datapath-windows: Add Connection Tracking Support

Enable support for Stateful Firewall in Hyper-V by adding a Connection
Tracking module. The module has been ported over from the userspace
implementation patch of a similar name.

The current version of the module supports ct - zone, mark and label for
TCP packets. Support for other packet formats will be added in subsequent
patches.

The conntrack-tcp module is adapted from FreeBSD's pf subsystem and hence
the BSD license. It has been ported over to match OVS Hyper-V coding
style.

Signed-off-by: Sairam Venugopal <[email protected]>
Signed-off-by: Daniele Di Proietto <[email protected]>
Co-Authored-by: Daniele Di Proietto <[email protected]>
Acked-by: Nithin Raju <[email protected]>
Signed-off-by: Ben Pfaff <[email protected]>

Author: 2 people

NOTICE

@@ -38,3 +38,8 @@ Copyright (c) 2008, 2009, 2010 Sten Spans <[email protected]>
 Auto Attach implementation
 Copyright (c) 2014, 2015 WindRiver, Inc
 Copyright (c) 2014, 2015 Avaya, Inc
+
+TCP connection tracker from FreeBSD pf, BSD licensed
+Copyright (c) 2001 Daniel Hartmeier
+Copyright (c) 2002 - 2008 Henning Brauer
+Copyright (c) 2012 Gleb Smirnoff <[email protected]>

datapath-windows/automake.mk

@@ -13,6 +13,9 @@ EXTRA_DIST += \
 	datapath-windows/ovsext/Atomic.h \
 	datapath-windows/ovsext/BufferMgmt.c \
 	datapath-windows/ovsext/BufferMgmt.h \
+	datapath-windows/ovsext/Conntrack-tcp.c \
+	datapath-windows/ovsext/Conntrack.c \
+	datapath-windows/ovsext/Conntrack.h \
 	datapath-windows/ovsext/Datapath.c \
 	datapath-windows/ovsext/Datapath.h \
 	datapath-windows/ovsext/Debug.c \

datapath-windows/ovsext/Actions.c

@@ -17,6 +17,7 @@
 #include "precomp.h"
 
 #include "Actions.h"
+#include "Conntrack.h"
 #include "Debug.h"
 #include "Event.h"
 #include "Flow.h"
@@ -1786,6 +1787,28 @@ OvsDoExecuteActions(POVS_SWITCH_CONTEXT switchContext,
             break;
         }
 
+        case OVS_ACTION_ATTR_CT:
+        {
+            if (ovsFwdCtx.destPortsSizeOut > 0
+                || ovsFwdCtx.tunnelTxNic != NULL
+                || ovsFwdCtx.tunnelRxNic != NULL) {
+                status = OvsOutputBeforeSetAction(&ovsFwdCtx);
+                if (status != NDIS_STATUS_SUCCESS) {
+                    dropReason = L"OVS-adding destination failed";
+                    goto dropit;
+                }
+            }
+
+            status = OvsExecuteConntrackAction(ovsFwdCtx.curNbl, layers,
+                                               key, (const PNL_ATTR)a);
+            if (status != NDIS_STATUS_SUCCESS) {
+                OVS_LOG_ERROR("CT Action failed");
+                dropReason = L"OVS-conntrack action failed";
+                goto dropit;
+            }
+            break;
+        }
+
         case OVS_ACTION_ATTR_RECIRC:
         {
             if (ovsFwdCtx.destPortsSizeOut > 0 || ovsFwdCtx.tunnelTxNic != NULL