daemon.at: Fix a race condition with windows service test.
OVS daemon service for Windows creates the pidfile and then
registers with the Windows services manager that the service
is running. There is a small time gap between the two steps.
So retry a few times in the test.
Ben Pfaff [Wed, 11 Feb 2015 02:00:22 +0000 (18:00 -0800)]
timeval: Correctly report usage statistics in log_poll_interval().
Most of the information that timeval was reporting for long poll intervals
was comparing per-thread with per-process statistics, which yielded
nonsense a lot of the time.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Alex Wang <alexw@nicira.com>
Alex Wang [Wed, 4 Feb 2015 01:08:13 +0000 (17:08 -0800)]
netdev-dpdk: Allow changing NON_PMD_CORE_ID for testing purpose.
For testing purpose, developers may want to change the NON_PMD_CORE_ID
and use a different core for non-pmd threads. Since the netdev-dpdk
module is hard-coded to assert the non-pmd threads using core 0, such
change will cause abortion of OVS.
This commit fixes the assertion and allows changing NON_PMD_CORE_ID.
Signed-off-by: Alex Wang <alexw@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Andy Zhou [Sat, 7 Feb 2015 00:14:10 +0000 (16:14 -0800)]
test: Reverse the order of commands added by ON_EXIT macro
Executing clean-up commands in the reverse order of their addition
seems to be better for most of the cleanup situations. For example,
in kmod tests, we should remove name spaces before remove kernel
modules.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Ben Pfaff <blp@nicira.comugi
Shu Shen [Wed, 4 Feb 2015 06:24:18 +0000 (22:24 -0800)]
ofproto: add support of OFPR_ACTION_SET as packet-in reason for OF1.4+
This patch adds support for OFPR_ACTION_SET as the packet-in reason when
a Packet-In message is triggered by an output action within an
action-set. By default reason code OFPR_ACTION_SET is enabled for async
messages when Openflow 1.4+ is used. A test case is included.
Signed-off-by: Shu Shen <shu.shen@radisys.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Jason Kölker [Sat, 7 Feb 2015 06:47:51 +0000 (06:47 +0000)]
XenServer: Don't reset on xe-toolstack-restart
With XenServer only 1 manager is configured in the pool, which may not
be the first manager returned from `get-manager` as it returns in
lexicographical order.
Signed-off-by: Jason Kölker <jason@koelker.net> Signed-off-by: Ben Pfaff <blp@nicira.com>
Andy Zhou [Thu, 5 Feb 2015 23:29:38 +0000 (15:29 -0800)]
test: remove unnecessary leading blanks
This is mostly a style fix. The macro is used in the next patch to
add commands to the 'cleanup" file. This fix makes the 'cleanup' file
easier to read.
Signed-off-by: Andy Zhou <azhou@nicira.com> Signed-off-by: Joe Stringer <joestringer@nicira.com>
Andy Zhou [Thu, 5 Feb 2015 23:19:41 +0000 (15:19 -0800)]
test: remove namespace after ovs-vswitchd is stopped
Remove namespaces also removes the ports in them, thus may
causing vswitch to generate warning log messages about not being
able find the port before it exits.
Remove namespaces after ovs-vswitchd exits improves test reliability.
Signed-off-by: Andy Zhou <azhou@nicira.com> Signed-off-by: Joe Stringer <joestringer@nicira.com>
Thomas Graf [Fri, 6 Feb 2015 20:10:44 +0000 (21:10 +0100)]
datapath: Account for "vxlan: Eliminate dependency on UDP socket in transmit path"
Excludes VXLAN_F_REMCSUM_TX bits as OVS currently doesn't support it.
Upstream commit:
vxlan: Eliminate dependency on UDP socket in transmit path
In the vxlan transmit path there is no need to reference the socket
for a tunnel which is needed for the receive side. We do, however,
need the vxlan_dev flags. This patch eliminate references
to the socket in the transmit path, and changes VXLAN_F_UNSHAREABLE
to be VXLAN_F_RCV_FLAGS. This mask is used to store the flags
applicable to receive (GBP, CSUM6_RX, and REMCSUM_RX) in the
vxlan_sock flags.
Signed-off-by: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: af33c1adae1e ("vxlan: Eliminate dependency on UDP socket in transmit path") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Fri, 6 Feb 2015 20:10:44 +0000 (21:10 +0100)]
datapath: Support VXLAN Group Policy extension
Upstream commit:
openvswitch: Support VXLAN Group Policy extension
Introduces support for the group policy extension to the VXLAN virtual
port. The extension is disabled by default and only enabled if the user
has provided the respective configuration.
The configuration interface to enable the extension is based on a new
attribute OVS_VXLAN_EXT_GBP nested inside OVS_TUNNEL_ATTR_EXTENSION
which can carry additional extensions as needed in the future.
The group policy metadata is stored as binary blob (struct ovs_vxlan_opts)
internally just like Geneve options but transported as nested Netlink
attributes to user space.
Renames the existing TUNNEL_OPTIONS_PRESENT to TUNNEL_GENEVE_OPT with the
binary value kept intact, a new flag TUNNEL_VXLAN_OPT is introduced.
The attributes OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and existing
OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS are implemented mutually exclusive.
Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 1dd144 ("openvswitch: Support VXLAN Group Policy extension") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
INSTALL.Windows: Don't specify the openssl version.
Windows openssl libraries are distributed through slproweb.
The maintainer there is very strict about retiring unsafe
versions of openssl and only lets the latest versions of
openssl to be downloaded. Instead of updating INSTALL.Windows
everytime there is a change in latest version, leave it to
user's discretion to download the latest version.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Thomas Graf [Wed, 4 Feb 2015 15:45:06 +0000 (07:45 -0800)]
datapath: Fix missing symbols when required to use own VXLAN stack
Fixes an insufficient ifdef in compat/vxlan.c which caused required
symbols not to be included in the build. The declarations were properly
enabled so the build would succeed but the module would spit missing
symbols when being inserted.
The fix uses a new define USE_UPSTREAM_VXLAN which is set in the compat
header <net/vxlan.h> as required. This centralizes the decision when to
include VXLAN compat code to a single place which eases further changes.
Reported-by: Pravin Shelar <pshelar@nicira.com> Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Jarno Rajahalme [Wed, 4 Feb 2015 20:59:04 +0000 (12:59 -0800)]
ofproto: Initialize tunnel module earlier.
The tunnel module can get called by the handler threads right after
they are started, so we need to call ofproto_tunnel_init() before
opening the backer.
Late initialization caused a spurious ovs-vswitchd handler thread
crash on start-up due to the tunnel module fat_rwlock not being
initialized yet.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Flavio Leitner [Thu, 11 Dec 2014 11:38:19 +0000 (09:38 -0200)]
mcast-snoop: Add support to control Reports forwarding
The RFC4541 section 2.1.1 item 1 allows the snooping switch
to provide an administrative control to allow Report messages
to be flooded to ports not connected to multicast routers.
Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Alex Wang [Mon, 2 Feb 2015 22:50:47 +0000 (14:50 -0800)]
ovs-dpctl: Do not report pmd info for 'dpif-netlink' datapath.
In 'ovs-dpctl dump-flows' output, we should only report the pmd
related info for 'dpif-netdev' datapath. However, current
implementation also reports uninitialized pmd info for
'dpif-netlink' datapath, which is very confusing to users.
This commit fixes it.
Signed-off-by: Alex Wang <alexw@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Alex Wang [Mon, 2 Feb 2015 20:57:16 +0000 (12:57 -0800)]
ovs-command-completion: Complete on file path by default.
This commit makes the bash completion script complete on file
path when there is no completion available. The unit tests
are also adjusted accordingly.
Signed-off-by: Alex Wang <alexw@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Fri, 30 Jan 2015 22:20:52 +0000 (14:20 -0800)]
ofp-util: Issue error when OFPGC_DELETE command includes buckets.
An OFPGC_DELETE command deletes a whole group, including all of its
buckets, and so it doesn't make sense for the command itself to include any
specification of buckets.
ONF-JIRA: EXT-510 Signed-off-by: Ben Pfaff <blp@nicira.com>
Andy Zhou [Tue, 3 Feb 2015 21:57:55 +0000 (13:57 -0800)]
datapath: update exact match lookup hash value to avoid hash collision
Currently, the exact match cache lookup uses 'skb->hash' as an index.
In most cases, this value will be the same for pre and post
recirculation lookup, threshing the exact match cache. This patch
avoid this hash collision by using the rehashed value, by mixing in
in the 'recirc_id', as the lookup index.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Tue, 3 Feb 2015 20:53:36 +0000 (21:53 +0100)]
datapath: Account for "netlink: make nlmsg_end() and genlmsg_end() void"
genlmsg_end() no longer returns an error value. Not a problem as it
never returned an error code anyway.
Upstream: 053c09 ("netlink: make nlmsg_end() and genlmsg_end() void") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Tue, 3 Feb 2015 20:53:36 +0000 (21:53 +0100)]
datapath: Account for "genetlink: pass only network namespace to genl_has_listeners()"
Upstream commit:
genetlink: pass only network namespace to genl_has_listeners()
There's no point to force the caller to know about the internal
genl_sock to use inside struct net, just have them pass the network
namespace. This doesn't really change code generation since it's
an inline, but makes the caller less magic - there's never any
reason to pass another socket.
Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: f8403a2 ("genetlink: pass only network namespace to genl_has_listeners()") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Tue, 3 Feb 2015 20:53:36 +0000 (21:53 +0100)]
datapath: Allow for any level of nesting in flow attributes
Upstream commit:
openvswitch: Allow for any level of nesting in flow attributes
nlattr_set() is currently hardcoded to two levels of nesting. This change
introduces struct ovs_len_tbl to define minimal length requirements plus
next level nesting tables to traverse the key attributes to arbitrary depth.
Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 81bfe3 ("openvswitch: Allow for any level of nesting in flow attributes") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Tue, 3 Feb 2015 20:53:36 +0000 (21:53 +0100)]
datapath: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()
Backport of upstream commit:
openvswitch: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()
Also factors out Geneve validation code into a new separate function
validate_and_copy_geneve_opts().
A subsequent patch will introduce VXLAN options. Rename the existing
GENEVE_TUN_OPTS() to reflect its extended purpose of carrying generic
tunnel metadata options.
Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: d91641d ("openvswitch: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Tue, 3 Feb 2015 20:53:35 +0000 (21:53 +0100)]
datapath: Account for "vxlan: add x-netns support"
Upstream commit:
vxlan: add x-netns support
This patch allows to switch the netns when packet is encapsulated or
decapsulated.
The vxlan socket is openned into the i/o netns, ie into the netns where
encapsulated packets are received. The socket lookup is done into this netns to
find the corresponding vxlan tunnel. After decapsulation, the packet is
injecting into the corresponding interface which may stand to another netns.
When one of the two netns is removed, the tunnel is destroyed.
Configuration example:
ip netns add netns1
ip netns exec netns1 ip link set lo up
ip link add vxlan10 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0
ip link set vxlan10 netns netns1
ip netns exec netns1 ip addr add 192.168.0.249/24 broadcast 192.168.0.255 dev vxlan10
ip netns exec netns1 ip link set vxlan10 up
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: f01ec1c017de ("vxlan: add x-netns support") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Tue, 3 Feb 2015 20:53:35 +0000 (21:53 +0100)]
datapath: Account for "vxlan: Group Policy extension"
Upstream commit:
vxlan: Group Policy extension
Implements supports for the Group Policy VXLAN extension [0] to provide
a lightweight and simple security label mechanism across network peers
based on VXLAN. The security context and associated metadata is mapped
to/from skb->mark. This allows further mapping to a SELinux context
using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
tc, etc.
The group membership is defined by the lower 16 bits of skb->mark, the
upper 16 bits are used for flags.
SELinux allows to manage label to secure local resources. However,
distributed applications require ACLs to implemented across hosts. This
is typically achieved by matching on L2-L4 fields to identify the
original sending host and process on the receiver. On top of that,
netlabel and specifically CIPSO [1] allow to map security contexts to
universal labels. However, netlabel and CIPSO are relatively complex.
This patch provides a lightweight alternative for overlay network
environments with a trusted underlay. No additional control protocol
is required.
Host 1: Host 2:
Group A Group B Group B Group A
+-----+ +-------------+ +-------+ +-----+
| lxc | | SELinux CTX | | httpd | | VM |
+--+--+ +--+----------+ +---+---+ +--+--+
\---+---/ \----+---/
| |
+---+---+ +---+---+
| vxlan | | vxlan |
+---+---+ +---+---+
+------------------------------+
Backwards compatibility:
A VXLAN-GBP socket can receive standard VXLAN frames and will assign
the default group 0x0000 to such frames. A Linux VXLAN socket will
drop VXLAN-GBP frames. The extension is therefore disabled by default
and needs to be specifically enabled:
ip link add [...] type vxlan [...] gbp
In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
must run on a separate port number.
Examples:
iptables:
host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 351149 ("vxlan: Group Policy extension") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
This patch cleans up the header flags of VXLAN in anticipation of
defining some new ones:
- Move header related definitions from vxlan.c to vxlan.h
- Change VXLAN_FLAGS to be VXLAN_HF_VNI (only currently defined flag)
- Move check for unknown flags to after we find vxlan_sock, this
assumes that some flags may be processed based on tunnel
configuration
- Add a comment about why the stack treating unknown set flags as an
error instead of ignoring them
Signed-off-by: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 3bf394 ("vxlan: Improve support for header flags") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Tue, 3 Feb 2015 20:53:35 +0000 (21:53 +0100)]
datapath: Account for "rename vlan_tx_* helpers since "tx" is misleading there"
Upstream commit:
net: rename vlan_tx_* helpers since "tx" is misleading there
The same macros are used for rx as well. So rename it.
Signed-off-by: Jiri Pirko <jiri@resnulli.us> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: df8a39d ("net: rename vlan_tx_* helpers since "tx" is misleading there") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Ben Pfaff [Fri, 30 Jan 2015 21:36:34 +0000 (13:36 -0800)]
ofproto-dpif: Revalidate when sFlow probability changes.
Until now, when the sFlow selection probability changed, OVS failed to
immediately revalidate the flow table, delaying the new probability taking
effect. This commit fixes the problem.
Reported-by: K 華 <k940545@hotmail.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
commit 7905aae3fc1633c2c44c8fdb9e9d3a3d6e63439b
("vlog: Don't fail syslog initialization in chroot.")
uses os.path.isfile("/dev/log"), which tests if the given path
is a regular file, to see if syslog can be usable.
However, /dev/log is not a regular file for platforms I looked at.
* On Ubuntu 14.04 and CentOS 6.5, /dev/log is a socket
* On NetBSD-6, /dev/log is a symlink to a socket
Replace the test with os.path.exists() so that it can work
as intended for these platforms.
Jarno Rajahalme [Tue, 3 Feb 2015 02:06:50 +0000 (18:06 -0800)]
miniflow: Fix miniflow push of L4 port numbers.
Replace a 64 bit copy of L4 src/dst ports that was also
including additional packet params (e.g. TCP Seq Num). This
was later resulting in all packets from the flow missing in
the EMC.
Alex Wang [Mon, 24 Nov 2014 19:15:45 +0000 (11:15 -0800)]
ovs-command-completion: Autotest integration.
This commit integrates the unit tests defined in
utilities/ovs-command-compgen-test.bash into 'make check'.
The tests will be skipped if the current shell is not bash.
Signed-off-by: Alex Wang <alexw@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Sorin Vinturis [Mon, 26 Jan 2015 19:00:40 +0000 (19:00 +0000)]
datapath-windows: Solved BSOD when loading an activated extension
If the OVS extension was previously enabled and the driver unloaded,
when the driver is loaded again a BSOD is triggered.
This happens because the OVS extension registers its FilterXxx routines
to NDIS, by calling NdisFRegisterFilterDriver, before performing all
the necessary initialization. Because drivers that call
NdisFRegisterFilterDriver must be prepared for an immediate call to any
of their FilterXxx functions.
The BSOD is triggered because the FilterAttach routine, OvsExtAttach,
tries to acquire the control lock, when the lock is not yet initialized.
This happens because the FilterAttach is called before the driver
finishes initialization, in OvsInit().
The solution is to perform all necessary initialization before
registering OVS FilterXxx routines.
If device object creation fails, all allocated resources during init
phase are released by calling OvsCleanup and NdisFDeregisterFilterDriver
functions.
Christoph Jaeger [Mon, 26 Jan 2015 16:26:12 +0000 (11:26 -0500)]
autotest: Use modprobe for kernel module unloading
rmmod fails if the module is not loaded; thus, Vagrant aborts provisioning
when started from a clean slate. Use modprobe, which does not fail, instead.
Unloading unused modules the to-be-unloaded module depends on may also be
desirable.
Signed-off-by: Christoph Jaeger <cj@linux.com> Signed-off-by: Andy Zhou <azhou@nicira.com>
When OVS unit tests are run inside chroot environment,
there is no syslog infrastructure available. In a
situation like that, don't fail or log additional messages
to syslog by increasing the severity level of syslog very high
(log messages would continue to be logged to console and file).
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
Mark D. Gray [Thu, 29 Jan 2015 15:22:53 +0000 (15:22 +0000)]
INSTALL.DPDK: Update documentation to indicate VFIO support
Since DPDK 1.7, VFIO is supported in place of UIO. This allows
a user to avoid having to insert a non-standard kernel module.
This patch updates the documentation with instructions for
setting up OVS with VFIO. As part of this work, VFIO was also
successfully tested with OVS and the DPDK netdev.
[tgraf: Added some more markdown formatting]
Signed-off-by: Mark D. Gray <mark.d.gray@intel.com> Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
in OVS_KMOD_VSWITCHD_STOP make up a syntactically correct function definition
(OVS_SWITCHD_STOP does not exist, and therefore the call does not expand):
Consequently, neither of the calls has the intended effect, i.e., stopping
ovs-vswitchd and ovsdb-server, checking their log files, and unloading the
datapath kernel module. Fix the misnaming, so all calls expand properly.
Fixes: 69c2bdfef9 ("autotest: add autotest framework for adding kernel module unit tests") Signed-off-by: Christoph Jaeger <cj@linux.com> Signed-off-by: Andy Zhou <azhou@nicira.com>
Author: add Christoph Jaeger
vlog: Ability to override the default log facility.
When Open vSwitch is run in hundreds of hypervisors, it is
useful to collect log messages through log collectors. To
collect log messages like this, it is useful to log them
in a particular RFC5424 facility in the local system. The
log collectors can then be used to collect logs anytime
desired.
This commit provides a sysadmin the ability to specify the
facility through which the log messages are logged.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
INSTALL.DPDK.md: Provide a little a more consistency to documentation.
A few users (based on the reports in discuss@openvswitch.org) have been
literally following the instructions in INSTALL.DPDK.md and mixing up
pre-installed utilities and daemons with freshly compiled utilities
because the current documentation does not consistently call out
using utilities from the compiled sources.
This commit updates DPDK documentation to ask users to do a 'make install'
and then use the utilities and daemons directly from Linux PATH.
It also adds github markup where applicable.
Joe Stringer [Fri, 19 Dec 2014 17:54:38 +0000 (09:54 -0800)]
upcall: Simplify enable_ufid debug option.
We previously tracked the debug enable/disable of UFID in each udpif,
and allowed the ovs-appctl debug option to turn on UFID features even if
the datapath doesn't support it.
This commit shifts the enable_ufid debug flag to a single flag, and
provides a helper to determine whether UFID features should be used on a
per-udpif basis.
Suggested-by: Andy Zhou <azhou@nicira.com> Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Mon, 19 Jan 2015 23:47:30 +0000 (15:47 -0800)]
vconn: Move struct definitions back to provider interface.
Commit 4a1f523f2d760 (lib: Move vconn.h to <openvswitch/vconn.h>) moved
the definitions of struct vconn and struct pvconn into the public vconn.h
header. This is unnecessary because the size and content of these structs
is not part of the ABI. This commit moves them back.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
Ben Pfaff [Sat, 17 Jan 2015 17:21:04 +0000 (09:21 -0800)]
pktbuf: Always initialize '*bufferp' even when 'pb == NULL'.
Otherwise if a service connection (which does not have buffers) attempts
to use buffers, '*bufferp' will be uninitialized, which can cause a
segfault in the caller.
Found using OFtest configured to use service (active rather than passive)
connections.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
will run "make check-kmod" in the vagrant launched VM.
It turns out to be more convenient to test within as root. Switch
Vagrantfile provisions to run as root user. However, vagrant can
still be launched as normal user.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
Andy Zhou [Tue, 13 Jan 2015 23:21:36 +0000 (15:21 -0800)]
autotest: add autotest framework for adding kernel module unit tests
This patch adds a basic infrastructure for developing and running
kernel module unit tests. Currently OVS contains thousands
of useful unit tests for user space programs. It is desirable to
have corresponding kernel module unit tests.
This commit adds basic framework for adding kernel module tests. Like
user space unit tests, Kmod tests are based autotest framework, thus
are similar to existing unit tests. For references, kmod-traffic.at
contains a simple ping test.
"make check-kmod" can be invoked on any build machine as a root
user. Since kernel testing can potentially crash the kernel, it is
not recommended to run those tests directly on a development machine,
but rather a testing VM, such as ones can be launched by vagrant.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
packets: Do not use zero sized array in icmp header.
Visual studio supports zero-size array within a struct or union,
but has to be the last element. GCC does not have this restriction.
icmp headers got included inside 'struct ovs_nd_msg' through
commit e60e935b1f (Implement set-field for IPv6 ND fields (nd_target,
nd_sll,and nd_tll). This causes compilation error while using MSVC.
Since icmp[6]_data in the icmp[6]_header is not used anywhere, just remove
them.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Stephen Finucane [Thu, 15 Jan 2015 09:20:22 +0000 (09:20 +0000)]
configure.ac: Enable 'tar-pax' by default
Automake defaults to the 'v7' legacy tar format in GNU tar, through
passing of the '-o' parameter to GNU tar. Enabling this option results
in errors for users with 32 bit UIDs:
$ make dist
...
tardir=openvswitch-2.3.90 && ${TAR-tar} chof - "$tardir" | GZIP=--best gzip -c >openvswitch-2.3.90.tar.gz
tar: value 12345678 out of uid_t range 0..2097151
tar: Exiting with failure status due to previous errors
make[1]: Leaving directory `/development/ovs'
...
The 'tar-pax' format is a 2001 POSIX standard that allow longer file
names and other niceties. Its use is a configuration option in Automake
1.9+. Enable this option.
Signed-off-by: Stephen Finucane <stephen.finucane@intel.com> Reviewed-by: Mark D. Gray <mark.d.gray@intel.com> Cc: Panu Matilainen <pmatilai@laiskiainen.org> Signed-off-by: Ben Pfaff <blp@nicira.com>
YAMAMOTO Takashi [Wed, 14 Jan 2015 01:20:12 +0000 (10:20 +0900)]
ovs-numa.h: Add a missing OVS_UNUSED
Suppress the following warning:
> cc1: warnings being treated as errors
> In file included from ../lib/dpif.h:394:0,
> from ../lib/netdev.c:28:
> ../lib/ovs-numa.h: In function 'ovs_numa_dump_cores_on_numa':
> ../lib/ovs-numa.h:150:33: error: unused parameter 'numa_id'
Thomas Graf [Wed, 14 Jan 2015 23:17:31 +0000 (00:17 +0100)]
dpif: Use separate OVS_PACKET_ATTR_PROBE for packet messges
User space is currently sending a OVS_FLOW_ATTR_PROBE for both flow
and packet messages. This leads to an out-of-bounds access in
ovs_packet_cmd_execute() because OVS_FLOW_ATTR_PROBE >
OVS_PACKET_ATTR_MAX.
Introduce a new OVS_PACKET_ATTR_PROBE with the same numeric value
as OVS_FLOW_ATTR_PROBE to grow the range of accepted packet attributes
while maintaining binary compatibility with existing OVS binaries.
Fixes: 9233ce ("datapath: Add support for OVS_FLOW_ATTR_PROBE.") Reported-by: Sander Eikelenboom <linux@eikelenboom.it> Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Jesse Gross <jesse@nicira.com>
Jarno Rajahalme [Wed, 14 Jan 2015 00:39:46 +0000 (16:39 -0800)]
test-atomic: Stop testing when running slow.
When the test suite is run on an OS with 1 core (e.g., a VM with one
core assigned to it), some of the atomic memory model tests take a
long time, with the effect that the test seems stuck.
This patch stops these tests after one second and only fails the test
if there has not been any significant progress, allowing the test to
pass also when running only with one core.
Implement set-field for IPv6 ND fields (nd_target, nd_sll, and nd_tll).
This patch adds set-field operations for nd_target, nd_sll, and nd_tll
fields, with and without masks, using Nicira extensions and OpenFlow 1.2
protocol.
Signed-off-by: Randall A Sharo <randall.sharo at navy.mil> Signed-off-by: Ben Pfaff <blp@nicira.com>
Andrew Kampjes [Mon, 12 Jan 2015 18:38:52 +0000 (07:38 +1300)]
SECURITY.md: Update.
Add bit about reporting vulns with GPG.
Add generalised rules for vulnerabilties.
Signed-off-by: Andrew Kampjes <a.kampjes@gmail.com>
[blp@nicira.com edited and removed text about not using public lists] Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Fri, 2 Jan 2015 22:36:53 +0000 (14:36 -0800)]
configure: Omit -O2 from CFLAGS when configuring with --enable-coverage.
CFLAGS follows OVS_CFLAGS in the compiler command line, and should, so that
the user can override any automatically determined compiler options. That
means that the -O0 that the code here added to OVS_CFLAGS didn't really
have any effect since CFLAGS by default includes "-O2". However, we do
really want to disable optimizations (because the coverage reports are hard
to interpret with optimizations), so this commit changes the configure
script to edit out -O2 from CFLAGS, leaving any other default or
user-specified options.
Reported-by: Mijo Safradin <mijo@linux.vnet.ibm.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Amit Bose [Fri, 9 Jan 2015 11:27:04 +0000 (12:27 +0100)]
pkg-config: Fix Cflags in package-config files
Cflags in pkg-config files sets the include path to $PREFIX/openflow,
$PREFIX/openvswitch. This makes the including source files use the files
like
include <util.h>
instead of
include <openvswitch/util.h>
Ben Pfaff [Sun, 11 Jan 2015 21:45:36 +0000 (13:45 -0800)]
dpif-netlink: Drop oversized packets instead of assert-failing.
A packet sent to a Netlink datapath has to fit within a Netlink attribute.
Until now, this was only checked in an assertion inside the Netlink code,
which meant that trying to send a too-large packet (approximate 64 kB or
larger) would assert-fail. It's better to just drop those packets, which
this commit does.
Reported-by: Shuping Cui <scui@redhat.com> Reported-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
Ben Pfaff [Wed, 7 Jan 2015 21:19:41 +0000 (13:19 -0800)]
netlink: Refine calculation of maximum-length attributes.
Until now the Netlink code has considered an attribute to exceed the
maximum length if the *padded* size of the attribute exceeds 65535 bytes.
For example, an attribute with a 65529-byte payload, together with 4-byte
header and 3 bytes of padding, takes up 65536 bytes and therefore the
existing code rejected it.
However, the restriction on Netlink attribute sizes is to ensure that the
length fits in the 16-bit nla_len field. This field includes the 4-byte
header but not the padding, so a 65529-byte payload is acceptable because,
with the header but not the padding, it comes to only 65533 bytes.
Thus, this commit relaxes the restriction on Netlink attribute sizes by
omitting padding from size checks. It also changes one piece of code that
inlined a size check to use the central function nl_attr_oversized().
This change should fix an assertion failure when OVS userspace passes a
maximum-size (65529+ byte) packet back to the kernel.
Reported-by: Shuping Cui <scui@redhat.com> Reported-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
Ben Pfaff [Sun, 11 Jan 2015 21:25:24 +0000 (13:25 -0800)]
classifier: Add support for conjunctive matches.
A "conjunctive match" allows higher-level matches in the flow table, such
as set membership matches, without causing a cross-product explosion for
multidimensional matches. Please refer to the documentation that this
commit adds to ovs-ofctl(8) for a better explanation, including an example.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Motonori Shindo [Fri, 9 Jan 2015 09:31:51 +0000 (18:31 +0900)]
vagrant: make sure to bootstrap before configure_ovs.
The order of execution in Vagrantfile is "outside-in" meaning that
all commands in outer scope are executed first and then the commands
in inner scope. Because of this ordering, "configure_ovs" is executed
before "bootstrap_fedora", resulting in "configure_ovs" to fail as
it is not bootsrapped yet. This change fixes this problem by removing
the nested scope in Vagrant.configure block. Multi-machine is not used
so we don't need config.vm.define block.
Signed-off-by: Motonori Shindo <motonori@shin.do> Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Andy Zhou [Thu, 8 Jan 2015 03:42:41 +0000 (19:42 -0800)]
vagrant: switch to use out of tree build
Vagrant shared folder, at least on the default virtual box, does not
support the creation of the socket files. If one were to build OVS
under /vagrant, 'make check' would not work.
Out of tree builds can be used to work around this issue.
See Install.md for instructions.
Since out of tree builds requires a clean source tree, Vagrantfile can
not be a generated file. This commit removes Vagrantfile.in, commit
Vagrantfile instead.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
vlog: Rename the currently used term 'facility' as 'destination'.
In OVS, we currently use the term 'facility' to mean the place
where we log (syslog, console or file). In Linux's syslog() and
rfc5424, the term 'facility' is used to specify what type of program
is logging the message (e.g: LOG_DAEMON). This causes confusion
while reading vlog's code. This commit changes the term 'facility'
to 'destination'.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Ethan Jackson [Sat, 3 Jan 2015 19:39:14 +0000 (11:39 -0800)]
dpif-netdev: Fix rare flow add race condition.
Before this patch, dp_netdev_flow_add() inserted newly minted flows in
the "flow_table" cmap before inserting them into the per core "dpcls"
classifier. Since dpcls_insert() initializes 'flow->cr.mask', there's
a brief window where the flow is accessible from the cmap, but has a
bogus mask value.
In my testing, under rare instances (i.e. once every 20 minutes with a
very specific flow table and traffic pattern), revalidators core dump
when they call dpif_netdev_flow_dump_next(), which accesses this bogus
mask value from dp_netdev_flow_to_dpif_flow().
By inserting into the per core classifier before the cmap, all the
values are guaranteed to be initialized during flow dumps. With this
patch, I can no longer reproduce the crash.
Signed-off-by: Ethan Jackson <ethan@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Jarno Rajahalme [Wed, 7 Jan 2015 18:16:47 +0000 (10:16 -0800)]
tests: Make test independent of the hash function.
Otherwise compiling with -msse4.2 (or -march=native on a SSE4.2
capable CPU) will produce a test failure due to the CRC32-based hash
function being different from mhash.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>