openvswitch.txt 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249
  1. Open vSwitch datapath developer documentation
  2. =============================================
  3. The Open vSwitch kernel module allows flexible userspace control over
  4. flow-level packet processing on selected network devices. It can be
  5. used to implement a plain Ethernet switch, network device bonding,
  6. VLAN processing, network access control, flow-based network control,
  7. and so on.
  8. The kernel module implements multiple "datapaths" (analogous to
  9. bridges), each of which can have multiple "vports" (analogous to ports
  10. within a bridge). Each datapath also has associated with it a "flow
  11. table" that userspace populates with "flows" that map from keys based
  12. on packet headers and metadata to sets of actions. The most common
  13. action forwards the packet to another vport; other actions are also
  14. implemented.
  15. When a packet arrives on a vport, the kernel module processes it by
  16. extracting its flow key and looking it up in the flow table. If there
  17. is a matching flow, it executes the associated actions. If there is
  18. no match, it queues the packet to userspace for processing (as part of
  19. its processing, userspace will likely set up a flow to handle further
  20. packets of the same type entirely in-kernel).
  21. Flow key compatibility
  22. ----------------------
  23. Network protocols evolve over time. New protocols become important
  24. and existing protocols lose their prominence. For the Open vSwitch
  25. kernel module to remain relevant, it must be possible for newer
  26. versions to parse additional protocols as part of the flow key. It
  27. might even be desirable, someday, to drop support for parsing
  28. protocols that have become obsolete. Therefore, the Netlink interface
  29. to Open vSwitch is designed to allow carefully written userspace
  30. applications to work with any version of the flow key, past or future.
  31. To support this forward and backward compatibility, whenever the
  32. kernel module passes a packet to userspace, it also passes along the
  33. flow key that it parsed from the packet. Userspace then extracts its
  34. own notion of a flow key from the packet and compares it against the
  35. kernel-provided version:
  36. - If userspace's notion of the flow key for the packet matches the
  37. kernel's, then nothing special is necessary.
  38. - If the kernel's flow key includes more fields than the userspace
  39. version of the flow key, for example if the kernel decoded IPv6
  40. headers but userspace stopped at the Ethernet type (because it
  41. does not understand IPv6), then again nothing special is
  42. necessary. Userspace can still set up a flow in the usual way,
  43. as long as it uses the kernel-provided flow key to do it.
  44. - If the userspace flow key includes more fields than the
  45. kernel's, for example if userspace decoded an IPv6 header but
  46. the kernel stopped at the Ethernet type, then userspace can
  47. forward the packet manually, without setting up a flow in the
  48. kernel. This case is bad for performance because every packet
  49. that the kernel considers part of the flow must go to userspace,
  50. but the forwarding behavior is correct. (If userspace can
  51. determine that the values of the extra fields would not affect
  52. forwarding behavior, then it could set up a flow anyway.)
  53. How flow keys evolve over time is important to making this work, so
  54. the following sections go into detail.
  55. Flow key format
  56. ---------------
  57. A flow key is passed over a Netlink socket as a sequence of Netlink
  58. attributes. Some attributes represent packet metadata, defined as any
  59. information about a packet that cannot be extracted from the packet
  60. itself, e.g. the vport on which the packet was received. Most
  61. attributes, however, are extracted from headers within the packet,
  62. e.g. source and destination addresses from Ethernet, IP, or TCP
  63. headers.
  64. The <linux/openvswitch.h> header file defines the exact format of the
  65. flow key attributes. For informal explanatory purposes here, we write
  66. them as comma-separated strings, with parentheses indicating arguments
  67. and nesting. For example, the following could represent a flow key
  68. corresponding to a TCP packet that arrived on vport 1:
  69. in_port(1), eth(src=e0:91:f5:21:d0:b2, dst=00:02:e3:0f:80:a4),
  70. eth_type(0x0800), ipv4(src=172.16.0.20, dst=172.18.0.52, proto=17, tos=0,
  71. frag=no), tcp(src=49163, dst=80)
  72. Often we ellipsize arguments not important to the discussion, e.g.:
  73. in_port(1), eth(...), eth_type(0x0800), ipv4(...), tcp(...)
  74. Wildcarded flow key format
  75. --------------------------
  76. A wildcarded flow is described with two sequences of Netlink attributes
  77. passed over the Netlink socket. A flow key, exactly as described above, and an
  78. optional corresponding flow mask.
  79. A wildcarded flow can represent a group of exact match flows. Each '1' bit
  80. in the mask specifies a exact match with the corresponding bit in the flow key.
  81. A '0' bit specifies a don't care bit, which will match either a '1' or '0' bit
  82. of a incoming packet. Using wildcarded flow can improve the flow set up rate
  83. by reduce the number of new flows need to be processed by the user space program.
  84. Support for the mask Netlink attribute is optional for both the kernel and user
  85. space program. The kernel can ignore the mask attribute, installing an exact
  86. match flow, or reduce the number of don't care bits in the kernel to less than
  87. what was specified by the user space program. In this case, variations in bits
  88. that the kernel does not implement will simply result in additional flow setups.
  89. The kernel module will also work with user space programs that neither support
  90. nor supply flow mask attributes.
  91. Since the kernel may ignore or modify wildcard bits, it can be difficult for
  92. the userspace program to know exactly what matches are installed. There are
  93. two possible approaches: reactively install flows as they miss the kernel
  94. flow table (and therefore not attempt to determine wildcard changes at all)
  95. or use the kernel's response messages to determine the installed wildcards.
  96. When interacting with userspace, the kernel should maintain the match portion
  97. of the key exactly as originally installed. This will provides a handle to
  98. identify the flow for all future operations. However, when reporting the
  99. mask of an installed flow, the mask should include any restrictions imposed
  100. by the kernel.
  101. The behavior when using overlapping wildcarded flows is undefined. It is the
  102. responsibility of the user space program to ensure that any incoming packet
  103. can match at most one flow, wildcarded or not. The current implementation
  104. performs best-effort detection of overlapping wildcarded flows and may reject
  105. some but not all of them. However, this behavior may change in future versions.
  106. Unique flow identifiers
  107. -----------------------
  108. An alternative to using the original match portion of a key as the handle for
  109. flow identification is a unique flow identifier, or "UFID". UFIDs are optional
  110. for both the kernel and user space program.
  111. User space programs that support UFID are expected to provide it during flow
  112. setup in addition to the flow, then refer to the flow using the UFID for all
  113. future operations. The kernel is not required to index flows by the original
  114. flow key if a UFID is specified.
  115. Basic rule for evolving flow keys
  116. ---------------------------------
  117. Some care is needed to really maintain forward and backward
  118. compatibility for applications that follow the rules listed under
  119. "Flow key compatibility" above.
  120. The basic rule is obvious:
  121. ------------------------------------------------------------------
  122. New network protocol support must only supplement existing flow
  123. key attributes. It must not change the meaning of already defined
  124. flow key attributes.
  125. ------------------------------------------------------------------
  126. This rule does have less-obvious consequences so it is worth working
  127. through a few examples. Suppose, for example, that the kernel module
  128. did not already implement VLAN parsing. Instead, it just interpreted
  129. the 802.1Q TPID (0x8100) as the Ethertype then stopped parsing the
  130. packet. The flow key for any packet with an 802.1Q header would look
  131. essentially like this, ignoring metadata:
  132. eth(...), eth_type(0x8100)
  133. Naively, to add VLAN support, it makes sense to add a new "vlan" flow
  134. key attribute to contain the VLAN tag, then continue to decode the
  135. encapsulated headers beyond the VLAN tag using the existing field
  136. definitions. With this change, a TCP packet in VLAN 10 would have a
  137. flow key much like this:
  138. eth(...), vlan(vid=10, pcp=0), eth_type(0x0800), ip(proto=6, ...), tcp(...)
  139. But this change would negatively affect a userspace application that
  140. has not been updated to understand the new "vlan" flow key attribute.
  141. The application could, following the flow compatibility rules above,
  142. ignore the "vlan" attribute that it does not understand and therefore
  143. assume that the flow contained IP packets. This is a bad assumption
  144. (the flow only contains IP packets if one parses and skips over the
  145. 802.1Q header) and it could cause the application's behavior to change
  146. across kernel versions even though it follows the compatibility rules.
  147. The solution is to use a set of nested attributes. This is, for
  148. example, why 802.1Q support uses nested attributes. A TCP packet in
  149. VLAN 10 is actually expressed as:
  150. eth(...), eth_type(0x8100), vlan(vid=10, pcp=0), encap(eth_type(0x0800),
  151. ip(proto=6, ...), tcp(...)))
  152. Notice how the "eth_type", "ip", and "tcp" flow key attributes are
  153. nested inside the "encap" attribute. Thus, an application that does
  154. not understand the "vlan" key will not see either of those attributes
  155. and therefore will not misinterpret them. (Also, the outer eth_type
  156. is still 0x8100, not changed to 0x0800.)
  157. Handling malformed packets
  158. --------------------------
  159. Don't drop packets in the kernel for malformed protocol headers, bad
  160. checksums, etc. This would prevent userspace from implementing a
  161. simple Ethernet switch that forwards every packet.
  162. Instead, in such a case, include an attribute with "empty" content.
  163. It doesn't matter if the empty content could be valid protocol values,
  164. as long as those values are rarely seen in practice, because userspace
  165. can always forward all packets with those values to userspace and
  166. handle them individually.
  167. For example, consider a packet that contains an IP header that
  168. indicates protocol 6 for TCP, but which is truncated just after the IP
  169. header, so that the TCP header is missing. The flow key for this
  170. packet would include a tcp attribute with all-zero src and dst, like
  171. this:
  172. eth(...), eth_type(0x0800), ip(proto=6, ...), tcp(src=0, dst=0)
  173. As another example, consider a packet with an Ethernet type of 0x8100,
  174. indicating that a VLAN TCI should follow, but which is truncated just
  175. after the Ethernet type. The flow key for this packet would include
  176. an all-zero-bits vlan and an empty encap attribute, like this:
  177. eth(...), eth_type(0x8100), vlan(0), encap()
  178. Unlike a TCP packet with source and destination ports 0, an
  179. all-zero-bits VLAN TCI is not that rare, so the CFI bit (aka
  180. VLAN_TAG_PRESENT inside the kernel) is ordinarily set in a vlan
  181. attribute expressly to allow this situation to be distinguished.
  182. Thus, the flow key in this second example unambiguously indicates a
  183. missing or malformed VLAN TCI.
  184. Other rules
  185. -----------
  186. The other rules for flow keys are much less subtle:
  187. - Duplicate attributes are not allowed at a given nesting level.
  188. - Ordering of attributes is not significant.
  189. - When the kernel sends a given flow key to userspace, it always
  190. composes it the same way. This allows userspace to hash and
  191. compare entire flow keys that it may not be able to fully
  192. interpret.