Ben Pfaff [Sat, 17 Jan 2015 17:21:04 +0000 (09:21 -0800)]
pktbuf: Always initialize '*bufferp' even when 'pb == NULL'.
Otherwise if a service connection (which does not have buffers) attempts
to use buffers, '*bufferp' will be uninitialized, which can cause a
segfault in the caller.
Found using OFtest configured to use service (active rather than passive)
connections.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
will run "make check-kmod" in the vagrant launched VM.
It turns out to be more convenient to test within as root. Switch
Vagrantfile provisions to run as root user. However, vagrant can
still be launched as normal user.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
Andy Zhou [Tue, 13 Jan 2015 23:21:36 +0000 (15:21 -0800)]
autotest: add autotest framework for adding kernel module unit tests
This patch adds a basic infrastructure for developing and running
kernel module unit tests. Currently OVS contains thousands
of useful unit tests for user space programs. It is desirable to
have corresponding kernel module unit tests.
This commit adds a basic framework for adding kernel module tests. Like
user space unit tests, Kmod tests are based on the autotest framework, thus
are similar to existing unit tests. For references, kmod-traffic.at
contains a simple ping test.
"make check-kmod" can be invoked on any build machine as a root
user. Since kernel testing can potentially crash the kernel, it is
not recommended to run those tests directly on a development machine,
but rather a testing VM, such as ones that can be launched by vagrant.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
packets: Do not use zero sized array in icmp header.
Visual studio supports zero-size array within a struct or union,
but has to be the last element. GCC does not have this restriction.
icmp headers got included inside 'struct ovs_nd_msg' through
commit e60e935b1f (Implement set-field for IPv6 ND fields (nd_target,
nd_sll, and nd_tll)). This causes a compilation error while using MSVC.
Since icmp[6]_data in the icmp[6]_header is not used anywhere, just remove
them.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Stephen Finucane [Thu, 15 Jan 2015 09:20:22 +0000 (09:20 +0000)]
configure.ac: Enable 'tar-pax' by default
Automake defaults to the 'v7' legacy tar format in GNU tar, through
passing of the '-o' parameter to GNU tar. Enabling this option results
in errors for users with 32 bit UIDs:
$ make dist
...
tardir=openvswitch-2.3.90 && ${TAR-tar} chof - "$tardir" | GZIP=--best gzip -c >openvswitch-2.3.90.tar.gz
tar: value 12345678 out of uid_t range 0..2097151
tar: Exiting with failure status due to previous errors
make[1]: Leaving directory `/development/ovs'
...
The 'tar-pax' format is a 2001 POSIX standard that allows longer file
names and other niceties. Its use is a configuration option in Automake
1.9+. Enable this option.
Signed-off-by: Stephen Finucane <stephen.finucane@intel.com> Reviewed-by: Mark D. Gray <mark.d.gray@intel.com> Cc: Panu Matilainen <pmatilai@laiskiainen.org> Signed-off-by: Ben Pfaff <blp@nicira.com>
YAMAMOTO Takashi [Wed, 14 Jan 2015 01:20:12 +0000 (10:20 +0900)]
ovs-numa.h: Add a missing OVS_UNUSED
Suppress the following warning:
> cc1: warnings being treated as errors
> In file included from ../lib/dpif.h:394:0,
> from ../lib/netdev.c:28:
> ../lib/ovs-numa.h: In function 'ovs_numa_dump_cores_on_numa':
> ../lib/ovs-numa.h:150:33: error: unused parameter 'numa_id'
Thomas Graf [Wed, 14 Jan 2015 23:17:31 +0000 (00:17 +0100)]
dpif: Use separate OVS_PACKET_ATTR_PROBE for packet messages
User space is currently sending an OVS_FLOW_ATTR_PROBE for both flow
and packet messages. This leads to an out-of-bounds access in
ovs_packet_cmd_execute() because OVS_FLOW_ATTR_PROBE >
OVS_PACKET_ATTR_MAX.
Introduce a new OVS_PACKET_ATTR_PROBE with the same numeric value
as OVS_FLOW_ATTR_PROBE to grow the range of accepted packet attributes
while maintaining binary compatibility with existing OVS binaries.
Fixes: 9233ce ("datapath: Add support for OVS_FLOW_ATTR_PROBE.") Reported-by: Sander Eikelenboom <linux@eikelenboom.it> Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Jesse Gross <jesse@nicira.com>
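The bounds check that keeps an attribute type above the parser's maximum from indexing past the attribute table, as an added example that is not OVS or kernel code. The ex_* names, the four-entry attribute space and the byte stream are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical attribute space for this example (not the OVS enum values). */
enum { EX_ATTR_UNSPEC, EX_ATTR_PACKET, EX_ATTR_KEY, EX_ATTR_ACTIONS,
       EX_ATTR_MAX = EX_ATTR_ACTIONS };

struct ex_nlattr {
    uint16_t nla_len;    /* header + payload, padding excluded */
    uint16_t nla_type;
};

#define EX_HDRLEN sizeof(struct ex_nlattr)
#define EX_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)

/* Appends one attribute (native byte order) and returns the new offset. */
static size_t ex_put(uint8_t *buf, size_t off, uint16_t type,
                     const void *payload, uint16_t plen)
{
    struct ex_nlattr a = { (uint16_t)(EX_HDRLEN + plen), type };

    memcpy(buf + off, &a, sizeof a);
    if (plen) {
        memcpy(buf + off + EX_HDRLEN, payload, plen);
    }
    memset(buf + off + a.nla_len, 0, EX_ALIGN(a.nla_len) - a.nla_len);
    return off + EX_ALIGN(a.nla_len);
}

/* Records a pointer to the payload of each attribute in tb[0..max].
 * Returns how many attributes were skipped because their type was above
 * 'max', or -1 if the stream is malformed. */
int ex_parse(const uint8_t *buf, size_t len, int max, const uint8_t **tb)
{
    size_t off = 0;
    int skipped = 0;

    memset(tb, 0, (size_t)(max + 1) * sizeof *tb);
    while (len - off >= EX_HDRLEN) {
        struct ex_nlattr a;
        size_t step;

        memcpy(&a, buf + off, sizeof a);
        if (a.nla_len < EX_HDRLEN || a.nla_len > len - off) {
            return -1;                      /* length runs past the buffer */
        }
        if (a.nla_type > max) {
            skipped++;                      /* never used as an index into tb[] */
        } else {
            tb[a.nla_type] = buf + off + EX_HDRLEN;
        }
        step = EX_ALIGN(a.nla_len);
        off = step > len - off ? len : off + step;
    }
    return off == len ? skipped : -1;       /* trailing bytes are malformed */
}

struct ex_result { int skipped; int guard_intact; int packet_found; };

/* Constructed stream: one in-range attribute followed by a zero-length flag
 * whose type is one above the maximum the parser was given. */
struct ex_result ex_demo(void)
{
    static const uint8_t guard_byte = 0;
    const uint8_t *tb[EX_ATTR_MAX + 2];     /* one extra slot as a canary */
    uint8_t buf[32];
    struct ex_result r;
    size_t n = 0;

    n = ex_put(buf, n, EX_ATTR_PACKET, "\x01\x02\x03\x04", 4);
    n = ex_put(buf, n, EX_ATTR_MAX + 1, NULL, 0);
    tb[EX_ATTR_MAX + 1] = &guard_byte;
    r.skipped = ex_parse(buf, n, EX_ATTR_MAX, tb);
    r.guard_intact = tb[EX_ATTR_MAX + 1] == &guard_byte;
    r.packet_found = tb[EX_ATTR_PACKET] == buf + EX_HDRLEN;
    return r;
}

/* The same parser handed fewer bytes than the attribute header claims. */
int ex_demo_truncated(void)
{
    const uint8_t *tb[EX_ATTR_MAX + 1];
    uint8_t buf[16];
    size_t n = ex_put(buf, 0, EX_ATTR_PACKET, "\x01\x02\x03\x04", 4);

    return ex_parse(buf, n - 2, EX_ATTR_MAX, tb);
}

int main(void)
{
    return ex_demo().skipped == 1 && ex_demo_truncated() == -1 ? 0 : 1;
}
```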
Jarno Rajahalme [Wed, 14 Jan 2015 00:39:46 +0000 (16:39 -0800)]
test-atomic: Stop testing when running slow.
When the test suite is run on an OS with 1 core (e.g., a VM with one
core assigned to it), some of the atomic memory model tests take a
long time, with the effect that the test seems stuck.
This patch stops these tests after one second and only fails the test
if there has not been any significant progress, allowing the test to
pass also when running only with one core.
Implement set-field for IPv6 ND fields (nd_target, nd_sll, and nd_tll).
This patch adds set-field operations for nd_target, nd_sll, and nd_tll
fields, with and without masks, using Nicira extensions and OpenFlow 1.2
protocol.
Signed-off-by: Randall A Sharo <randall.sharo at navy.mil> Signed-off-by: Ben Pfaff <blp@nicira.com>
Andrew Kampjes [Mon, 12 Jan 2015 18:38:52 +0000 (07:38 +1300)]
SECURITY.md: Update.
Add bit about reporting vulns with GPG.
Add generalised rules for vulnerabilities.
Signed-off-by: Andrew Kampjes <a.kampjes@gmail.com>
[blp@nicira.com edited and removed text about not using public lists] Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Fri, 2 Jan 2015 22:36:53 +0000 (14:36 -0800)]
configure: Omit -O2 from CFLAGS when configuring with --enable-coverage.
CFLAGS follows OVS_CFLAGS in the compiler command line, and should, so that
the user can override any automatically determined compiler options. That
means that the -O0 that the code here added to OVS_CFLAGS didn't really
have any effect since CFLAGS by default includes "-O2". However, we do
really want to disable optimizations (because the coverage reports are hard
to interpret with optimizations), so this commit changes the configure
script to edit out -O2 from CFLAGS, leaving any other default or
user-specified options.
Reported-by: Mijo Safradin <mijo@linux.vnet.ibm.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Amit Bose [Fri, 9 Jan 2015 11:27:04 +0000 (12:27 +0100)]
pkg-config: Fix Cflags in package-config files
Cflags in pkg-config files sets the include path to $PREFIX/openflow,
$PREFIX/openvswitch. This makes the including source files use the files
like
include <util.h>
instead of
include <openvswitch/util.h>
Ben Pfaff [Sun, 11 Jan 2015 21:45:36 +0000 (13:45 -0800)]
dpif-netlink: Drop oversized packets instead of assert-failing.
A packet sent to a Netlink datapath has to fit within a Netlink attribute.
Until now, this was only checked in an assertion inside the Netlink code,
which meant that trying to send a too-large packet (approximately 64 kB or
larger) would assert-fail. It's better to just drop those packets, which
this commit does.
Reported-by: Shuping Cui <scui@redhat.com> Reported-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
Ben Pfaff [Wed, 7 Jan 2015 21:19:41 +0000 (13:19 -0800)]
netlink: Refine calculation of maximum-length attributes.
Until now the Netlink code has considered an attribute to exceed the
maximum length if the *padded* size of the attribute exceeds 65535 bytes.
For example, an attribute with a 65529-byte payload, together with 4-byte
header and 3 bytes of padding, takes up 65536 bytes and therefore the
existing code rejected it.
However, the restriction on Netlink attribute sizes is to ensure that the
length fits in the 16-bit nla_len field. This field includes the 4-byte
header but not the padding, so a 65529-byte payload is acceptable because,
with the header but not the padding, it comes to only 65533 bytes.
Thus, this commit relaxes the restriction on Netlink attribute sizes by
omitting padding from size checks. It also changes one piece of code that
inlined a size check to use the central function nl_attr_oversized().
This change should fix an assertion failure when OVS userspace passes a
maximum-size (65529+ byte) packet back to the kernel.
Reported-by: Shuping Cui <scui@redhat.com> Reported-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
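The padded and unpadded size rules from the commit message above compared side by side, as an added example that is not the OVS implementation of nl_attr_oversized(). The ex_* names are hypothetical; the 4-byte header and 4-byte alignment are the values the message describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define EX_NLA_HDRLEN 4u                                  /* attribute header */
#define EX_NLA_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)

/* Earlier rule: the padded size of the attribute must fit in 16 bits. */
bool ex_oversized_padded(size_t payload)
{
    return payload > UINT16_MAX
           || EX_NLA_ALIGN(EX_NLA_HDRLEN + payload) > UINT16_MAX;
}

/* Relaxed rule: only header + payload, the value stored in nla_len, must fit. */
bool ex_oversized_unpadded(size_t payload)
{
    return payload > UINT16_MAX || EX_NLA_HDRLEN + payload > UINT16_MAX;
}

/* Value that goes into the 16-bit nla_len field, or 0 if it would not fit. */
unsigned int ex_nla_len(size_t payload)
{
    return ex_oversized_unpadded(payload)
           ? 0 : (unsigned int)(EX_NLA_HDRLEN + payload);
}

/* Bytes the attribute occupies in the message, padding included; 0 if the
 * attribute is rejected. This can exceed 65535 without nla_len overflowing. */
size_t ex_wire_len(size_t payload)
{
    return ex_oversized_unpadded(payload)
           ? 0 : EX_NLA_ALIGN(EX_NLA_HDRLEN + payload);
}

/* Largest payload a given rule accepts, found by walking up from zero. */
size_t ex_max_payload(bool (*oversized)(size_t))
{
    size_t p = 0;

    while (!oversized(p + 1)) {
        p++;
    }
    return p;
}

/* Number of payload sizes that the padded rule rejects but the unpadded
 * rule accepts. */
size_t ex_newly_accepted(void)
{
    size_t p, n = 0;

    for (p = 0; p <= UINT16_MAX; p++) {
        if (ex_oversized_padded(p) && !ex_oversized_unpadded(p)) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    return ex_nla_len(65529) == 65533 && ex_wire_len(65529) == 65536 ? 0 : 1;
}
```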
Ben Pfaff [Sun, 11 Jan 2015 21:25:24 +0000 (13:25 -0800)]
classifier: Add support for conjunctive matches.
A "conjunctive match" allows higher-level matches in the flow table, such
as set membership matches, without causing a cross-product explosion for
multidimensional matches. Please refer to the documentation that this
commit adds to ovs-ofctl(8) for a better explanation, including an example.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Motonori Shindo [Fri, 9 Jan 2015 09:31:51 +0000 (18:31 +0900)]
vagrant: make sure to bootstrap before configure_ovs.
The order of execution in Vagrantfile is "outside-in" meaning that
all commands in outer scope are executed first and then the commands
in inner scope. Because of this ordering, "configure_ovs" is executed
before "bootstrap_fedora", resulting in "configure_ovs" to fail as
it is not bootstrapped yet. This change fixes this problem by removing
the nested scope in Vagrant.configure block. Multi-machine is not used
so we don't need config.vm.define block.
Signed-off-by: Motonori Shindo <motonori@shin.do> Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Andy Zhou [Thu, 8 Jan 2015 03:42:41 +0000 (19:42 -0800)]
vagrant: switch to use out of tree build
Vagrant shared folder, at least on the default virtual box, does not
support the creation of the socket files. If one were to build OVS
under /vagrant, 'make check' would not work.
Out of tree builds can be used to work around this issue.
See Install.md for instructions.
Since out of tree builds require a clean source tree, Vagrantfile can
not be a generated file. This commit removes Vagrantfile.in and commits
Vagrantfile instead.
Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
vlog: Rename the currently used term 'facility' as 'destination'.
In OVS, we currently use the term 'facility' to mean the place
where we log (syslog, console or file). In Linux's syslog() and
rfc5424, the term 'facility' is used to specify what type of program
is logging the message (e.g: LOG_DAEMON). This causes confusion
while reading vlog's code. This commit changes the term 'facility'
to 'destination'.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Ethan Jackson [Sat, 3 Jan 2015 19:39:14 +0000 (11:39 -0800)]
dpif-netdev: Fix rare flow add race condition.
Before this patch, dp_netdev_flow_add() inserted newly minted flows in
the "flow_table" cmap before inserting them into the per core "dpcls"
classifier. Since dpcls_insert() initializes 'flow->cr.mask', there's
a brief window where the flow is accessible from the cmap, but has a
bogus mask value.
In my testing, under rare instances (i.e. once every 20 minutes with a
very specific flow table and traffic pattern), revalidators core dump
when they call dpif_netdev_flow_dump_next(), which accesses this bogus
mask value from dp_netdev_flow_to_dpif_flow().
By inserting into the per core classifier before the cmap, all the
values are guaranteed to be initialized during flow dumps. With this
patch, I can no longer reproduce the crash.
Signed-off-by: Ethan Jackson <ethan@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Jarno Rajahalme [Wed, 7 Jan 2015 18:16:47 +0000 (10:16 -0800)]
tests: Make test independent of the hash function.
Otherwise compiling with -msse4.2 (or -march=native on a SSE4.2
capable CPU) will produce a test failure due to the CRC32-based hash
function being different from mhash.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Flavio Leitner [Wed, 7 Jan 2015 16:26:42 +0000 (14:26 -0200)]
SECURITY.md: LTS branches triggers version release
The release cycle is in order of months currently, so when a
security fix is applied to LTS (long-term support) branches,
it is recommended to release a new version.
The idea is to keep the latest LTS tarball less vulnerable.
Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Flavio Leitner [Wed, 7 Jan 2015 16:26:41 +0000 (14:26 -0200)]
SECURITY.md: disclosure date can be negotiated
Stakeholders might need extra time to provide the update,
so let's leave it open to negotiate case by case with the
final word on the Open vSwitch security team's hands. A
default policy is provided as a reference.
Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Flavio Leitner [Wed, 7 Jan 2015 14:13:34 +0000 (12:13 -0200)]
INSTALL.md: Split building steps to allow refs
There are other parts of the document that need to
reference some building steps. Instead of copying
and explaining again, this patch splits the building
section in three sections that can be referenced.
Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: Account for new flags args of vxlan_sock_add()
The upstream commit 359a0ea
("vxlan: Add support for UDP checksums (v4 sending, v6 zero csums)")
has introduced a new flags argument to vxlan_sock_add().
OVS does not pass any flags at this point, thus specifying 0 will be
compatible with both the old ipv6 bool and the new u32 flags argument.
Upstream: 359a0ea ("vxlan: Add support for UDP checksums (v4 sending, v6 zero csums)") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: replace remaining users of arch_fast_hash with jhash
This patch effectively reverts commit 500f80872645 ("net: ovs: use CRC32
accelerated flow hash if available"), and other remaining arch_fast_hash()
users such as from nfsd via commit 6282cd565553 ("NFSD: Don't hand out
delegations for 30 seconds after recalling them.") where it has been used
as a hash function for bloom filtering.
While we think that these users are actually not much of concern, it has
been requested to remove the arch_fast_hash() library bits that arose
from [1] entirely as per recent discussion [2]. The main argument is that
using it as a hash may introduce bias due to its linearity (see avalanche
criterion) and thus makes it less clear (though we tried to document that)
when this security/performance trade-off is actually acceptable for a
general purpose library function.
Let's therefore avoid any further confusion on this matter and remove it to
prevent any future accidental misuse of it. For the time being, this is
going to make hashing of flow keys a bit more expensive in the ovs case,
but future work could reevaluate a different hashing discipline.
Upstream: 8754589 ("net: replace remaining users of arch_fast_hash with jhash") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: move vlan pop/push functions into common code
So it can be used from out of openvswitch code.
Did couple of cosmetic changes on the way, namely variable naming and
adding support for 8021AD proto.
Note on backwards compatibility:
Unlike the upstream version, the backport of skb_vlan_push() does not
support translating a hardware accelerated 8021AD tag to software.
This is not a problem though as it preserves existing behaviour.
Upstream: 93515d53 ("net: move vlan pop/push functions into common code") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: move make_writable helper into common code
note that skb_make_writable already exists in net/netfilter/core.c
but does something slightly different.
Upstream: e219512 ("net: move make_writable helper into common code") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: Add __vlan_insert_tag() compat helper if not available
Since older kernels do not have skb->vlan_proto, it is assumed that
kernels which don't provide their own __vlan_insert_tag() will also
not have skb->vlan_proto. The backwards compat function therefore
only supports ETH_P_8021Q as the protocol type.
Upstream: 15255a43 ("vlan: introduce __vlan_insert_tag helper which does not free skb") Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Ben Pfaff [Tue, 6 Jan 2015 18:21:36 +0000 (10:21 -0800)]
SECURITY: New document describing proposed security process for OVS.
Open vSwitch needs some kind of process for handling vulnerabilities. So
far, we've been pretty lucky that way, but it can't last forever, and I
think we'll be better off if we have at least the outline of an established
process whenever a significant vulnerability comes along. Here's my draft
of a process based on the documentation of the OpenStack process at
https://wiki.openstack.org/wiki/Vulnerability_Management.
I don't have a lot of experience with this kind of thing myself, so I'd
appreciate critical review from anyone who does.
Signed-off-by: Ben Pfaff <blp@nicira.com> Reviewed-by: Flavio Leitner <fbl@redhat.com> Acked-by: Justin Pettit <jpettit@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
Jarno Rajahalme [Tue, 6 Jan 2015 19:10:42 +0000 (11:10 -0800)]
miniflow: Use 64-bit data.
So far the compressed flow data in struct miniflow has been in 32-bit
words with a 63-bit map, allowing for a maximum size of struct flow of
252 bytes. With the forthcoming Geneve options this is not sufficient
any more.
This patch solves the problem by changing the miniflow data to 64-bit
words, doubling the flow max size to 504 bytes. Since the word size
is doubled, there is some loss in compression efficiency. To counter
this some of the flow fields have been reordered to keep related
fields together (e.g., the source and destination IP addresses share
the same 64-bit word).
This change should speed up flow data processing on 64-bit CPUs, which
may help counterbalance the impact of making the struct flow bigger in
the future.
Classifier lookup stage boundaries are also changed to 64-bit
alignment, as the current algorithm depends on each miniflow word to
not be split between ranges. This has resulted in new padding (part
of the 'mpls_lse' field).
The 'dp_hash' field is also moved to packet metadata to eliminate
otherwise needed padding there. This allows the L4 to fit into one
64-bit word, and also makes matches on 'dp_hash' more efficient as
misses can be found already on stage 1.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Jarno Rajahalme [Tue, 6 Jan 2015 21:48:54 +0000 (13:48 -0800)]
hash: Make basis of hash_words64() 32 bits.
The basis of hash_words64() was 64 bits, even when the hash value is
32 bits, thus confusing the domain and the range of the function.
This patch fixes this by making the basis a uint32_t.
Suggested-by: Ben Pfaff <blp@nicira.com> Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Alex Wang [Mon, 29 Dec 2014 22:10:56 +0000 (14:10 -0800)]
ofproto-dpif: Do not allow recirc_id freed by non-owning ofproto.
This commit changes the VLOG_ERR (for warning unmatched ofproto)
in ofproto_dpif_free_recirc_id() to an assert statement, so that
recirc_id is never allowed to be freed by non-owning ofproto.
Suggested-by: Ben Pfaff <blp@nicira.com> Signed-off-by: Alex Wang <alexw@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Tue, 6 Jan 2015 17:27:32 +0000 (09:27 -0800)]
ofproto: Don't count hidden rules in table stats.
The hidden rules created by in-band control and fail-open should not be
included in the table stats reported via OpenFlow. I seem to recall that
this was done correctly in some previous version but it has broken since
then. This commit fixes the problem and adds a test that should make it
harder to break again in the future.
Ben Pfaff [Fri, 2 Jan 2015 22:54:50 +0000 (14:54 -0800)]
datapath: Consistently include VLAN header in flow and port stats.
Until now, when VLAN acceleration was in use, the bytes of the VLAN header
were not included in port or flow byte counters. They were however
included when VLAN acceleration was not used. This commit corrects the
inconsistency, by always including the VLAN header in byte counters.
Previous discussion at
http://openvswitch.org/pipermail/dev/2014-December/049521.html
Thomas Graf [Mon, 5 Jan 2015 15:22:56 +0000 (16:22 +0100)]
vagrant: Provide basic Vagrantfile
This is a basic Vagrantfile which compiles and provisions the local OVS
source tree in a Fedora 20 VM. The Vagrantfile.in can be extended to
support additional distributions.
To use this Vagrantfile:
1. Install Vagrant plus a compatible hypervisor
2. Run configure to translate Vagrantfile.in to Vagrantfile
3. Run `vagrant up` to create & provision the VM
4. Run `vagrant ssh` to log into the VM
Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Kyle Mestery <mestery@mestery.com>
Shu Shen [Sat, 3 Jan 2015 07:14:30 +0000 (23:14 -0800)]
travis: support versioning of DPDK and options to specify git repo and tag
Use DPDK_VER to specify the version of DPDK, and DPDK_GIT to specify
the URL of the DPDK git repository.
Both flags require "DPDK=1" and "--with-dpdk" shall no longer be
specified as part of "OPTS" environment.
Example uses:
- skip both flags to use v1.7.1 tarball from dpdk.org as before:
KERNEL=3.17.4 DPDK=1
- specify DPDK_VER only to use a version of tarball from dpdk.org:
KERNEL=3.17.4 DPDK=1 DPDK_VER=1.7.1
- specify both DPDK_VER and DPDK_GIT to check out the tag "v$DPDK_VER"
from the git repository "$DPDK_GIT":
KERNEL=3.18 DPDK=1 DPDK_VER=1.7.1sp1 DPDK_GIT=https://github.com/shushen/dpdk
Signed-off-by: Shu Shen <shu.shen@radisys.com> Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Alex Wang [Sun, 4 Jan 2015 00:09:07 +0000 (16:09 -0800)]
FreeBSD: Fix build failure.
This commit fixes an include dependency for header ip6.h, on
FreeBSD. Without this commit, the gmake of ovs master on
FreeBSD will result in the following error.
/usr/include/netinet/ip6.h:82: error: field 'ip6_src' has incomplete type
/usr/include/netinet/ip6.h:83: error: field 'ip6_dst' has incomplete type
Signed-off-by: Alex Wang <alexw@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Thu, 1 Jan 2015 22:40:44 +0000 (14:40 -0800)]
ofproto: Omit hidden tables from "next tables".
Hidden tables are intended to be concealed from OpenFlow, but their
presence leaked through the "next tables" and "instructions" in the OF1.3+
table features reply. This fixes the problem.
Reported-by: "Ronaldo A. Ferreira" <ronaldof@CS.Princeton.EDU> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
Neil McKee [Tue, 16 Dec 2014 22:42:05 +0000 (14:42 -0800)]
sflow: Export OVS datapath performance counters via sFlow.
The OVS cache hit/miss counters and memory/CPU usage statistics have been
identified as important metrics when managing large deployments. This patch
allows them to be pushed periodically as part of the sFlow feed, and
represents a more efficient and scalable alternative to polling via
ovs-dpctl(1).
Signed-off-by: Neil McKee <neil.mckee@inmon.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Sorin Vinturis [Mon, 22 Dec 2014 15:06:34 +0000 (15:06 +0000)]
datapath-windows: Release WFP allocated objects
Filter and sublayer WFP objects are created when the filter attach routine
is called and the tunnel filter is initialized, and they are released
in the uninitialize part. But the release part is done indirectly, through
the FwpmEngineClose function call which releases the latter objects when
the tunnel is uninitialized at filter detach.
We need to properly release the created objects and not rely that
FwpmEngineClose function does this for us, because if we decide to keep
the engine opened past the filter detach those objects will continue to
exist.
Even though the FwpmEngineClose function releases the latter objects, we
still need this and the reason will become obvious in the next patch.
Sorin Vinturis [Thu, 11 Dec 2014 12:51:36 +0000 (12:51 +0000)]
datapath-windows: Cleanup OVS
Removed duplicate include of "Switch.h" header.
Removed useless usage of UNREFERENCED_PARAMETER macro for a
referenced parameter.
Added debug logs for dropped packets.
Alex Wang [Mon, 13 Oct 2014 01:18:47 +0000 (18:18 -0700)]
dpif-netdev: Add per-pmd flow-table/classifier.
This commit changes the per dpif-netdev datapath flow-table/
classifier to per pmd-thread. As direct benefit, datapath
and flow statistics no longer need to be protected by mutex
or be declared as per-thread variable, since they are only
written by the owning pmd thread.
As side effects, the flow-dump output of userspace datapath
can contain overlapping flows. To reduce confusion, the dump
from different pmd thread will be separated by a title line.
In addition, the flow operations via 'ovs-appctl dpctl/*'
are modified so that if the given flow in_port corresponds
to a dpdk interface, the operation will be conducted to all
pmd threads recv from that interface (except for flow-get
which will always be applied to non-pmd threads).
Signed-off-by: Alex Wang <alexw@nicira.com> Tested-by: Mark D. Gray <mark.d.gray@intel.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Pravin B Shelar [Mon, 22 Dec 2014 12:53:02 +0000 (04:53 -0800)]
datapath: Simplify vport_send() error handling.
Today vport-send has complex error handling because it involves
freeing skb and updating stats depending on return value from
vport send implementation.
This can be simplified by delegating responsibility of freeing
skb to the vport implementation for all cases. So that
vport-send needs just update stats.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
Alex Wang [Tue, 23 Dec 2014 08:50:10 +0000 (00:50 -0800)]
test: Fix intermittent failure.
This commit fixes the intermittent failure of test (ofproto-dpif,
balance-tcp bonding, different recirc flow), by waiting for all
bond interfaces to be enabled.
Signed-off-by: Alex Wang <alexw@nicira.com> Acked-by: Joe Stringer <joestringer@nicira.com>
Alex Wang [Tue, 23 Dec 2014 18:20:50 +0000 (10:20 -0800)]
recirculation: RCU postpone the free of dpif_backer_recirc_node.
This commit RCU postpones the free of 'struct dpif_backer_recirc_node',
after it is removed from the cmap. This is because other threads may
be accessing the struct at the same time.
Signed-off-by: Alex Wang <alexw@nicira.com> Acked-by: Ethan Jackson <ethan@nicira.com>
Alex Wang [Wed, 17 Dec 2014 02:47:27 +0000 (18:47 -0800)]
recirculation: Map recirc_id to ofproto_dpif.
After commit 0c7812e5e (recirculation: Do not drop packet when
there is no match from internal table.), if flow keys are modified
before the recirculation action (e.g. set vlan ID), the miss
handling of recirc'ed packets may not reach the intended
'ofproto_dpif' which has rules looking up the 'recirc_id's,
causing drops.
This commit adds a unit test that captures this bug. Moreover,
to solve this bug, this commit checks mapping between 'recirc_id'
and the corresponding 'ofproto_dpif', and makes sure that the
miss handling of recirc'ed packets are done with the correct
'ofproto_dpif'.
Signed-off-by: Alex Wang <alexw@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Jarno Rajahalme [Mon, 22 Dec 2014 19:31:18 +0000 (11:31 -0800)]
ofproto: Reject slave controllers for bundle messages.
Slave controllers are rejected for flow and port mod messages, so they
should also be rejected for bundles (that require support at least for
flow and port mod messages).
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Jarno Rajahalme [Mon, 22 Dec 2014 19:31:18 +0000 (11:31 -0800)]
rconn: Make OF 1.4 bundle messages 'admitted'.
Use of OF 1.4 bundle messages by a controller should indicate that the
controller has decided to use the switch, hence make is_admitted_msg()
return 'true' for them.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Joe Stringer [Wed, 17 Dec 2014 01:44:40 +0000 (17:44 -0800)]
dpif: Shift ufid support checking up to dpif_backer.
Previously, the dpif layer was responsible for determining datapath
support for UFIDs, which resulted in all ovs-dpctl utilities
inserting/deleting flows from the datapath each time they are run.
Shift this responsibility up to the dpif_backer.
There are two users of this functionality: Revalidators check for UFID
support to request a terser dump using UFIDs, and dpif-netlink uses this
to request flow_del operations to only return the UFID/stats. The latter
case was previously hidden from revalidators, but this change makes them
aware of it, and reuses the same "udpif->enable_ufid" flag for reducing
overhead of both flow dump and flow delete.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com>
Joe Stringer [Wed, 17 Dec 2014 02:40:50 +0000 (18:40 -0800)]
odp-util: Fix UFID string parsing.
Commit 534a19b (dpctl: Add support for using UFID to add/del flows.)
introduced string parsing functions for UFIDs, but provided a broken
implementation where the upper 64 bits would be ignored, then the lower
64 bits would be read into both the lower and upper UFID positions. Fix
the implementation to read the upper bits properly.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com>
Pravin B Shelar [Fri, 19 Dec 2014 09:55:45 +0000 (01:55 -0800)]
datapath: Fix MPLS action validation.
Linux stack does not allow GSO for packets with multiple
encapsulations. Therefore there was a check in MPLS action
validation to detect such a case, but it is better to add
such a check at run time to detect such cases.
Removing this check also fixes a bug in action copy to not skip
multiple set actions.
Pravin B Shelar [Tue, 25 Nov 2014 15:39:20 +0000 (07:39 -0800)]
ofproto-dpif: Fix MPLS multiple Push pop action.
vSwitchd does not generate correct MPLS actions for multiple
MPLS push or pop actions.
Datapath can handle multiple push actions in a single action list.
But after the first MPLS pop it needs to recirculate the packet to
refill the packet key. The following patch fixes it accordingly.
Reported-by: Stefano Salsano <stefano.salsano@uniroma2.it> Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Tested-by: Pier Luigi Ventre <pl.ventre@gmail.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Joe Stringer [Wed, 10 Dec 2014 19:20:10 +0000 (11:20 -0800)]
revalidator: Don't delete non-existent flow.
If ukey_acquire() returns ENOENT, then it is unable to locate the ukey
corresponding to the flow and the flow has disappeared since it was
dumped. Don't bother deleting the flow in this case, as it will fail.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
For containers containing multiple ports and spawned by
orchestrators without openflow flows configured, it can be quite
useful to distinguish their traffic with vlans. This can be useful
when containers are spawned inside VMs instead of hypervisors.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
ovs-docker currently lets one add the ability to set the
IP address on an OVS interface. Ability to set the default
gateway too can be a useful addition. (orchestrators
who plan to use OVS interfaces can do this from a single
utility instead of multiple utilities)