openflow

package
v1.8.0-alpha.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 5, 2022 License: Apache-2.0 Imports: 33 Imported by: 1

Documentation

Index

Constants

View Source
const (
	// We use OpenFlow Meter for packet-in rate limiting on OVS side.
	// Meter Entry ID.
	PacketInMeterIDNP = 1
	PacketInMeterIDTF = 2
	// Meter Entry Rate. It is represented as number of events per second.
	// Packets which exceed the rate will be dropped.
	PacketInMeterRateNP = 100
	PacketInMeterRateTF = 100

	// PacketIn reasons
	PacketInReasonTF ofpPacketInReason = 1
	// PacketInReasonNP is used for the custom packetIn reasons for Network Policy, including: Logging, Reject, Deny.
	// It is also used to mark the DNS Response packet.
	PacketInReasonNP ofpPacketInReason = 0
	// PacketInReasonMC shares PacketInReasonNP for IGMP packet_in message. This is because OVS "controller" action
	// only correctly supports reason 0 or 1. Change to another value after the OVS action is corrected.
	PacketInReasonMC = PacketInReasonNP
	// PacketInQueueSize defines the size of PacketInQueue.
	// When PacketInQueue reaches PacketInQueueSize, new packet-in will be dropped.
	PacketInQueueSize = 200
	// PacketInQueueRate defines the maximum frequency of getting items from PacketInQueue.
	// PacketInQueueRate is represented as number of events per second.
	PacketInQueueRate = 100
)
View Source
const (
	CtZone       = 0xfff0
	CtZoneV6     = 0xffe6
	SNATCtZone   = 0xfff1
	SNATCtZoneV6 = 0xffe7

	// disposition values used in AP
	DispositionAllow = 0b00
	DispositionDrop  = 0b01
	DispositionRej   = 0b10
	DispositionPass  = 0b11

	// CustomReasonLogging is used when send packet-in to controller indicating this
	// packet need logging.
	CustomReasonLogging = 0b01
	// CustomReasonReject is not only used when send packet-in to controller indicating
	// that this packet should be rejected, but also used in the case that when
	// controller send reject packet as packet-out, we want reject response to bypass
	// the connTrack to avoid unexpected drop.
	CustomReasonReject = 0b10
	// CustomReasonDeny is used when sending packet-in message to controller indicating
	// that the corresponding connection has been dropped or rejected. It can be consumed
	// by the Flow Exporter to export flow records for connections denied by network
	// policy rules.
	CustomReasonDeny = 0b100
	CustomReasonDNS  = 0b1000
	CustomReasonIGMP = 0b10000

	// EtherTypeDot1q is used when adding 802.1Q VLAN header in OVS action
	EtherTypeDot1q = 0x8100
)

Variables

View Source
var (

	// reg0 (NXM_NX_REG0)
	// reg0[0..3]: Field to store the packet source. Marks in this field include:
	//   - 1: from tunnel port.
	//   - 2: from Antrea gateway port.
	//   - 3: from local Pods.
	//   - 4: from uplink port.
	//   - 5: from bridge local port.
	//   - 6: from traffic control return port.
	PktSourceField      = binding.NewRegField(0, 0, 3, "PacketSource")
	FromTunnelRegMark   = binding.NewRegMark(PktSourceField, tunnelVal)
	FromGatewayRegMark  = binding.NewRegMark(PktSourceField, gatewayVal)
	FromLocalRegMark    = binding.NewRegMark(PktSourceField, localVal)
	FromUplinkRegMark   = binding.NewRegMark(PktSourceField, uplinkVal)
	FromBridgeRegMark   = binding.NewRegMark(PktSourceField, bridgeVal)
	FromTCReturnRegMark = binding.NewRegMark(PktSourceField, tcReturnVal)
	// reg0[4..7]: Field to store the packet destination. Marks in this field include:
	//   - 1: to tunnel port.
	//   - 2: to Antrea gateway port.
	//   - 3: to local Pods.
	//   - 4: to uplink port.
	//   - 5: to bridge local port.
	PktDestinationField = binding.NewRegField(0, 4, 7, "PacketDestination")
	ToTunnelRegMark     = binding.NewRegMark(PktDestinationField, tunnelVal)
	ToGatewayRegMark    = binding.NewRegMark(PktDestinationField, gatewayVal)
	ToUplinkRegMark     = binding.NewRegMark(PktDestinationField, uplinkVal)
	// reg0[8]: Mark to indicate the ofPort number of an interface is found.
	OFPortFoundRegMark = binding.NewOneBitRegMark(0, 8, "OFPortFound")
	// reg0[9]: Field to indicate whether the packet's source / destination MAC address needs to be rewritten.
	RewriteMACRegMark    = binding.NewOneBitRegMark(0, 9, "RewriteMAC")
	NotRewriteMACRegMark = binding.NewOneBitZeroRegMark(0, 9, "NotRewriteMAC")
	// reg0[10]: Mark to indicate the packet is denied(Drop/Reject).
	CnpDenyRegMark = binding.NewOneBitRegMark(0, 10, "CNPDeny")
	// reg0[11..12]: Field to indicate disposition of Antrea Policy. It could have more bits to support more dispositions
	// that Antrea Policy support in the future. Marks in this field include:
	//   - 0b00: allow
	//   - 0b01: drop
	//   - 0b11: pass
	APDispositionField      = binding.NewRegField(0, 11, 12, "APDisposition")
	DispositionAllowRegMark = binding.NewRegMark(APDispositionField, DispositionAllow)
	DispositionDropRegMark  = binding.NewRegMark(APDispositionField, DispositionDrop)
	DispositionPassRegMark  = binding.NewRegMark(APDispositionField, DispositionPass)
	// reg0[13..17]: Field to indicate the reasons of sending packet to the controller. Marks in this field include:
	//   - 0b00001: logging
	//   - 0b00010: reject
	//   - 0b00100: deny (used by Flow Exporter)
	//   - 0b01000: DNS packet (used by FQDN)
	//   - 0b10000: IGMP packet (used by Multicast)
	CustomReasonField          = binding.NewRegField(0, 13, 17, "PacketInReason")
	CustomReasonLoggingRegMark = binding.NewRegMark(CustomReasonField, CustomReasonLogging)
	CustomReasonRejectRegMark  = binding.NewRegMark(CustomReasonField, CustomReasonReject)
	CustomReasonDenyRegMark    = binding.NewRegMark(CustomReasonField, CustomReasonDeny)
	CustomReasonDNSRegMark     = binding.NewRegMark(CustomReasonField, CustomReasonDNS)
	CustomReasonIGMPRegMark    = binding.NewRegMark(CustomReasonField, CustomReasonIGMP)

	// reg1(NXM_NX_REG1)
	// Field to cache the ofPort of the OVS interface where to output packet.
	TargetOFPortField = binding.NewRegField(1, 0, 31, "TargetOFPort")

	// reg2(NXM_NX_REG2)
	// Field to help swap values in two different flow fields in the OpenFlow actions. This field is only used in func
	// `arpResponderStaticFlow`.
	SwapField = binding.NewRegField(2, 0, 31, "SwapValue")

	// reg3(NXM_NX_REG3)
	// Field to store the selected Service Endpoint IP
	EndpointIPField = binding.NewRegField(3, 0, 31, "EndpointIP")
	// Field to store the conjunction ID which is for rule in CNP. It shares the same register with EndpointIPField,
	// since the service selection will finish when a packet hitting NetworkPolicy related rules.
	CNPConjIDField = binding.NewRegField(3, 0, 31, "CNPConjunctionID")

	// reg4(NXM_NX_REG4)
	// reg4[0..15]: Field to store the selected Service Endpoint port.
	EndpointPortField = binding.NewRegField(4, 0, 15, "EndpointPort")
	// reg4[16..18]: Field to store the state of a packet accessing a Service. Marks in this field include:
	//	- 0b001: packet need to do service selection.
	//	- 0b010: packet has done service selection.
	//	- 0b011: packet has done service selection and the selection result needs to be cached.
	ServiceEPStateField = binding.NewRegField(4, 16, 18, "EndpointState")
	EpToSelectRegMark   = binding.NewRegMark(ServiceEPStateField, 0b001)
	EpSelectedRegMark   = binding.NewRegMark(ServiceEPStateField, 0b010)
	EpToLearnRegMark    = binding.NewRegMark(ServiceEPStateField, 0b011)
	// reg4[0..18]: Field to store the union value of Endpoint port and Endpoint status. It is used as a single match
	// when needed.
	EpUnionField = binding.NewRegField(4, 0, 18, "EndpointUnion")
	// reg4[19]: Mark to indicate the Service type is NodePort.
	ToNodePortAddressRegMark = binding.NewOneBitRegMark(4, 19, "NodePortAddress")
	// reg4[16..19]: Field to store the union value of Endpoint state and the mark of whether Service type is NodePort.
	NodePortUnionField = binding.NewRegField(4, 16, 19, "NodePortUnion")
	// reg4[20]: Field to indicate whether the packet is from local Antrea IPAM Pod. NotAntreaFlexibleIPAMRegMark will
	// be used with RewriteMACRegMark, thus the reg id must not be same due to the limitation of ofnet library.
	AntreaFlexibleIPAMRegMark    = binding.NewOneBitRegMark(4, 20, "AntreaFlexibleIPAM")
	NotAntreaFlexibleIPAMRegMark = binding.NewOneBitZeroRegMark(4, 20, "NotAntreaFlexibleIPAM")
	// reg4[21]: Mark to indicate whether the packet is accessing a NodePort or a LoadBalancer IP of a Service whose
	// externalTrafficPolicy is Cluster.
	ToClusterServiceRegMark = binding.NewOneBitRegMark(4, 21, "ToClusterService")
	// reg4[22..23]: Field to store the action of a traffic control rule. Marks in this field include:
	TrafficControlActionField     = binding.NewRegField(4, 22, 23, "TrafficControlAction")
	TrafficControlMirrorRegMark   = binding.NewRegMark(TrafficControlActionField, 0b01)
	TrafficControlRedirectRegMark = binding.NewRegMark(TrafficControlActionField, 0b10)

	// reg5(NXM_NX_REG5)
	// Field to cache the Egress conjunction ID hit by TraceFlow packet.
	TFEgressConjIDField = binding.NewRegField(5, 0, 31, "TFEgressConjunctionID")

	// reg6(NXM_NX_REG6)
	// Field to store the Ingress conjunction ID hit by TraceFlow packet.
	TFIngressConjIDField = binding.NewRegField(6, 0, 31, "TFIngressConjunctionID")

	// reg7(NXM_NX_REG7)
	// Field to store the GroupID corresponding to the Service.
	ServiceGroupIDField = binding.NewRegField(7, 0, 31, "ServiceGroupID")

	// reg8(NXM_NX_REG8)
	// Field to store the VLAN ID. Valid value is 0~4094. value=0 indicates packet without 802.1q header.
	// VLANIDField for all incoming IP/IPv6 traffic with VLAN must be set explicitly at ClassifierTable or SpoofGuardTable.
	VLANIDField = binding.NewRegField(8, 0, 11, "VLANID")
	// Field to store the CtZone type.
	// CtZoneTypeField for all incoming IP/IPv6 traffic must be set explicitly at ClassifierTable or SpoofGuardTable.
	CtZoneTypeField       = binding.NewRegField(8, 12, 15, "CtZoneType")
	IPCtZoneTypeRegMark   = binding.NewRegMark(CtZoneTypeField, 0b0001)
	IPv6CtZoneTypeRegMark = binding.NewRegMark(CtZoneTypeField, 0b0011)
	// Field to store the CtZone ID, which is a combination of VLANIDField and CtZoneTypeField to indicate CtZone for DstNAT.
	CtZoneField = binding.NewRegField(8, 0, 15, "CtZoneID")

	// reg9(NXM_NX_REG9)
	// Field to cache the ofPort of the OVS interface to output traffic control packets.
	TrafficControlTargetOFPortField = binding.NewRegField(9, 0, 31, "TrafficControlTargetOFPort")
)

Fields using reg.

View Source
var (

	// CTMark (NXM_NX_CT_MARK)
	// CTMark[0..3]: Field to mark the source of the connection. This field has the same bits and positions as PktSourceField
	// for persisting the value from reg0 to CTMark when committing the first packet of the connection with CT action.
	// This CT mark is only used in CtZone / CtZoneV6.
	ConnSourceCTMarkField = binding.NewCTMarkField(0, 3)
	FromGatewayCTMark     = binding.NewCTMark(ConnSourceCTMarkField, gatewayVal)
	FromBridgeCTMark      = binding.NewCTMark(ConnSourceCTMarkField, bridgeVal)

	// CTMark[4]: Marks to indicate whether DNAT is performed on the connection for Service.
	// These CT marks are used in CtZone / CtZoneV6 and SNATCtZone / SNATCtZoneV6.
	ServiceCTMark    = binding.NewOneBitCTMark(4)
	NotServiceCTMark = binding.NewOneBitZeroCTMark(4)

	// CTMark[5]: Mark to indicate SNAT is performed on the connection for Service.
	// This CT mark is only used in CtZone / CtZoneV6.
	ConnSNATCTMark = binding.NewOneBitCTMark(5)

	// CTMark[6]: Mark to indicate the connection is hairpin.
	// This CT mark is used in CtZone / CtZoneV6 and SNATCtZone / SNATCtZoneV6.
	HairpinCTMark = binding.NewOneBitCTMark(6)
)

Marks using CT.

View Source
var (
	// Field to store the ingress rule ID.
	IngressRuleCTLabel = binding.NewCTLabel(0, 31, "ingressRuleCTLabel")

	// Field to store the egress rule ID.
	EgressRuleCTLabel = binding.NewCTLabel(32, 63, "egressRuleCTLabel")
)

Fields using CT label.

View Source
var (
	MatchDstIP          = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_dst")
	MatchSrcIP          = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_src")
	MatchDstIPNet       = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_dst")
	MatchSrcIPNet       = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_src")
	MatchDstIPv6        = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_dst")
	MatchSrcIPv6        = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_src")
	MatchDstIPNetv6     = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_dst")
	MatchSrcIPNetv6     = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_src")
	MatchDstOFPort      = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "reg1[0..31]")
	MatchSrcOFPort      = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "in_port")
	MatchTCPDstPort     = types.NewMatchKey(binding.ProtocolTCP, types.L4PortAddr, "tp_dst")
	MatchTCPv6DstPort   = types.NewMatchKey(binding.ProtocolTCPv6, types.L4PortAddr, "tp_dst")
	MatchUDPDstPort     = types.NewMatchKey(binding.ProtocolUDP, types.L4PortAddr, "tp_dst")
	MatchUDPv6DstPort   = types.NewMatchKey(binding.ProtocolUDPv6, types.L4PortAddr, "tp_dst")
	MatchSCTPDstPort    = types.NewMatchKey(binding.ProtocolSCTP, types.L4PortAddr, "tp_dst")
	MatchSCTPv6DstPort  = types.NewMatchKey(binding.ProtocolSCTPv6, types.L4PortAddr, "tp_dst")
	MatchTCPSrcPort     = types.NewMatchKey(binding.ProtocolTCP, types.L4PortAddr, "tp_src")
	MatchTCPv6SrcPort   = types.NewMatchKey(binding.ProtocolTCPv6, types.L4PortAddr, "tp_src")
	MatchUDPSrcPort     = types.NewMatchKey(binding.ProtocolUDP, types.L4PortAddr, "tp_src")
	MatchUDPv6SrcPort   = types.NewMatchKey(binding.ProtocolUDPv6, types.L4PortAddr, "tp_src")
	MatchICMPType       = types.NewMatchKey(binding.ProtocolICMP, types.ICMPAddr, "icmp_type")
	MatchICMPCode       = types.NewMatchKey(binding.ProtocolICMP, types.ICMPAddr, "icmp_code")
	MatchICMPv6Type     = types.NewMatchKey(binding.ProtocolICMPv6, types.ICMPAddr, "icmpv6_type")
	MatchICMPv6Code     = types.NewMatchKey(binding.ProtocolICMPv6, types.ICMPAddr, "icmpv6_code")
	MatchServiceGroupID = types.NewMatchKey(binding.ProtocolIP, types.ServiceGroupIDAddr, "reg7[0..31]")
	MatchIGMPProtocol   = types.NewMatchKey(binding.ProtocolIGMP, types.IGMPAddr, "igmp")
	Unsupported         = types.NewMatchKey(binding.ProtocolIP, types.UnSupported, "unknown")
)
View Source
var (

	// PipelineRootClassifierTable is the only table of pipelineRoot at this moment and its table ID should be 0. Packets
	// are forwarded to pipelineIP or pipelineARP in this table.
	PipelineRootClassifierTable = newTable("PipelineRootClassifier", stageStart, pipelineRoot, defaultDrop)

	// Tables in stageValidation:
	ARPSpoofGuardTable = newTable("ARPSpoofGuard", stageValidation, pipelineARP)

	// Tables in stageOutput:
	ARPResponderTable = newTable("ARPResponder", stageOutput, pipelineARP)

	// Tables in stageClassifier:
	ClassifierTable = newTable("Classifier", stageClassifier, pipelineIP, defaultDrop)

	// Tables in stageValidation:
	SpoofGuardTable           = newTable("SpoofGuard", stageValidation, pipelineIP, defaultDrop)
	IPv6Table                 = newTable("IPv6", stageValidation, pipelineIP)
	PipelineIPClassifierTable = newTable("PipelineIPClassifier", stageValidation, pipelineIP)

	// Tables in stageConntrackState:
	UnSNATTable         = newTable("UnSNAT", stageConntrackState, pipelineIP)
	ConntrackTable      = newTable("ConntrackZone", stageConntrackState, pipelineIP)
	ConntrackStateTable = newTable("ConntrackState", stageConntrackState, pipelineIP)

	// Tables in stagePreRouting:
	// When proxy is enabled.
	PreRoutingClassifierTable = newTable("PreRoutingClassifier", stagePreRouting, pipelineIP)
	NodePortMarkTable         = newTable("NodePortMark", stagePreRouting, pipelineIP)
	SessionAffinityTable      = newTable("SessionAffinity", stagePreRouting, pipelineIP)
	ServiceLBTable            = newTable("ServiceLB", stagePreRouting, pipelineIP)
	EndpointDNATTable         = newTable("EndpointDNAT", stagePreRouting, pipelineIP)
	// When proxy is disabled.
	DNATTable = newTable("DNAT", stagePreRouting, pipelineIP)

	// Tables in stageEgressSecurity:
	AntreaPolicyEgressRuleTable = newTable("AntreaPolicyEgressRule", stageEgressSecurity, pipelineIP)
	EgressRuleTable             = newTable("EgressRule", stageEgressSecurity, pipelineIP)
	EgressDefaultTable          = newTable("EgressDefaultRule", stageEgressSecurity, pipelineIP)
	EgressMetricTable           = newTable("EgressMetric", stageEgressSecurity, pipelineIP)

	// Tables in stageRouting:
	L3ForwardingTable = newTable("L3Forwarding", stageRouting, pipelineIP)
	EgressMarkTable   = newTable("EgressMark", stageRouting, pipelineIP)
	L3DecTTLTable     = newTable("L3DecTTL", stageRouting, pipelineIP)

	// Tables in stagePostRouting:
	SNATMarkTable = newTable("SNATMark", stagePostRouting, pipelineIP)
	SNATTable     = newTable("SNAT", stagePostRouting, pipelineIP)

	// Tables in stageSwitching:
	L2ForwardingCalcTable = newTable("L2ForwardingCalc", stageSwitching, pipelineIP)
	TrafficControlTable   = newTable("TrafficControl", stageSwitching, pipelineIP)

	// Tables in stageIngressSecurity:
	IngressSecurityClassifierTable = newTable("IngressSecurityClassifier", stageIngressSecurity, pipelineIP)
	AntreaPolicyIngressRuleTable   = newTable("AntreaPolicyIngressRule", stageIngressSecurity, pipelineIP)
	IngressRuleTable               = newTable("IngressRule", stageIngressSecurity, pipelineIP)
	IngressDefaultTable            = newTable("IngressDefaultRule", stageIngressSecurity, pipelineIP)
	IngressMetricTable             = newTable("IngressMetric", stageIngressSecurity, pipelineIP)

	// Tables in stageConntrack:
	ConntrackCommitTable = newTable("ConntrackCommit", stageConntrack, pipelineIP)

	// Tables in stageOutput:
	VLANTable            = newTable("VLAN", stageOutput, pipelineIP)
	L2ForwardingOutTable = newTable("Output", stageOutput, pipelineIP)

	// Tables of pipelineMulticast are declared below. Do don't declare any tables of other pipelines here!
	// Tables in stageEgressSecurity:
	// Since IGMP Egress rules only support IGMP report which is handled by packetIn, it is not necessary to add
	// MulticastIGMPEgressMetricTable here.
	MulticastEgressRuleTable   = newTable("MulticastEgressRule", stageEgressSecurity, pipelineMulticast)
	MulticastEgressMetricTable = newTable("MulticastEgressMetric", stageEgressSecurity, pipelineMulticast)

	MulticastEgressPodMetricTable = newTable("MulticastEgressPodMetric", stageEgressSecurity, pipelineMulticast)

	// Tables in stageRouting:
	MulticastRoutingTable = newTable("MulticastRouting", stageRouting, pipelineMulticast)
	// Tables in stageIngressSecurity
	MulticastIngressRuleTable      = newTable("MulticastIngressRule", stageIngressSecurity, pipelineMulticast)
	MulticastIngressMetricTable    = newTable("MulticastIngressMetric", stageIngressSecurity, pipelineMulticast)
	MulticastIngressPodMetricTable = newTable("MulticastIngressPodMetric", stageIngressSecurity, pipelineMulticast)
	// Tables in stageOutput
	MulticastOutputTable = newTable("MulticastOutput", stageOutput, pipelineMulticast)
)
View Source
var DispositionToString = map[uint32]string{
	DispositionAllow: "Allow",
	DispositionDrop:  "Drop",
	DispositionRej:   "Reject",
	DispositionPass:  "Pass",
}
View Source
var (
	// xxreg3(NXM_NX_XXREG3)
	// xxreg3: Field to cache Endpoint IPv6 address. It occupies reg12-reg15 in the meanwhile.
	EndpointIP6Field = binding.NewXXRegField(3, 0, 127)
)

Fields using xxreg.

View Source
var (
	GlobalVirtualMAC, _ = net.ParseMAC("aa:bb:cc:dd:ee:ff")
)
View Source
var GlobalVirtualMACForMulticluster, _ = net.ParseMAC("aa:bb:cc:dd:ee:f0")

GlobalVirtualMACForMulticluster is a vritual MAC which will be used only for cross-cluster traffic to distinguish from in-cluster traffic.

Functions

func CleanOFTableCache added in v1.6.0

func CleanOFTableCache()

CleanOFTableCache is used to reset ofTableCache and only used in integration tests. When all integration tests about openflow run in batch, unexpected flows could be installed on OVS due to stale ofTableCache, which may cause some tests to fail. For example, for TestFuncA, EgressMarkTable is needed; for TestFuncB, EgressMarkTable is not needed. If TestFuncB is run after TestFuncA, since ofTableCache (EgressMarkTable is added by TestFuncA) is not reset, default flow of EgressMarkTable will also be realized on OVS when running TestFuncB (see "func (c *client) defaultFlows() (flows []binding.Flow)"). Note that, the unexpected flows are not included in the map tableCache of OFBridge defined in pkg/ovs/openflow/ofctrl_bridge.go, because the bridge will be destroyed after every test. For some tests, function checkOVSFlowMetrics (defined in test/integration/agent/openflow_test.go) is used to check the flow number of every installed table. The expected table list is read from the map tableCache of OFBridge, but the actual table list is dumped from OVS bridge (including the unexpected flow). They are different, and as a result, TestFuncB will fail.

func GetFlowTableID added in v1.4.0

func GetFlowTableID(tableName string) uint8

GetFlowTableID does a case insensitive lookup of the table name, and returns the flow table number if the table is found. Otherwise TableIDAll is returned if the table cannot be found.

func GetFlowTableName

func GetFlowTableName(tableID uint8) string

GetFlowTableName returns the flow table name given the table ID. An empty string is returned if the table cannot be found.

func GetTableList added in v1.4.0

func GetTableList() []binding.Table

func InitMockTables added in v1.6.0

func InitMockTables(tableMap map[*Table]uint8)

InitMockTables is used to init mock tables.

func ResetOFTable added in v1.6.0

func ResetOFTable()

ResetOFTable is used for integration tests.

Types

type Client

type Client interface {
	// Initialize sets up all basic flows on the specific OVS bridge. It returns a channel which
	// is used to notify the caller in case of a reconnection, in which case ReplayFlows should
	// be called to ensure that the set of OVS flows is correct. All flows programmed in the
	// switch which match the current round number will be deleted before any new flow is
	// installed.
	Initialize(roundInfo types.RoundInfo,
		config *config.NodeConfig,
		networkConfig *config.NetworkConfig,
		egressConfig *config.EgressConfig,
		serviceConfig *config.ServiceConfig) (<-chan struct{}, error)

	// InstallNodeFlows should be invoked when a connection to a remote Node is going to be set
	// up. The hostname is used to identify the added flows. When IPsec tunnel is enabled,
	// ipsecTunOFPort must be set to the OFPort number of the IPsec tunnel port to the remote Node;
	// otherwise ipsecTunOFPort must be set to 0.
	// InstallNodeFlows has all-or-nothing semantics(call succeeds if all the flows are installed
	// successfully, otherwise no flows will be installed). Calls to InstallNodeFlows are idempotent.
	// Concurrent calls to InstallNodeFlows and / or UninstallNodeFlows are supported as long as they
	// are all for different hostnames.
	InstallNodeFlows(
		hostname string,
		peerConfigs map[*net.IPNet]net.IP,
		tunnelPeerIP *utilip.DualStackIPs,
		ipsecTunOFPort uint32,
		peerNodeMAC net.HardwareAddr) error

	// UninstallNodeFlows removes the connection to the remote Node specified with the
	// hostname. UninstallNodeFlows will do nothing if no connection to the host was established.
	UninstallNodeFlows(hostname string) error

	// InstallPodFlows should be invoked when a connection to a Pod on current Node. The
	// interfaceName is used to identify the added flows. InstallPodFlows has all-or-nothing
	// semantics(call succeeds if all the flows are installed successfully, otherwise no
	// flows will be installed). Calls to InstallPodFlows are idempotent. Concurrent calls
	// to InstallPodFlows and / or UninstallPodFlows are supported as long as they are all
	// for different interfaceNames.
	InstallPodFlows(interfaceName string, podInterfaceIPs []net.IP, podInterfaceMAC net.HardwareAddr, ofPort uint32, vlanID uint16) error

	// UninstallPodFlows removes the connection to the local Pod specified with the
	// interfaceName. UninstallPodFlows will do nothing if no connection to the Pod was established.
	UninstallPodFlows(interfaceName string) error

	// InstallServiceGroup installs a group for Service LB. Each endpoint
	// is a bucket of the group. For now, each bucket has the same weight.
	InstallServiceGroup(groupID binding.GroupIDType, withSessionAffinity bool, endpoints []proxy.Endpoint) error
	// UninstallGroup removes the group and its buckets that are
	// installed by InstallServiceGroup or InstallMulticastGroup.
	UninstallGroup(groupID binding.GroupIDType) error

	// InstallEndpointFlows installs flows for accessing Endpoints.
	// If an Endpoint is on the current Node, then flows for hairpin and endpoint
	// L2 forwarding should also be installed.
	InstallEndpointFlows(protocol binding.Protocol, endpoints []proxy.Endpoint) error
	// UninstallEndpointFlows removes flows of the Endpoint installed by
	// InstallEndpointFlows.
	UninstallEndpointFlows(protocol binding.Protocol, endpoint proxy.Endpoint) error

	// InstallServiceFlows installs flows for accessing Service NodePort, LoadBalancer and ClusterIP. It installs the
	// flow that uses the group/bucket to do service LB. If the affinityTimeout is not zero, it also installs the flow
	// which has a learn action to maintain the LB decision. The group with the groupID must be installed before,
	// otherwise the installation will fail.
	// nodeLocalExternal represents if the externalTrafficPolicy is Local or not. This field is meaningful only when
	// the svcType is NodePort or LoadBalancer.
	InstallServiceFlows(groupID binding.GroupIDType, svcIP net.IP, svcPort uint16, protocol binding.Protocol, affinityTimeout uint16, nodeLocalExternal bool, svcType v1.ServiceType) error
	// UninstallServiceFlows removes flows installed by InstallServiceFlows.
	UninstallServiceFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error

	// GetFlowTableStatus should return an array of flow table status, all existing flow tables should be included in the list.
	GetFlowTableStatus() []binding.TableStatus

	// InstallPolicyRuleFlows installs flows for a new NetworkPolicy rule. Rule should include all fields in the
	// NetworkPolicy rule. Each ingress/egress policy rule installs Openflow entries on two tables, one for
	// ruleTable and the other for dropTable. If a packet does not pass the ruleTable, it will be dropped by the
	// dropTable.
	InstallPolicyRuleFlows(ofPolicyRule *types.PolicyRule) error

	// BatchInstallPolicyRuleFlows installs multiple flows for NetworkPolicy rules in batch.
	BatchInstallPolicyRuleFlows(ofPolicyRules []*types.PolicyRule) error

	// UninstallPolicyRuleFlows removes the Openflow entry relevant to the specified NetworkPolicy rule.
	// It also returns a slice of stale ofPriorities used by ClusterNetworkPolicies.
	// UninstallPolicyRuleFlows will do nothing if no Openflow entry for the rule is installed.
	UninstallPolicyRuleFlows(ruleID uint32) ([]string, error)

	// AddPolicyRuleAddress adds one or multiple addresses to the specified NetworkPolicy rule. If addrType is true, the
	// addresses are added to PolicyRule.From, else to PolicyRule.To.
	AddPolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16) error

	// DeletePolicyRuleAddress removes addresses from the specified NetworkPolicy rule. If addrType is srcAddress, the addresses
	// are removed from PolicyRule.From, else from PolicyRule.To.
	DeletePolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16) error

	// InstallSNATMarkFlows installs flows for a local SNAT IP. On Linux, a
	// single flow is added to mark the packets tunnelled from remote Nodes
	// that should be SNAT'd with the SNAT IP.
	InstallSNATMarkFlows(snatIP net.IP, mark uint32) error

	// UninstallSNATMarkFlows removes the flows installed to set the packet
	// mark for a SNAT IP.
	UninstallSNATMarkFlows(mark uint32) error

	// InstallPodSNATFlows installs the SNAT flows for a local Pod. If the
	// SNAT IP for the Pod is on the local Node, a non-zero SNAT ID should
	// allocated for the SNAT IP, and the installed flow sets the SNAT IP
	// mark on the egress packets from the ofPort; if the SNAT IP is on a
	// remote Node, snatMark should be set to 0, and the installed flow
	// tunnels egress packets to the remote Node using the SNAT IP as the
	// tunnel destination, and the packets should be SNAT'd on the remote
	// Node. As of now, a Pod can be configured to use only a single SNAT
	// IP in a single address family (IPv4 or IPv6).
	InstallPodSNATFlows(ofPort uint32, snatIP net.IP, snatMark uint32) error

	// UninstallPodSNATFlows removes the SNAT flows for the local Pod.
	UninstallPodSNATFlows(ofPort uint32) error

	// Disconnect disconnects the connection between client and OFSwitch.
	Disconnect() error

	// IsConnected returns the connection status between client and OFSwitch. The return value is true if the OFSwitch is connected.
	IsConnected() bool

	// ReplayFlows should be called when a spurious disconnection occurs. After we reconnect to
	// the OFSwitch, we need to replay all the flows cached by the client. ReplayFlows will try
	// to replay as many flows as possible, and will log an error when a flow cannot be
	// installed.
	ReplayFlows()

	// DeleteStaleFlows deletes all flows from the previous round which are no longer needed. It
	// should be called by the agent after all required flows have been installed / updated with
	// the new round number.
	DeleteStaleFlows() error

	// GetTunnelVirtualMAC() returns GlobalVirtualMAC used for tunnel traffic.
	GetTunnelVirtualMAC() net.HardwareAddr

	// GetPodFlowKeys returns the keys (match strings) of the cached flows for a
	// Pod.
	GetPodFlowKeys(interfaceName string) []string

	// GetServiceFlowKeys returns the keys (match strings) of the cached
	// flows for a Service (port) and its endpoints.
	GetServiceFlowKeys(svcIP net.IP, svcPort uint16, protocol binding.Protocol, endpoints []proxy.Endpoint) []string

	// GetNetworkPolicyFlowKeys returns the keys (match strings) of the cached
	// flows for a NetworkPolicy. Flows are grouped by policy rules, and duplicated
	// entries can be added due to conjunctive match flows shared by multiple
	// rules.
	GetNetworkPolicyFlowKeys(npName, npNamespace string) []string

	// ReassignFlowPriorities takes a list of priority updates, and update the actionFlows to replace
	// the old priority with the desired one, for each priority update on that table.
	ReassignFlowPriorities(updates map[uint16]uint16, table uint8) error

	// SubscribePacketIn subscribes to packet in messages for the given reason. Packets
	// will be placed in the queue and if the queue is full, the packet in messages
	// will be dropped. pktInQueue supports rate-limiting for the consumer, in order to
	// constrain the compute resources that may be used by the consumer.
	SubscribePacketIn(reason uint8, pktInQueue *binding.PacketInQueue) error

	// SendTraceflowPacket injects packet to specified OVS port for Openflow.
	SendTraceflowPacket(dataplaneTag uint8, packet *binding.Packet, inPort uint32, outPort int32) error

	// InstallTraceflowFlows installs flows for a Traceflow request.
	InstallTraceflowFlows(dataplaneTag uint8, liveTraffic, droppedOnly, receiverOnly bool, packet *binding.Packet, ofPort uint32, timeoutSeconds uint16) error

	// UninstallTraceflowFlows uninstalls flows for a Traceflow request.
	UninstallTraceflowFlows(dataplaneTag uint8) error

	// Initial tun_metadata0 in TLV map for Traceflow.
	InitialTLVMap() error

	// Find Network Policy reference and OFpriority by conjunction ID.
	GetPolicyInfoFromConjunction(ruleID uint32) (string, string)

	// RegisterPacketInHandler uses SubscribePacketIn to get PacketIn message and process received
	// packets through registered handlers.
	RegisterPacketInHandler(packetHandlerReason uint8, packetHandlerName string, packetInHandler interface{})

	StartPacketInHandler(stopCh <-chan struct{})
	// Get traffic metrics of each NetworkPolicy rule.
	NetworkPolicyMetrics() map[uint32]*types.RuleMetric

	// Get multicast ingress metrics of each Pod in MulticastIngressPodMetricTable.
	MulticastIngressPodMetrics() map[uint32]*types.RuleMetric
	// Get multicast Pod ingress statistics from MulticastIngressPodMetricTable with specified ofPort.
	MulticastIngressPodMetricsByOFPort(ofPort int32) *types.RuleMetric
	// Get multicast egress metrics of each Pod in MulticastEgressPodMetricTable.
	MulticastEgressPodMetrics() map[string]*types.RuleMetric
	// Get multicast Pod ingress statistics from MulticastEgressPodMetricTable with specified src IP.
	MulticastEgressPodMetricsByIP(ip net.IP) *types.RuleMetric

	// SendTCPPacketOut sends TCP packet as a packet-out to OVS.
	SendTCPPacketOut(
		srcMAC string,
		dstMAC string,
		srcIP string,
		dstIP string,
		inPort uint32,
		outPort uint32,
		isIPv6 bool,
		tcpSrcPort uint16,
		tcpDstPort uint16,
		tcpAckNum uint32,
		tcpFlag uint8,
		mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error
	// SendICMPPacketOut sends ICMP packet as a packet-out to OVS.
	SendICMPPacketOut(
		srcMAC string,
		dstMAC string,
		srcIP string,
		dstIP string,
		inPort uint32,
		outPort uint32,
		isIPv6 bool,
		icmpType uint8,
		icmpCode uint8,
		icmpData []byte,
		mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error
	// SendUDPPacketOut sends UDP packet as a packet-out to OVS.
	SendUDPPacketOut(
		srcMAC string,
		dstMAC string,
		srcIP string,
		dstIP string,
		inPort uint32,
		outPort uint32,
		isIPv6 bool,
		udpSrcPort uint16,
		udpDstPort uint16,
		udpData []byte,
		mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error
	// NewDNSpacketInConjunction creates a policyRuleConjunction for the dns response interception flows.
	NewDNSpacketInConjunction(id uint32) error
	// AddAddressToDNSConjunction adds addresses to the toAddresses of the dns packetIn conjunction,
	// so that dns response packets sent towards these addresses will be intercepted and parsed by
	// the fqdnController.
	AddAddressToDNSConjunction(id uint32, addrs []types.Address) error
	// DeleteAddressFromDNSConjunction removes addresses from the toAddresses of the dns packetIn conjunction.
	DeleteAddressFromDNSConjunction(id uint32, addrs []types.Address) error
	// InstallMulticastInitialFlows installs OpenFlow to packetIn the IGMP messages and output the Multicast traffic to
	// antrea-gw0 so that local Pods could access external Multicast servers.
	InstallMulticastInitialFlows(pktInReason uint8) error
	// InstallMulticastFlows installs the flow to forward Multicast traffic normally, and output it to antrea-gw0
	// to ensure it can be forwarded to the external addresses.
	InstallMulticastFlows(multicastIP net.IP, groupID binding.GroupIDType) error
	// UninstallMulticastFlows removes the flow matching the given multicastIP.
	UninstallMulticastFlows(multicastIP net.IP) error
	// SendIGMPQueryPacketOut sends the IGMPQuery packet as a packet-out to OVS from the gateway port.
	SendIGMPQueryPacketOut(
		dstMAC net.HardwareAddr,
		dstIP net.IP,
		outPort uint32,
		igmp ofutil.Message) error

	// InstallTrafficControlMarkFlows installs the flows to mark the packets for a traffic control rule.
	InstallTrafficControlMarkFlows(name string, sourceOFPorts []uint32, targetOFPort uint32, direction v1alpha2.Direction, action v1alpha2.TrafficControlAction) error

	// UninstallTrafficControlMarkFlows removes the flows for a traffic control rule.
	UninstallTrafficControlMarkFlows(name string) error

	// InstallTrafficControlReturnPortFlow installs the flow to classify the packets from a return port.
	InstallTrafficControlReturnPortFlow(returnOFPort uint32) error

	// UninstallTrafficControlReturnPortFlow removes the flow to classify the packets from a return port.
	UninstallTrafficControlReturnPortFlow(returnOFPort uint32) error

	InstallMulticastGroup(ofGroupID binding.GroupIDType, localReceivers []uint32) error

	// InstallMulticlusterNodeFlows installs flows to handle cross-cluster packets between a regular
	// Node and a local Gateway.
	InstallMulticlusterNodeFlows(
		clusterID string,
		peerConfigs map[*net.IPNet]net.IP,
		tunnelPeerIP net.IP) error

	// InstallMulticlusterGatewayFlows installs flows to handle cross-cluster packets between Gateways.
	InstallMulticlusterGatewayFlows(
		clusterID string,
		peerConfigs map[*net.IPNet]net.IP,
		tunnelPeerIP net.IP,
		localGatewayIP net.IP) error

	// InstallMulticlusterClassifierFlows installs flows to classify cross-cluster packets.
	InstallMulticlusterClassifierFlows(tunnelOFPort uint32, isGateway bool) error

	// UninstallMulticlusterFlows removes cross-cluster flows matching the given clusterID on
	// a regular Node or a Gateway.
	UninstallMulticlusterFlows(clusterID string) error
}

Client is the interface to program OVS flows for entity connectivity of Antrea.

func NewClient

func NewClient(bridgeName string,
	mgmtAddr string,
	enableProxy bool,
	enableAntreaPolicy bool,
	enableEgress bool,
	enableDenyTracking bool,
	proxyAll bool,
	connectUplinkToBridge bool,
	enableMulticast bool,
	enableTrafficControl bool,
	enableMulticluster bool) Client

NewClient is the constructor of the Client interface.

type ConjunctionNotFound

type ConjunctionNotFound uint32

ConjunctionNotFound is an error response when the specified policyRuleConjunction is not found from the local cache.

func (*ConjunctionNotFound) Error

func (e *ConjunctionNotFound) Error() string

type GroupAllocator added in v1.6.0

type GroupAllocator interface {
	Allocate() binding.GroupIDType
	Release(id binding.GroupIDType)
}

func NewGroupAllocator added in v1.6.0

func NewGroupAllocator(isIPv6 bool) GroupAllocator

type IPAddress

type IPAddress net.IP

IP address calculated from Pod's address.

func NewIPAddress

func NewIPAddress(addr net.IP) *IPAddress

func (*IPAddress) GetMatchKey

func (a *IPAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*IPAddress) GetMatchValue

func (a *IPAddress) GetMatchValue() string

func (*IPAddress) GetValue

func (a *IPAddress) GetValue() interface{}

type IPNetAddress

type IPNetAddress net.IPNet

IP block calculated from Pod's address.

func NewIPNetAddress

func NewIPNetAddress(addr net.IPNet) *IPNetAddress

func (*IPNetAddress) GetMatchKey

func (a *IPNetAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*IPNetAddress) GetMatchValue

func (a *IPNetAddress) GetMatchValue() string

func (*IPNetAddress) GetValue

func (a *IPNetAddress) GetValue() interface{}

type OFEntryOperations

type OFEntryOperations interface {
	Add(flow binding.Flow) error
	Modify(flow binding.Flow) error
	Delete(flow binding.Flow) error
	AddAll(flows []binding.Flow) error
	ModifyAll(flows []binding.Flow) error
	BundleOps(adds []binding.Flow, mods []binding.Flow, dels []binding.Flow) error
	DeleteAll(flows []binding.Flow) error
	AddOFEntries(ofEntries []binding.OFEntry) error
	DeleteOFEntries(ofEntries []binding.OFEntry) error
}

type OFPortAddress

type OFPortAddress int32

OFPortAddress is the Openflow port of an interface.

func NewOFPortAddress

func NewOFPortAddress(addr int32) *OFPortAddress

func (*OFPortAddress) GetMatchKey

func (a *OFPortAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*OFPortAddress) GetMatchValue

func (a *OFPortAddress) GetMatchValue() string

func (*OFPortAddress) GetValue

func (a *OFPortAddress) GetValue() interface{}

type Option added in v1.6.0

type Option func(*Table)

Option is a modifier for Table.

type PacketInHandler

type PacketInHandler interface {
	// HandlePacketIn should not modify the input pktIn and should not
	// assume that the pktIn contents(e.g. NWSrc/NWDst) will not be
	// modified at a later time.
	HandlePacketIn(pktIn *ofctrl.PacketIn) error
}

type ServiceGroupIDAddress added in v1.4.0

type ServiceGroupIDAddress binding.GroupIDType

func NewServiceGroupIDAddress added in v1.4.0

func NewServiceGroupIDAddress(groupID binding.GroupIDType) *ServiceGroupIDAddress

func (*ServiceGroupIDAddress) GetMatchKey added in v1.4.0

func (a *ServiceGroupIDAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*ServiceGroupIDAddress) GetMatchValue added in v1.4.0

func (a *ServiceGroupIDAddress) GetMatchValue() string

func (*ServiceGroupIDAddress) GetValue added in v1.4.0

func (a *ServiceGroupIDAddress) GetValue() interface{}

type Table added in v1.6.0

type Table struct {
	// contains filtered or unexported fields
}

Table in FlexiblePipeline is the basic unit to build OVS pipelines. A Table can be referenced by one or more features, but its member struct ofTable will be initialized and realized on OVS only when it is referenced by any activated features.

func GetAntreaIGMPIngressTables added in v1.7.0

func GetAntreaIGMPIngressTables() []*Table

func GetAntreaMulticastEgressTables added in v1.7.0

func GetAntreaMulticastEgressTables() []*Table

func GetAntreaPolicyBaselineTierTables

func GetAntreaPolicyBaselineTierTables() []*Table

func GetAntreaPolicyEgressTables

func GetAntreaPolicyEgressTables() []*Table

func GetAntreaPolicyIngressTables

func GetAntreaPolicyIngressTables() []*Table

func GetAntreaPolicyMultiTierTables

func GetAntreaPolicyMultiTierTables() []*Table

func (*Table) GetID added in v1.6.0

func (t *Table) GetID() uint8

func (*Table) GetMissAction added in v1.6.0

func (t *Table) GetMissAction() binding.MissActionType

func (*Table) GetName added in v1.6.0

func (t *Table) GetName() string

func (*Table) GetNext added in v1.6.0

func (t *Table) GetNext() uint8

Directories

Path Synopsis
Package cookie implements a cookie allocator.
Package cookie implements a cookie allocator.
Package testing is a generated GoMock package.
Package testing is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL