Ben Pfaff [Tue, 20 Apr 2010 20:58:24 +0000 (13:58 -0700)]
in-band: Avoid magic number in refresh_remotes().
The initial value of min_refresh() can only matter if there are no remotes,
in which case there is nothing to refresh anyhow. So avoid the magic
number "10" as the initial minimum, since it has no real significance.
Ben Pfaff [Tue, 20 Apr 2010 20:58:40 +0000 (13:58 -0700)]
in-band: Better adapt to new rconn usage pattern.
Previously, in-band control was always handed a single rconn whose remote
target changed as the selected controller was changed or added or removed.
Now, however, the rconns handed to in-band control never change their
remote IP targets (instead, new rconns are added and old ones are removed),
so there is no point in looking for changes in remote IP address.
The veth driver doesn't clean itself up very well when removed. This
commit destroys any outstanding veth devices and then unregisters its
sysfs entry.
datapath: Define kmemdup() for kernels older than 2.6.19
The new GRE code requires the kmemdup function, but it's not available
on 2.6.18 kernels. It has been backported to Xen, so only define it for
non-Xen kernels older than 2.6.19.
xenserver: Set internal network-uuids in Bridge table on XS5.5
On XenServer 5.5, interface-reconfigure is not called when creating
internal bridges, so we jump through extra hoops to determine the
network UUIDs. The code that handled this was not properly retrieving
the UUIDs from XAPI, so the field would never be set. This commit
corrects that.
The translation of fragmentation-needed messages from outside the
tunnel to inside didn't quite make the transition from the old
GRE implementation to the new one intact. This fixes a number of
minor bugs in the implmentation. The primary issues are with computing
the tunnel header length and comparing the input vs. output values
for tunnel parameters such as the key.
Ben Pfaff [Tue, 20 Apr 2010 20:41:53 +0000 (13:41 -0700)]
in-band: Refresh both local and remote rules even if local rules change.
This code should call refresh_remotes() even if refresh_local() returns
true. That is, the normal C short-circuit evaluation of || is not desired
here. So always call both.
Ben Pfaff [Tue, 20 Apr 2010 18:00:58 +0000 (11:00 -0700)]
ofproto: Add support for master/slave controller coordination.
Now that Open vSwitch has support for multiple simultaneous controllers,
there is some need for a degree of coordination among them. For now, the
plan is for the controllers themselves to take the lead on this. This
commit adds a small bit of OVS infrastructure: the ability for a controller
to designate itself as a "master" or a "slave". There may be at most one
master at a time; when a controller designates itself as the master, then
any existing master is demoted to slave status. Slave controllers are not
allowed to modify the flow table or global configuration; any attempt to
do so is rejected with a "bad request" error.
Ben Pfaff [Tue, 20 Apr 2010 17:43:42 +0000 (10:43 -0700)]
Add support for multiple OpenFlow controllers on a single bridge.
With this commit, Open vSwitch permits a bridge to have any number of
OpenFlow controllers. When multiple controllers are configured, Open
vSwitch connects to all of them simultaneously. Details of configuration
are in the vswitch schema documentation.
OpenFlow 1.0 does not specify how multiple controllers coordinate in
interacting with a single switch, so more than one controller should be
specified only if the controllers are themselves designed to coordinate
with each other.
An upcoming commit will provide a simple means for coordination between
multiple controllers.
Ben Pfaff [Tue, 20 Apr 2010 17:05:57 +0000 (10:05 -0700)]
ofproto: Bundle all controller-related settings into a struct.
Many ofproto settings are controller-related. Upcoming commits will add
to ofproto the ability to support multiple controllers, so it is important
to be able to refer to controller settings as a group. Hence, this commit
bundles them into a new "struct ofproto_controller".
Ben Pfaff [Tue, 6 Apr 2010 22:24:38 +0000 (15:24 -0700)]
in-band: Drop in-band flows when turning off in-band control.
Destroying the in-band control object didn't remove the flows related to
in-band control, so they could persist until another event caused the
flow table to be reset. Changing or removing the controller is one such
event, which would probably happen at the same time as turning off in-band
control, so this is a rather minor flaw, but it still seems good to fix it.
Ben Pfaff [Tue, 6 Apr 2010 00:12:43 +0000 (17:12 -0700)]
in-band: Fix inconsistency in in-band code.
The IBR_TO_LOCAL_ARP and IBR_FROM_LOCAL_ARP flows are dropped if there is
no local MAC. I don't see why IBR_FROM_LOCAL_DHCP should be different, so
this commit adds it too.
Ben Pfaff [Wed, 7 Apr 2010 22:27:35 +0000 (15:27 -0700)]
ofproto: Make valgrind happy.
The "flags" member of struct odp_flow is not used for adding or deleting
flows, but valgrind doesn't know that. By zeroing it out we can suppress
spurious warnings.
Ben Pfaff [Fri, 16 Apr 2010 17:31:05 +0000 (10:31 -0700)]
ovsdb-doc: Distinguish hyphens and minus signs in nroff output.
In nroff, a minus sign (\-) should generally be used in literal text,
whereas hyphens are generally correct elsewhere. This roughly corresponds
to bold versus non-bold text, so this commit makes ovsdb-doc output "-"
that appears in input as a minus sign if it is bold or a hyphen if it is
not.
Ben Pfaff [Mon, 19 Apr 2010 21:37:56 +0000 (14:37 -0700)]
CodingStyle: Drop advice about breaking lines before binary operators.
I like the style that was prescribed here--I find it slightly easier to
read--but everyone else who submits code seems to prefer breaking
lines after binary operators instead. No point in fighting the tide.
Ben Pfaff [Mon, 19 Apr 2010 18:40:32 +0000 (11:40 -0700)]
xenserver: Restore original InterfaceReconfigure*.py on uninstall.
The %post script fragment in the RPM spec was moving aside the original
InterfaceReconfigure{,Bridge,Vswitch}.py scripts, but the %postun was
not restoring them. This commit restores them in %postun.
Without this change, installing the openvswitch RPM on a stock XenServer
and then uninstalling it breaks XenServer networking.
Bug #2624. Reported-by: Ram Jothikumar <rjothikumar@nicira.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
The new GRE implementation provides a complete drop in replacement
for the old Linux based implementation. Therefore, remove the
old implementation and rename "grenew" to "gre".
netdev: Allow get_ifindex and get_features to be null.
Allow netdev providers to set get_ifindex and get_features it
null if they would always return EOPNOTSUPP. This is particuarly
useful for virtual devices.
Jesse Gross [Tue, 30 Mar 2010 22:40:01 +0000 (18:40 -0400)]
netdev-linux: Don't free a member of a struct.
We allocate struct netdev_linux which contains struct netdev but
free the netdev. In practice this makes no difference because the
netdev is the first member of the struct but we should be correct
anyways.
Jesse Gross [Tue, 30 Mar 2010 22:39:20 +0000 (18:39 -0400)]
netdev-linux: Check notifications are for netdev-linux device.
When receiving a change notification from rtnetlink we checked whether
a netdev of that name existed and if so tried to handle it. This also
checks that the type of the device is one handled by netdev-linux.
Add a new vport type that implements GRE support inside of the
datapath instead of relying on Linux devices. This provides
greater scalability, performance, and control.
The new GRE implementation supports nearly all features of the
Linux implementation. It does not currently support multicast,
NBMA tunnels, or non-Ethernet devices.
This implementation of GRE has several important benefits over the
existing Linux implementation. The first is simply that is not a
Linux device. Linux devices are fairly heavy weight both in terms
of memory consumption and interactions with the rest of the system
(notifications, processes polling, etc.). There are many pieces of
code that make assumptions about the maximum reasonable number of
ports. Simply maintaining the state of several thousand devices is
enough to full occupy the CPU.
A tighter coupling between the GRE implementation and datapath
also allows more flexibility. The key can be set and retrieved
from the flow table, which allows even greater scalability.
There will probably be additional use cases in the future.
Some kernels don't copy the checksum offload state in the skb
header when doing different types of copies. Xen adds even more
fields, which are also not consistently copied. The result is
uninitialized memory and random outcomes. This adds a function to
consistently copy these bits across all kernel versions.
Later kernel versions remove the direction argument from
skb_checksum_help. This provides a compatibility function so we
can have consistent syntax across versions.
Since CHECKSUM_PARTIAL is the same as CHECKSUM_HW on older kernels
this allows a unified code path for computing checksums.
Currently the flow hash table assumes that it is storing flows.
However, we will need additional types of hash tables in the
future so remove assumptions about flows and convert the datapath
to use the new table.
dpif-linux: Clean up vports that are no longer in config.
If the config changes while ovs-vswitchd is not running it is possible
that there could be some vports which are no longer needed but won't
be destroyed when closed because they aren't open. This deletes
unneeded vports at the same time that we clean up unneeded datapaths.
Add netdev_is_open(), which checks to see if a given netdev is
currently open. It will be used to assist in cleaning up old ports
that are no longer in use.
Currently the datapath directly accesses devices through their
Linux functions. Obviously this doesn't work for virtual devices
that are not backed by an actual Linux device. This creates a
new virtual port layer which handles all interaction with devices.
The existing support for Linux devices was then implemented on top
of this layer as two device types. It splits out and renames dp_dev
to internal_dev. There were several places where datapath devices
had to handled in a special manner and this cleans that up by putting
all the special casing in a single location.
datapath: Don't read net namespace on kernels that don't use them.
Use macros to eliminate the network namespace argument before it
gets to the compiler. This allows us to specify a namespace on
kernels that know about them and prevent the compiler from complaining
on kernels that don't.
Add a tun_id field which contains the ID of the encapsulating tunnel
on which a packet was received (0 if not received on a tunnel). Also
add an action which allows the tunnel ID to be set for outgoing
packets. At this point there aren't any tunnel implementations so
these fields don't have any effect.
The matching is exposed to OpenFlow by overloading the high 32 bits
of the cookie as the tunnel ID. ovs-ofctl is capable of turning
on this special behavior using a new "tun-cookie" command but this
command is intentially undocumented to avoid it being used without
a full understanding of the consequences.
Ben Pfaff [Fri, 16 Apr 2010 00:11:45 +0000 (17:11 -0700)]
bridge: Don't learn from inadmissible flows when revising learning table.
Various kinds of flows are inadmissible and must be dropped. Most notably,
OVS drops packets received on a bond whose destinations are ones that OVS
has already learned on a different port. As the comment says:
/* Drop all packets for which we have learned a different input
* port, because we probably sent the packet on one slave and got
* it back on the other. Broadcast ARP replies are an exception
* to this rule: the host has moved to another switch. */
As an important side effect of dropping these packets, OVS does not use
them for MAC learning when it sets up the corresponding flows.
However, OVS also periodically scans the datapath flow table and uses
information about flow activity to update its learning tables. (Otherwise,
learning table entries could expire because no new flows were being set up,
even though active flows existed.) This process, implemented in
bridge_account_flow_ofhook_cb(), did not check for admissibility, so
packets received on a bond could be used for learning even though another
port had already been learned.
This commit fixes the problem by making bridge_account_flow_ofhook_cb()
check for admissibility.
QA notes: Reproducing this problem requires some care and some luck. One
way is to have two VMs with network interfaces on a single bonded network.
Both bonded interfaces must be up (otherwise packets sent out on one slave
will never be received on the other). The problem will also not occur if
the physical switch that the bond slaves are plugged into has learned the
MAC address of the VMs involved (because the physical switch will then,
again, drop the packets without sending them back in on the other slave).
Finally, there needs to be some luck in timing and perhaps with the OVS
internal hash function also.
(One way to reproduce it reliably is to plug a pair of Ethernet ports into
each other with a cable, without an intermediate switch, and then use that
pair of ports as a bond. Then every packet sent out on one will
immediately be received on the other, triggering the problem fairly often.
If this doesn't work at first, try changing the Ethernet address used on
one side or the other.)
To verify that the problem being observed is the one fixed by this commit,
turn on bridge debugging with "ovs-appctl vlog/set bridge:file" and look
for "bridge xapi2: learned that 00:01:02:03:04:06 is on port bond0 in VLAN
0" where 00:01:02:03:04:06 is a VM's Ethernet address and bond0 is the
name of the bond in the ovs-vswitchd log file.
Testing: I ran the "loopback bond" test above with and without this commit,
twice each in case I was just lucky.
CC: Henrik Amren <henrik@nicira.com>
Bug #2366.
Bug NIC-64.
Bug NIC-69.
Ben Pfaff [Thu, 15 Apr 2010 23:43:10 +0000 (16:43 -0700)]
bridge: Factor admissibility check out of process_flow().
The next commit will need to make the same tests as the first part of
process_flow(), so this commit breaks that out into a new function
is_admissible().
This commit introduces a new netdev type called "patch". A patch is a
pair of interfaces, in which frames sent through one of the devices
pop out of the other. This is useful for linking together datapaths.
A patch's only argument on creation is "peer", which specifies the other
side of the patch. A patch must be created in pairs, so a second netdev
must be created with the "name" and "peer" values reversed.
The current implementation is built using veth devices. Further, it's
limited to the veth devices which support configuration through sysfs.
This limits the ability to use a "patch" on 2.6.18 kernels using the
veth device we include (read: flavors of XenServer 5.5). In the not too
distant future, the implementation will be modified to use the new
kernel port abstraction introduced by Jesse Gross's forthcoming GRE
work. At that point, patch devices will work on any Linux platform
supported by OVS.
In a future commit, the "patch" netdev type will be introduced. The
initial implementation will be based on veth, for which we have a kernel
module on 2.6.18. A more general solution will be used in the future,
at which time, this loading of the veth module can be removed.
When a user tried to delete a veth device through sysfs, the driver
wasn't properly parsing the device name. Also, it called
dev_get_by_name(), which increments a refcount on the device, but didn't
make a dev_put() before trying to delete it.
Ben Pfaff [Wed, 14 Apr 2010 17:49:34 +0000 (10:49 -0700)]
ofproto: Use original in_port for executing NXAST_RESUBMIT actions.
If NXAST_RESUBMIT adopts the replacement in_port for executing actions,
then OFPP_NORMAL will believe that traffic originated from whatever port
that is. This seems unlikely to ever be useful and in fact breaks
applications that use NXAST_RESUBMIT for two-stage ACLs.
Ben Pfaff [Wed, 14 Apr 2010 23:02:38 +0000 (16:02 -0700)]
stream-ssl: Avoid access-after-free error in update_ssl_config().
Commit b84f503d "stream-ssl: Read existing CA certificate more eagerly
during bootstrap" inadvertently introduced an access-after-free error:
do_ca_cert_bootstrap() calls
stream_ssl_set_ca_cert_file(ca_cert.file_name, true), which calls
update_ssl_config(&ca_cert, file_name), which calls
free(ca_cert.file_name) then xstrdup(ca_cert.file_name).
Fix the problem.
Reported-by: Cedric Hobbs <cedric@nicira.com> Reported-by: Peter Balland <peter@nicira.com>
Ben Pfaff [Tue, 13 Apr 2010 17:30:28 +0000 (10:30 -0700)]
ovs-ofctl: Fix write before beginning of string in "add-flow".
If "action" is the first word in a flow specification, then we were writing
one byte before the beginning of the string. So overwrite the 'a' in
"action" instead; we know it's really there.
Ben Pfaff [Tue, 13 Apr 2010 22:08:37 +0000 (15:08 -0700)]
configure: Convert --with-l26=<dir> argument to absolute path.
If the argument to --with-l26 is given as a relative pathname, then if
configuration succeeds, the build will fail, because the current directory
during the kernel build is different from that at configuration time.
Avoid the problem by converting the argument to an absolute path if
necessary.
Ben Pfaff [Tue, 13 Apr 2010 23:49:22 +0000 (16:49 -0700)]
dpif: Make dpif_flow_get() results predictable on error.
If dpif_flow_get()'s caller is less cautious than it should be, then it
will get surprising results when it looks at the returned flow on error.
This commit at least gives it plausible results.
Ben Pfaff [Tue, 13 Apr 2010 23:48:10 +0000 (16:48 -0700)]
ovs-dpctl: In "dump-flows", only print flows that can be retrieved.
If dpif_flow_get() returns an error then we'd better not try to print
the flow (especially not the actions since check_rw_odp_flow() clears
the first action to 0xcc).
Ben Pfaff [Fri, 9 Apr 2010 21:04:10 +0000 (14:04 -0700)]
ofproto: Maximum value of "int" is INT_MAX, not UINT32_MAX.
This bug seems to be dormant at the moment, since the -1 gets passed
through unchanged to do_send_packet_in() and then to make_packet_in()
and then gets converted to SIZE_MAX as part of the MIN invocation in that
function. It is still better to fix it.
Ben Pfaff [Tue, 13 Apr 2010 17:12:25 +0000 (10:12 -0700)]
ofproto: Make NXAST_RESUBMIT take header modifications into account.
Until now, the NXAST_RESUBMIT action has always looked up the original
flow except for the updated in_port. This commit changes the semantics to
instead look up the flow as modified by any preceding actions that affect
it, e.g. if OFPAT_SET_VLAN_VID precedes NXAST_RESUBMIT, then NXAST_RESUBMIT
now looks up the flow with the modified VLAN, not the original (as well as
the modified in_port).
Also, document how NXAST_RESUBMIT is supposed to work.
Ben Pfaff [Fri, 9 Apr 2010 22:19:12 +0000 (15:19 -0700)]
ofproto: Copy the flow being translated in xlate_actions().
This change should have no user-visible effect, but it paves the way for
the following commit, which requires the action_xlate_ctx's flow to be
modifiable.
Ben Pfaff [Tue, 13 Apr 2010 16:28:13 +0000 (09:28 -0700)]
Make fatal signals cause an exit more promptly in special cases.
The fatal-signal library notices and records fatal signals (e.g. SIGTERM)
and terminates the process on the next trip through poll_block(). But
some special utilities do not always invoke poll_block() promptly, e.g.
"ovs-ofctl monitor" does not call poll_block() as long as OpenFlow messages
are available. But these special cases seem like they are all likely to
call into functions that themselves block (those with "_block" in their
names). So make a new rule that such functions should always call
fatal_signal_run(), either directly or through poll_block(). This commit
implements and documents that rule.
xenserver: Fix ip_gre_mod modprobe issue in init script
The OVS kernel modules were moved to kernel/extra/openvswitch, but the
init script wasn't updated to look for the ip_gre_mod kernel module
there. This commit fixes that.
xenserver: Allow use first class datamodel field for controller IP
Starting in XenServer 5.6.0, a "vswitch_controller" key is available to
store the controller's IP address in the "pool" table of XAPI. Older
versions must still use the "vSwitchController" key in "other_config".
Based on commits 37fee7 and 0ebd737 from the xs5.7 branch written by
Ian Campbell.
xenserver: Only register xsconsole plugin if OVS is running
The 5.6.0 XenServer release will include OVS but not have it enabled by
default. By only registering the xsconsole plugin on systems running OVS,
this plugin can be included in the main distribution.
Based on commit 0ebd737 from the xs5.7 branch written by Ian Campbell.
Ben Pfaff [Thu, 18 Mar 2010 19:59:32 +0000 (12:59 -0700)]
stream: Generalize stream_open_block().
This change makes it possible to separate opening a stream from blocking on
connection completion. This avoids some code redundancy in an upcoming
commit.
Ben Pfaff [Wed, 24 Mar 2010 00:19:36 +0000 (17:19 -0700)]
stream-ssl: Make it possible to avoid checking peer SSL certificate.
In Citrix XenServer, the hosts have SSL private keys and certificates, but
those certificates are not signed by any certificate authority. So we
must provide a way to avoid checking certificates against a CA if we want
other OVS tools to be able to talk to XenServer hosts over SSL. This
commit makes that possible.
Ben Pfaff [Tue, 23 Mar 2010 22:29:10 +0000 (15:29 -0700)]
ovs-vsctl: Add SSL support.
Normally ovs-vsctl is run locally, with a Unix domain socket as target, but
it can be useful over SSL as well from a remote host, so this commit
enables that use.
Ben Pfaff [Fri, 9 Apr 2010 23:01:02 +0000 (16:01 -0700)]
stream-ssl: Read existing CA certificate more eagerly during bootstrap.
When do_ca_cert_bootstrap() attempts to bootstrap a CA certificate from a
remote host, it gives up if the CA certificate file already exists. It
knows that this file did not exist some time earlier (because it checked),
so it logged a warning and just returns. The next time that
stream_ssl_set_ca_cert_file() gets called, it will read the new CA
certificate file and all will be well.
That works OK in ovsdb-server, which calls stream_ssl_set_ca_cert_file()
every time through its main loop. It does not work well for ovs-vswitchd,
which only calls that function when it needs to reconfigure. But it
should work fine to call it directly from do_ca_cert_bootstrap(), so this
commit changes it to do that.
In a flow description, the VLAN VID was printed in hex, but an VLAN VID
modification would print the value in decimal. This commit consistently
prints the value in decimal.
ovs-ofctl: Allow setting cookie as a decimal or hex value
Clean-up a few items related to flow cookies:
- Allow setting the flow cookie as a hex or decimal string
- Consistently print the cookie in hex
- Document the ability to set the flow cookie in ovs-ofctl.
vswitch: Mark bridge_update_desc argument as unused
The implementation of bridge_update_desc() is empty, which causes a
compiler warning for the argument. Mark the argument unused until we
get a chance to fix the function's implementation.
xenserver: Put kernel modules in "extra" directory
This change cleans up a couple of items. First, it makes sure that our
newly installed kernel modules are picked up instead of any ones that
shipped with XenServer. Second, it prevents having to do the install
with "--nodeps".
xenserver: Don't install xsconsole plugin as symlink
The OVS xsconsole plugin used to be installed in
/usr/share/openvswitch/scripts directory and then a symlink was created
to the /usr/lib/xsconsole/plugins-base directory. The Citrix packaging of
OVS just placed it directly into the xsconsole plugin directory. This
worked fine until we renamed our package "openvswitch", which is the
same as Citrix uses.
On an upgrade, the default package handler would attempt to clean up files
that were in the Cirix packaging, but not in the upgraded package. Since
it didn't know that we had replaced their plugin with our symlink, it would
destroy our symlink.
This commit just places the plugin directly into the
/usr/lib/xsconsole/plugins-base directory, which allows us to seamlessly
upgrade to newer Open vSwitch versions.
projects / ovs.git / log