Ariel Waizel [Tue, 15 Nov 2016 09:49:47 +0000 (01:49 -0800)]
ovs-router: Fix selection of source IP address when a gateway ip is introduced
When adding a VXLAN tunnel that connects to a VTEP residing in a different IP
network, the tunnel source ip needs to be selected by best fit (longest
matching netmask), based on the destination VTEP ip, and the specific route's
gateway ip.
A bug in ovs-router.c made the source ip be decided based only on the
destination ip. Thus, if all source ips available to OVS and the destination ip
are in different ip networks - no source ip is selected, and an error is
returned.
This error occurred when using OVS-DPDK and configuring a VXLAN tunnel, where
source ip and destination ip are in different networks, and a gateway ip was in
place for the specific route.
The fix tries to match a source ip based on the gateway ip, if no matching
source ip was found based on the destination ip. This way, the gateway becomes
the first hop only if the tunnel crosses between ip networks.
Signed-off-by: Ariel Waizel <ariel.waizel@hpe.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
When iterating on getifaddrs result, ifa_netmask is dereferenced, but it's
already a pointer to struct sockaddr. This would result in wrong masks being
used when comparing addresses while calculating the source address given a
destination address at the routing code.
For example, the mask ::ffff:116.85.0.0 would be used, causing 172.16.100.0/24
to match 172.16.101.1, though they should not match.
This will not happen when using a dummy netdev, as netdev_get_addrs is not used
by it.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
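To make the two ovs-router fixes above concrete, here is an added example that is not OVS code: a minimal IPv4 source-address selection that does longest-prefix matching against the destination, falls back to matching the route's gateway as the first commit describes, and walks getifaddrs() casting ifa_addr and ifa_netmask as the `struct sockaddr *` they already are, which is the mistake the second commit fixes. The candidate table, the addresses in it and all function names are constructed for illustration and do not come from ovs-router.c.

```c
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

/* One IPv4 address configured on the host, kept in network byte order. */
struct src_candidate {
    struct in_addr addr;
    struct in_addr mask;
};

/* True when a and b fall in the same network under mask. */
static bool same_network(struct in_addr a, struct in_addr b, struct in_addr mask)
{
    return (a.s_addr & mask.s_addr) == (b.s_addr & mask.s_addr);
}

/* Prefix length of a contiguous netmask (255.255.255.0 -> 24). */
static int mask_prefix_len(struct in_addr mask)
{
    return __builtin_popcount(ntohl(mask.s_addr));
}

/* Longest-prefix match of 'target' against the candidates.  Returns the
 * index of the best candidate, or -1 when none shares a network with it. */
static int best_match(const struct src_candidate *c, size_t n, struct in_addr target)
{
    int best = -1, best_len = -1;
    for (size_t i = 0; i < n; i++) {
        int len = mask_prefix_len(c[i].mask);
        if (same_network(c[i].addr, target, c[i].mask) && len > best_len) {
            best_len = len;
            best = (int) i;
        }
    }
    return best;
}

/* Pick the tunnel source for 'dst_s'.  If no local address shares a network
 * with the destination, fall back to matching the route's gateway 'gw_s'
 * (may be NULL), so the gateway is the first hop only when the tunnel
 * crosses networks.  Fills 'out' when non-NULL; returns the index or -1. */
int select_source_ip(const struct src_candidate *c, size_t n, const char *dst_s,
                     const char *gw_s, char *out, size_t outlen)
{
    struct in_addr dst, gw;
    if (inet_pton(AF_INET, dst_s, &dst) != 1) return -1;
    int idx = best_match(c, n, dst);
    if (idx < 0 && gw_s && inet_pton(AF_INET, gw_s, &gw) == 1) {
        idx = best_match(c, n, gw);
    }
    if (idx >= 0 && out) inet_ntop(AF_INET, &c[idx].addr, out, outlen);
    return idx;
}

/* Read the host's IPv4 addresses with getifaddrs(3).  ifa_addr and ifa_netmask
 * are already 'struct sockaddr *': cast them, never pass their dereferenced
 * value where a pointer is expected (the mask bug the commit above fixes). */
size_t collect_ipv4_addrs(struct src_candidate *out, size_t max)
{
    struct ifaddrs *ifap, *ifa;
    size_t n = 0;
    if (getifaddrs(&ifap) != 0) return 0;
    for (ifa = ifap; ifa && n < max; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr || !ifa->ifa_netmask
            || ifa->ifa_addr->sa_family != AF_INET) continue;
        out[n].addr = ((struct sockaddr_in *) ifa->ifa_addr)->sin_addr;
        out[n].mask = ((struct sockaddr_in *) ifa->ifa_netmask)->sin_addr;
        n++;
    }
    freeifaddrs(ifap);
    return n;
}

/* Constructed stand-in for a host's addresses (sample data, not a real box). */
static size_t sample_candidates(struct src_candidate *c, size_t max)
{
    static const char *addrs[][2] = {
        { "10.0.0.5", "255.255.255.0" },
        { "172.16.100.7", "255.255.255.0" },
        { "192.168.0.3", "255.255.0.0" },
    };
    size_t n = sizeof addrs / sizeof addrs[0];
    if (n > max) n = max;
    for (size_t i = 0; i < n; i++) {
        inet_pton(AF_INET, addrs[i][0], &c[i].addr);
        inet_pton(AF_INET, addrs[i][1], &c[i].mask);
    }
    return n;
}

/* Run the selection over the constructed table; 'out' may be NULL. */
int demo_select(const char *dst, const char *gw, char *out, size_t outlen)
{
    struct src_candidate c[8];
    return select_source_ip(c, sample_candidates(c, 8), dst, gw, out, outlen);
}
```

With the sample table, `demo_select("172.16.101.1", NULL, ...)` finds nothing, which is the error the first commit describes, while `demo_select("172.16.101.1", "172.16.100.254", ...)` picks 172.16.100.7 through the gateway. Replace `sample_candidates()` with `collect_ipv4_addrs()` to run it against the real host; with a garbage mask such as the `::ffff:116.85.0.0` quoted in the second commit, `same_network()` would report false matches exactly as described.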
qos_conf can be NULL. This can be easily reproduced by setting egress
QoS on a port:
```
ovs-vsctl set port dpdk2 qos=@newqos -- --id=@newqos create qos
type=egress-policer other-config:cir=46000000 other-config:cbs=2048
```
Reported-by: Ian Stokes <ian.stokes@intel.com>
Fixes: 78bd47cf44a5 ("netdev-dpdk: Use RCU for egress QoS.")
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Tested-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Ian Stokes <ian.stokes@intel.com>
This patch increases the number of packets processed in a batch during a
lookup from 16 to 32. Processing batches of 32 packets improves
performance and also one of the internal loops can be avoided here.
Signed-off-by: Bhanuprakash Bodireddy <bhanuprakash.bodireddy@intel.com>
Co-authored-by: Antonio Fischetti <antonio.fischetti@intel.com>
Signed-off-by: Antonio Fischetti <antonio.fischetti@intel.com>
Acked-by: Jarno Rajahalme <jarno@ovn.org>
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Jarno Rajahalme [Mon, 14 Nov 2016 21:24:55 +0000 (13:24 -0800)]
ofproto: Return the OFPC_BUNDLES bit in switch features reply.
Add definitions for the OpenFlow 1.4.1/1.5 specific capabilities bits
OFPC14_BUNDLES and OFPC14_FLOW_MONITORING. Return the bundles
capability bit in switch features reply.
Reported-by: Andrej Leitner <andrej.leitner@pantheon.tech>
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Lance Richardson [Mon, 14 Nov 2016 18:44:42 +0000 (13:44 -0500)]
ovn-sbctl: document logging and common options in man page
ovn-sbctl is currently missing a description of logging and
common (-h/--help/-V/--version) command-line options. Add them
by including corresponding man page fragments.
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
When iterating the list of mrouters, skip any that are not on the same
vlan as the multicast packet to be forwarded. This bug was causing
duplicate packets when more than one mrouter was behind a trunk port.
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2016-November/042938.html
Signed-off-by: Darragh O'Reilly <darragh.oreilly@hpe.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Zhang Dongya [Mon, 14 Nov 2016 03:24:26 +0000 (19:24 -0800)]
datapath: compat: vxlan: Avoid possible NULL dereference in vxlan_gro_receive.
With a Linux kernel for which the HAVE_UDP_OFFLOAD_ARG_UOFF macro is not
detected, struct vxlan_sock *vs will be NULL, which will make the kernel
crash when receiving a VXLAN packet that has the RCO flag turned on, or
even an invalid packet destined to the VXLAN port that has the bit set in
the RCO flag position.
Signed-off-by: Zhang Dongya <fortitude.zhang@gmail.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Shashank Ram [Fri, 11 Nov 2016 00:38:05 +0000 (16:38 -0800)]
datapath-windows: Fix the isActivated flag in OvsActivateSwitch
Previously, the driver would enter a deadlock because
the OvsInitConfiguredSwitchNics() function would wait
till the switchContext->isActivated flag was set.
Russell Bryant [Sat, 29 Oct 2016 16:12:03 +0000 (18:12 +0200)]
release: Propose a shorter release cycle for 2.7.
OVS recently adopted a six month release cycle. OVS doesn't
have to align to other projects, but it can be beneficial.
The dates for OVS 2.6 aligned very well to OpenStack,
which is a major consumer of OVS that usually does 6 month releases.
OpenStack is doing a short release cycle for its Ocata release
to adjust to changes to their event schedule.
As a result, I propose that we adjust the schedule for OVS 2.7 to remain
just ahead of OpenStack. The specific target dates for 2.7 I propose
would be:
branch-2.7 created - Jan 11, 2017
2.7.0 released from branch-2.7 - Feb 8, 2017
The key differences are moving the release date from March to February
and also shortening the period between branch creation and release to
account for the shorter development cycle.
This patch also adjusts the release cycle target dates to indicate
February as the target release month instead of March.
Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Russell Bryant [Fri, 11 Nov 2016 02:36:55 +0000 (21:36 -0500)]
ovn-trace: Note that no match means drop.
ovn-trace will tell you when a packet processing ends because no flow is
matched in a given logical flow table. Update the output to clarify that
when this occurs, the packet is implicitly dropped.
The output now looks like this:
```
ingress(dp="sw0", inport="sw0-port1")
-------------------------------------
0. ls_in_port_sec_l2: no match (implicit drop)
```
Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
gwind [Thu, 10 Nov 2016 08:33:37 +0000 (16:33 +0800)]
rhel: python-six is required in the build process
The build error log is:
```
Traceback (most recent call last):
Traceback (most recent call last):
  File "./ovsdb/ovsdb-idlc.in", line 8, in <module>
    import ovs.json
  File "/root/rpmbuild/BUILD/openvswitch-2.6.1/python/ovs/json.py", line 21, in <module>
    import six
ImportError: No module named six
```
Submitted-at: https://github.com/openvswitch/ovs/pull/162
Signed-off-by: Jian Li <lijian@ooclab.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
Russell Bryant [Thu, 10 Nov 2016 20:48:23 +0000 (15:48 -0500)]
ovn-trace: Print stage name even without match.
Given a simple OVN configuration and a sample packet that fails to match
an L2 destination lookup flow, the output of ovn-trace looks something
like this:
```
ingress(dp="sw0", inport="sw0-port1")
-------------------------------------
0. ls_in_port_sec_l2 (ovn-northd.c:2827): inport == "sw0-port1" && eth.src == {00:00:00:00:00:01}, priority 50
    next(1);
13. no match
```
In this case, I think it is helpful to still display the name of the
pipeline stage where we failed to match a flow. This patch adds
that to the output. This patch assumes that we always use the
same stage name for a given table ID in a given datapath, but I'm
pretty sure that is always true.
```
ingress(dp="sw0", inport="sw0-port1")
-------------------------------------
0. ls_in_port_sec_l2 (ovn-northd.c:2827): inport == "sw0-port1" && eth.src == {00:00:00:00:00:01}, priority 50
    next(1);
13. ls_in_l2_lkup: no match
```
Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Fri, 7 Oct 2016 16:00:13 +0000 (09:00 -0700)]
ovn-nb: Document the syntax for an address set name.
Also, it is not necessary to specify that the name must be unique because
the schema documentation generator does that for us.
Reported-by: Kevin Lin <kevinlin@berkeley.edu>
Reported-at: http://openvswitch.org/pipermail/dev/2016-October/080386.html
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Russell Bryant <russell@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Russell Bryant [Sat, 5 Nov 2016 01:22:02 +0000 (21:22 -0400)]
Add .mailmap file.
Create a .mailmap file as described in git-shortlog(1). This is used to
map commits that contain different names or email addresses to the same
person.
This file will automatically be used by git-shortlog. It can also be
used by other commands, such as git-log by providing the --use-mailmap
option.
Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
There's a mishmash of absolute and relative URLs, but these will be
resolved by the move to Sphinx.
In addition, the URLs pointing to the test scripts are removed as they
will break when we move to Sphinx. This is because they won't be
published with the Sphinx docs, ruling out relative links, and OVS
evolves too fast to rely on non-breaking links to GitHub. Better to
rely on shell examples like we do elsewhere and let the user figure it
out.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Russell Bryant <russell@ovn.org>
OVN currently supports multiple gateway routers (residing on
different chassis) connected to the same logical topology.
When external traffic enters the logical topology, it can enter
from any gateway router and reach its eventual destination. This
is achieved with proper static routes configured on the gateway
routers.
But when traffic is initiated in the logical space by a logical
port, we do not have a good way to distribute that traffic across
multiple gateway routers.
This commit introduces one particular way to do it. Based on the
source IP address or source IP network of the packet, we can now
jump to a specific gateway router.
This is very useful for a specific use case of Kubernetes.
When traffic is initiated inside a container heading to outside world,
we want to be able to send such traffic out through the gateway router
residing on the same host as the container. Since each
host gets a specific subnet, we can use source IP address based
policy routing to decide on the gateway router.
Rationale for using the same routing table for both source and
destination IP address based routing:
Some hardware network vendors support policy routing in a different table
on arbitrary "match". And when a packet enters, if there is a match
in policy based routing table, the default routing table is not
consulted at all. In case of OVN, we mainly want policy based routing
for north-south traffic. We want east-west traffic to flow as-is. Creating
a separate table for policy based routing complicates the configuration
quite a bit. For example, if we have a source IP network based rule added,
to decide a particular gateway router as a next hop, we should add rules at
a higher priority for all the connected routes to make sure that east-west
traffic is not affected in the policy based routing table itself.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
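An added example, not ovn-northd code, to make the single-table rationale above concrete: one routing table holds both connected destination routes and source-based policy routes, beside a two-table variant where a hit in the policy table ends the lookup, as the commit says some hardware does. The pod subnets, gateway names and the tie-break rule (at equal prefix length a destination route outranks a source route, which is what keeps connected east-west traffic out of the policy routes) are this example's assumptions, not taken from OVN.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum route_kind { ROUTE_DST, ROUTE_SRC };

struct route {
    enum route_kind kind;   /* match on the packet's destination or source */
    const char *prefix;     /* network, dotted quad */
    int plen;
    const char *next_hop;   /* NULL: connected network, deliver directly */
};

/* Constructed table for one logical router: two connected pod subnets (one
 * per Kubernetes host), a default route, and one source-based policy route
 * per host subnet steering egress to that host's gateway router. */
static const struct route table[] = {
    { ROUTE_DST, "10.1.0.0", 24, NULL },
    { ROUTE_DST, "10.2.0.0", 24, NULL },
    { ROUTE_DST, "0.0.0.0", 0, "gw-default" },
    { ROUTE_SRC, "10.1.0.0", 24, "gw-host-a" },
    { ROUTE_SRC, "10.2.0.0", 24, "gw-host-b" },
};
#define N_ROUTES (sizeof table / sizeof table[0])

/* True when addr_s lies within net_s/plen. */
static bool prefix_match(const char *addr_s, const char *net_s, int plen)
{
    struct in_addr a, n;
    if (inet_pton(AF_INET, addr_s, &a) != 1 || inet_pton(AF_INET, net_s, &n) != 1) {
        return false;
    }
    uint32_t mask = plen ? htonl(0xffffffffu << (32 - plen)) : 0;
    return (a.s_addr & mask) == (n.s_addr & mask);
}

/* Longest prefix wins.  At equal length a destination route outranks a
 * source route, so a connected east-west route is never shadowed by a
 * policy route of the same length.  (Tie-break chosen for this example.) */
static int route_priority(const struct route *r)
{
    return r->plen * 2 + (r->kind == ROUTE_DST ? 1 : 0);
}

static const char *hop_name(const struct route *r)
{
    return !r ? "drop" : r->next_hop ? r->next_hop : "direct";
}

/* Single-table lookup: source and destination routes compete by priority. */
const char *lookup(const char *src, const char *dst)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < N_ROUTES; i++) {
        const struct route *r = &table[i];
        const char *key = r->kind == ROUTE_DST ? dst : src;
        if (prefix_match(key, r->prefix, r->plen)
            && (!best || route_priority(r) > route_priority(best))) {
            best = r;
        }
    }
    return hop_name(best);
}

/* Contrast: a separate policy table consulted first.  A policy hit ends the
 * lookup, so unless every connected route is duplicated at higher priority
 * into the policy table, east-west traffic from a pod subnet is sent to the
 * gateway instead of being delivered directly. */
const char *lookup_separate_tables(const char *src, const char *dst)
{
    const struct route *best = NULL;
    for (int pass = 0; pass < 2 && !best; pass++) {
        enum route_kind want = pass == 0 ? ROUTE_SRC : ROUTE_DST;
        for (size_t i = 0; i < N_ROUTES; i++) {
            const struct route *r = &table[i];
            const char *key = r->kind == ROUTE_DST ? dst : src;
            if (r->kind == want && prefix_match(key, r->prefix, r->plen)
                && (!best || r->plen > best->plen)) {
                best = r;
            }
        }
    }
    return hop_name(best);
}
```

With the single table, `lookup("10.1.0.5", "10.2.0.8")` stays `direct` (east-west) while `lookup("10.1.0.5", "8.8.8.8")` goes to `gw-host-a` (north-south from host A's pods), and return traffic entering from outside still follows the connected routes. The two-table variant sends the same east-west packet to `gw-host-a`, which is the configuration burden the commit describes.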
ovn-controller: Container can have connection to a hosting VM.
A Container running inside a VM can have a connection to the
hosting VM (parent port) in the logical topology (e.g., via a router).
So we should be able to loop-back into the same VM, even if the
final packet delivered does not have any tags in it.
Add a connection table to the southbound db schema, similar
to the Open_vSwitch "Manager" table.
Add tests for pssl: and ptcp: read-only connection types.
Add support to ovn-sbctl for listing the SB Connection table.
Potential future work:
- Test cases for other connection types (punix, ssl, tcp, unix).
- SSL configuration table for southbound db.
- Connection table for NB schema.
- Add a way to specify a read-only connection as an ovsdb-server
command-line option.
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Pravin B Shelar [Tue, 1 Nov 2016 19:06:15 +0000 (12:06 -0700)]
datapath: geneve: Handle vlan tag
The compat vlan code ignores vlan tag for inner packet
on egress path. Following patch fixes this by inserting the
tag for inner packet before tunnel encapsulation.
Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Ben Pfaff [Mon, 31 Oct 2016 21:33:13 +0000 (14:33 -0700)]
ofproto-dpif: Log warning when ct action or its variants are not supported.
Some datapaths do not support the ct action, and others support only a
subset of its features. Until now, it has been difficult to tell why a
particular action is being rejected. This commit should make it clearer.
Reported-by: Kevin Lin <kevinlin@berkeley.edu>
Reported-at: http://openvswitch.org/pipermail/discuss/2016-October/023060.html
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
When vxlan device is closed vxlan socket is freed. This
operation can race with vxlan-xmit function which
dereferences vxlan socket. Following patch uses RCU
mechanism to avoid this situation.
Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Pravin B Shelar [Sun, 30 Oct 2016 04:33:06 +0000 (21:33 -0700)]
lisp: avoid using stale lisp socket.
This patch is similar to earlier vxlan patch.
Lisp device close operation frees lisp socket. This
operation can race with lisp-xmit function which
dereferences lisp socket. Following patch uses RCU
mechanism to avoid this situation.
Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
This patch is similar to earlier vxlan patch.
Geneve device close operation frees geneve socket. This
operation can race with geneve-xmit function which
dereferences geneve socket. Following patch uses RCU
mechanism to avoid this situation.
Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
ifnotifier: do not wake up when there is no db connection
When the bridge uses the interface notifier, it wakes up until a reconfiguration
takes place. However, if there is no connection or a lock contention to the
database, the check for reconfiguration will not take place.
This uses a seq and only seq_wait when checking for the interfaces change.
This is easily reproduced by starting ovs-vswitchd without starting
ovsdb-server, and then creating a new system interface, like using
'ip link add type veth'. ovs-vswitchd will then consume 100% CPU.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Shashank Ram [Mon, 10 Oct 2016 22:15:05 +0000 (15:15 -0700)]
datapath-windows: Set isActivated flag only on success
@Switch.c: Modifies OvsActivateSwitch() function
to mark the switch as activated only if the
status is success. The callers themselves
only call this method when the isActivated
flag is unset.
Mauricio Vasquez [Fri, 21 Oct 2016 04:51:24 +0000 (23:51 -0500)]
doc: v2: fix bad link to dpdk advanced installation guide
Previous fix was also wrong.
Fixes: 167703d ("doc: Convert INSTALL.DPDK to rST")
Signed-off-by: Mauricio Vasquez B <mauricio.vasquez@polito.it>
Acked-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Russell Bryant <russell@ovn.org>
Jarno Rajahalme [Thu, 20 Oct 2016 22:22:14 +0000 (15:22 -0700)]
datapath: Support a fixed size of 128 distinct labels.
Port upstream change in conntrack labels extension. Add a new
configure macro HAVE_NF_CONN_LABELS_WITH_WORDS to detect the old
definition. Unfortunately there is no conntrack API to hide the
difference, so this makes conntrack.c deviate from upstream source
a bit.
netfilter: conntrack: support a fixed size of 128 distinct labels
The conntrack label extension is currently variable-sized, e.g. if
only 2 labels are used by iptables rules then the labels->bits[] array
will only contain one element.
We track size of each label storage area in the 'words' member.
But in nftables and openvswitch we always have to ask for worst-case
since we don't know what bit will be used at configuration time.
As most arches are 64bit we need to allocate 24 bytes in this case:
Make bits a fixed size and drop the words member, it simplifies
the code and only increases memory requirements on x86 when
less than 64bit labels are required.
We still only allocate the extension if its needed.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Flavio Leitner [Tue, 18 Oct 2016 17:04:42 +0000 (15:04 -0200)]
fedora: do not restart the service on a pkg upgrade
There is no reliable way to restore the previous networking
state after a service restart. Many things like firewall
configuration, traffic shaping, stacked devices, custom setups
are completely out of OVS control.
The OVS might be providing the network used for remote
administration, so do not automatically restart the service
during a package upgrade.
Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>