Ophir Munk [Thu, 17 Jan 2019 18:42:35 +0000 (18:42 +0000)]
netdev-dpdk: support port representors
Dpdk port representors were introduced in dpdk versions 18.xx.
Prior to port representors there was a one-to-one relationship
between an rte device (e.g. PCI bus) and an eth device (referenced as
dpdk port id in OVS). With port representors the relationship becomes
one-to-many rte device to eth devices.
For example in [3] there are two devices (representors) using the same
PCI physical address 0000:08:00.0: "0000:08:00.0,representor=[3]" and
"0000:08:00.0,representor=[5]".
This commit handles the new one-to-many relationship. For example,
when one of the device port representors in [3] is closed - the PCI bus
cannot be detached until the other device port representor is closed as
well. OVS remains backward compatible by supporting dpdk legacy PCI
ports which do not include port representors.
Dpdk port representors related commits are listed in [1]. Dpdk port
representors documentation appears in [2]. A sample configuration
which uses two representors ports (the output of "ovs-vsctl show"
command) is shown in [3].
[1]
e0cb96204b71 ("net/i40e: add support for representor ports")
cf80ba6e2038 ("net/ixgbe: add support for representor ports")
26c08b979d26 ("net/mlx5: add port representor awareness")
Yifeng Sun [Wed, 16 Jan 2019 22:37:08 +0000 (14:37 -0800)]
ofp-actions: Avoid overflow for ofpact_learn_spec->n_bits
ofpact_learn_spec->n_bits is the size of immediate data that is
following ofpact_learn_spec. Now it is defined as 'uint8_t'.
In many places, it gets its value directly from mf_subfield->n_bits,
whose type is 'unsigned int'. If input is large enough, there will
be uint8_t overflow.
For example, the following command will make ovs-ofctl crash:
ovs-ofctl add-flow br0 "table=0, priority=0, action=learn(limit=20 tun_metadata15=0x60ff00000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fffffffffffffff0ffffffffffffffffffffffffffff)"
This patch fixes this issue by changing type of ofpact_learn_spec->n_bits
from uint8_t to uint32_t.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11870 Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
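The narrowing described in the commit above, as an added example that is not part of the commit and not Open vSwitch code: a header that stores its immediate-data width in 8 bits makes writer and reader disagree about record boundaries once a field is wider than 255 bits, while a 32-bit member keeps them in step. The struct and function names are hypothetical, and the 992-bit width is a constructed value chosen only because it exceeds 255.

```c
/* Added illustration, not Open vSwitch code. spec_narrow/spec_wide and the
 * helpers below are hypothetical stand-ins for a header whose n_bits member
 * says how much immediate data follows it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYTES_FOR_BITS(n) ((size_t) (n) / 8 + ((n) % 8 != 0))

struct spec_narrow { uint8_t n_bits; };    /* width stored in 8 bits */
struct spec_wide { uint32_t n_bits; };     /* width stored in 32 bits */

/* What each header type records for a field that is field_bits wide. */
static unsigned int stored_narrow(unsigned int field_bits)
{
    struct spec_narrow s;
    s.n_bits = field_bits;      /* silent conversion keeps the low 8 bits */
    return s.n_bits;
}

static unsigned int stored_wide(unsigned int field_bits)
{
    struct spec_wide s;
    s.n_bits = field_bits;
    return s.n_bits;
}

/* Append one record, [header][immediate data]. The immediate data is sized
 * from the real field width; the header records what fits in its n_bits.
 * Returns the bytes written, or 0 if the record does not fit in cap. */
static size_t put_record(uint8_t *buf, size_t cap, unsigned int field_bits,
                         int wide)
{
    size_t hdr = wide ? sizeof(struct spec_wide) : sizeof(struct spec_narrow);
    size_t imm = BYTES_FOR_BITS(field_bits);

    if (cap < hdr || imm > cap - hdr) {
        return 0;
    }
    if (wide) {
        struct spec_wide s = { stored_wide(field_bits) };
        memcpy(buf, &s, hdr);
    } else {
        struct spec_narrow s = { (uint8_t) stored_narrow(field_bits) };
        memcpy(buf, &s, hdr);
    }
    memset(buf + hdr, 0xff, imm);           /* constructed immediate data */
    return hdr + imm;
}

/* Walk the buffer as a consumer would: read a header, then skip as many
 * immediate bytes as the header claims. Every read is bounds-checked.
 * Returns the number of records, or -1 if the walk runs past the data. */
static int count_records(const uint8_t *buf, size_t len, int wide)
{
    size_t hdr = wide ? sizeof(struct spec_wide) : sizeof(struct spec_narrow);
    size_t off = 0;
    int n = 0;

    while (off < len) {
        unsigned int bits;
        size_t imm;

        if (len - off < hdr) {
            return -1;
        }
        if (wide) {
            struct spec_wide s;
            memcpy(&s, buf + off, hdr);
            bits = s.n_bits;
        } else {
            struct spec_narrow s;
            memcpy(&s, buf + off, hdr);
            bits = s.n_bits;
        }
        imm = BYTES_FOR_BITS(bits);
        if (imm > len - off - hdr) {
            return -1;
        }
        off += hdr + imm;
        n++;
    }
    return n;
}

/* Write two records (first_bits wide, then 32 bits wide) and walk them. */
static int walk_two_records(unsigned int first_bits, int wide)
{
    uint8_t buf[256];
    size_t a = put_record(buf, sizeof buf, first_bits, wide);
    size_t b = a ? put_record(buf + a, sizeof buf - a, 32, wide) : 0;

    return a && b ? count_records(buf, a + b, wide) : -1;
}

int main(void)
{
    printf("992 bits stored in uint8_t:  %u\n", stored_narrow(992));
    printf("992 bits stored in uint32_t: %u\n", stored_wide(992));
    printf("narrow header, 64-bit field:  %d\n", walk_two_records(64, 0));
    printf("narrow header, 992-bit field: %d\n", walk_two_records(992, 0));
    printf("wide header, 992-bit field:   %d\n", walk_two_records(992, 1));
    return 0;
}
```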
Han Zhou [Wed, 16 Jan 2019 21:45:10 +0000 (13:45 -0800)]
sandbox: Fix env for clustered OVN DBs.
When ovn clustered mode is specified, the environment variables
OVN_NB_DB/OVN_SB_DB are wrong. It should be something like
unix:nb1,unix:nb2,unix:nb3 but it turns out to be unix:nb1,unix:nb1,unix:nb2.
So when nb3 becomes leader, the connection will always fail.
It is caused by using an undefined variable $n resulting in the
unexpected result of `seq 2 $n`. This patch fixed it by using the
correct variable $servers.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Mark Michelson [Wed, 16 Jan 2019 15:37:06 +0000 (10:37 -0500)]
ovn: Add port addresses to IPAM later.
ipam_add_port_adresses() needs to be called after the peer field is set
on the ovn_port structures. This way, addresses taken by peered router
ports will be added to the logical switch's IPAM and therefore will be
barred from assignment to other ports.
Reported-by: Girish Moodalbail <gmoodalbail@nvidia.com> Signed-off-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ian Stokes [Tue, 6 Nov 2018 21:17:38 +0000 (21:17 +0000)]
travis: Add dpdk shared library build.
Add travis builds for DPDK as a shared library.
Currently the DPDK builds in travis only compile DPDK as a static library.
With static builds in DPDK there is a risk that if a function is not
exported then it will not be supported when DPDK is used as a shared library.
This commit adds the option to build DPDK as a shared library. Also two
build jobs are added to the travis.yml whereby a shared DPDK is built
with both static and shared OVS libraries.
Signed-off-by: Ian Stokes <ian.stokes@intel.com> Acked-by: Tiago Lam <tiago.lam@intel.com> Acked-by: Kevin Traynor <ktraynor@redhat.com>
Nitin Katiyar [Wed, 16 Jan 2019 05:41:43 +0000 (05:41 +0000)]
Adding support for PMD auto load balancing
Port rx queues that have not been statically assigned to PMDs are currently
assigned based on periodically sampled load measurements.
The assignment is performed at specific instances – port addition, port
deletion, upon reassignment request via CLI etc.
Due to change in traffic pattern over time it can cause uneven load among
the PMDs and thus resulting in lower overall throughput.
This patch enables the support of auto load balancing of PMDs based on
measured load of RX queues. Each PMD measures the processing load for each
of its associated queues every 10 seconds. If the aggregated PMD load reaches
95% for 6 consecutive intervals then PMD considers itself to be overloaded.
If any PMD is overloaded, a dry-run of the PMD assignment algorithm is
performed by OVS main thread. The dry-run does NOT change the existing
queue to PMD assignments.
If the resultant mapping of dry-run indicates an improved distribution
of the load then the actual reassignment will be performed.
The automatic rebalancing will be disabled by default and has to be
enabled via configuration option. The interval (in minutes) between
two consecutive rebalancing can also be configured via CLI, default
is 1 min.
Following example commands can be used to set the auto-lb params:
ovs-vsctl set open_vswitch . other_config:pmd-auto-lb="true"
ovs-vsctl set open_vswitch . other_config:pmd-auto-lb-rebalance-intvl="5"
Terry Wilson [Mon, 14 Jan 2019 14:15:36 +0000 (08:15 -0600)]
Un-revert Work around Python/C JSON unicode differences
This fix was reverted because it depended on a small bit of code
in a patch that was reverted that changed some python/ovs testing
and build. The fix is still necessary.
The OVS C-based JSON parser operates on bytes, so the parser_feed
function returns the number of bytes that are processed. The pure
Python JSON parser currently operates on unicode, so it expects
that Parser.feed() returns a number of characters. This difference
leads to parsing errors when unicode characters are passed to the
C JSON parser from Python.
Acked-by: Lucas Alvares Gomes <lucasagomes@gmail.com> Signed-off-by: Terry Wilson <twilson@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Mon, 14 Jan 2019 15:04:32 +0000 (18:04 +0300)]
checkpatch: Check style of FOREACH loops.
Current checkpatch rules match only OVS 'FOR_EACH' loops.
This change will apply same style checks for DPDK iterators
like 'RTE_ETH_FOREACH_MATCHING_DEV () {}'.
Ilya Maximets [Tue, 15 Jan 2019 14:03:00 +0000 (17:03 +0300)]
python: Escape backslashes while formatting logs.
Since python version 3.7 (and some 3.6+ versions) regexp engine
changed to treat the wrong escape sequences as errors. Previously,
if the replace string had something like '\u0000', '\u' was
qualified as a bad escape sequence and treated just as a sequence
of characters '\' and 'u'. But now this triggers an error:
Traceback (most recent call last):
File "/usr/lib/python3.7/sre_parse.py", line 1021, in parse_template
this = chr(ESCAPES[this][1])
KeyError: '\\u'
From the documentation [1]:
Unknown escapes consisting of '\' and an ASCII letter in replacement
templates for re.sub() were deprecated in Python 3.5, and will now
cause an error.
We need to escape the backslash by another one to keep regexp engine
from errors. In case of '\\u000', '\\' is a valid escape sequence
and the 'u' is a simple character.
To be 100% safe we need to use 're.escape(replace)', but it escapes
too many characters making the logs hard to read.
This change fixes Python 3 tests on systems with python 3.7.
Should be backward compatible.
Reported-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Thu, 10 Jan 2019 23:23:45 +0000 (15:23 -0800)]
python: Fix invalid escape sequences.
It appears that Python silently treats invalid escape sequences in
strings as literals, e.g. "\." is the same as "\\.". Newer versions of
checkpatch complain, and it does seem reasonable to me to fix these.
Ilya Maximets [Fri, 11 Jan 2019 08:09:19 +0000 (11:09 +0300)]
vconn: Fix using of uninitialized deadline.
Typo introduced while making minor refactoring before applying the
patch.
Fixes logic and the clang build:
lib/vconn.c:707:47: error:
variable 'deadline' is uninitialized when
used within its own initialization [-Werror,-Wuninitialized]
? time_msec() + deadline
^~~~~~~~
Acked-by: Kevin Traynor <ktraynor@redhat.com> Fixes: 04895042e9f6 ("vconn: Allow timeout configuration for blocking connection.") Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Wed, 29 Aug 2018 18:14:31 +0000 (11:14 -0700)]
ofproto: Handle multipart requests with multiple parts.
OpenFlow has a concept of multipart messages, that is, messages that can be
broken into multiple pieces that are sent separately. Before OpenFlow 1.3,
only replies could actually have multiple pieces. OpenFlow 1.3 introduced
the idea that requests could have multiple pieces. This is only useful for
multipart requests that take an array as part of the request, which amounts
to only flow monitoring requests and table features requests. So far, OVS
hasn't implemented the multipart versions of these (it just reports an
error). This commit introduces the necessary infrastructure to implement
them properly.
Acked-by: Justin Pettit <jpettit@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Wed, 9 Jan 2019 17:30:17 +0000 (20:30 +0300)]
vconn: Allow timeout configuration for blocking connection.
On some systems in case where remote is not responding, socket could
remain in SYN_SENT state for a really long time without errors waiting
for connection. This leads to situations where vconn connection hangs
for a few minutes waiting for connection to the DOWN remote.
For example, this situation emulated by "refuse-connection" vconn
testcase. This leads to test failures because Alarm signal arrives much
faster than ETIMEDOUT from the socket:
./vconn.at:21: ovstest test-vconn refuse-connection tcp
Alarm clock
stderr:
|socket_util|INFO|0:127.0.0.1: listening on port 63812
|poll_loop|DBG|wakeup due to 0-ms timeout
|poll_loop|DBG|wakeup due to 10155-ms timeout
|fatal_signal|WARN|terminating with signal 14 (Alarm clock)
./vconn.at:21: exit code was 142, expected 0
vconn.at:21: 535. tcp vconn - refuse connection (vconn.at:21): FAILED
This patch allows to specify timeout value for vconn blocking
connections. If the connection takes more time, socket will be closed
with ETIMEDOUT error code. Negative value could be used to wait
infinitely.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Wed, 9 Jan 2019 17:30:16 +0000 (20:30 +0300)]
stream: Allow timeout configuration for open_block.
On some systems in case where remote is not responding, socket could
remain in SYN_SENT state for a really long time without errors waiting
for connection. This leads to situations where open_block() hangs for
a few minutes waiting for connection to the DOWN remote.
For example, our "multiple remotes" idl tests hang waiting for
connection to the WRONG_PORT on FreeBSD in CirrusCI environment.
This leads to test failures because Alarm signal arrives much faster
than ETIMEDOUT from the socket.
This patch allows to specify timeout value for 'open_block' function.
If the connection takes more time, socket will be closed with
ETIMEDOUT error code. Negative value or None in python could be
used to wait infinitely.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
# ovs-ofctl -O OpenFlow15 insert-buckets br0 "group_id=10,type=select command_bucket_id=last,bucket=bucket_id=3,weight=100,actions=output:1"
ovs-ofctl: type is not needed
# ovs-ofctl -O OpenFlow15 insert-buckets br0 "group_id=10 command_bucket_id=last,bucket=bucket_id=3,weight=100,actions=output:1"
ovs-ofctl: Only select groups can have bucket weights.
This patch can help us. However, for other types that are not select, the
check of the parameters is not strict, but it does not affect their
function, because other types do not use this weight parameter.
Signed-off-by: solomon <liwei.solomon@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Eli Britstein [Wed, 26 Dec 2018 07:36:22 +0000 (09:36 +0200)]
netdev-tc-offloads: Support IPv6 hlimit rewrite
Add support for IPv6 hlimit field.
Signed-off-by: Eli Britstein <elibr@mellanox.com> Reviewed-by: Paul Blakey <paulb@mellanox.com> Signed-off-by: Simon Horman <simon.horman@netronome.com>
Eli Britstein [Wed, 26 Dec 2018 07:34:35 +0000 (09:34 +0200)]
netdev-tc-offloads: Do not set 0 port attribute to TC tunnel
For non UDP tunnels as GRE there is no UDP port, i.e initialized to 0.
Do not set the port attribute in such case.
Signed-off-by: Eli Britstein <elibr@mellanox.com> Reviewed-by: Paul Blakey <paulb@mellanox.com> Signed-off-by: Simon Horman <simon.horman@netronome.com>
Lorenzo Bianconi [Fri, 28 Dec 2018 17:18:04 +0000 (18:18 +0100)]
OVN: add mac address only support to IPAM/MACAM
Add the capability to assign just L2 address to IPAM/MACAM since
in the current implementation either subnet or ipv6_prefix are mandatory
to enable IPAM
Tested-by: Yossi Segev <ysegev@redhat.com> Acked-by: Mark Michelson <mmichels@redhat.com> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Han Zhou [Tue, 18 Dec 2018 22:18:34 +0000 (14:18 -0800)]
ovn-sb.ovsschema: Avoid duplicated IPs in Encap table.
When adding a new chassis, if there is an old chassis with same IP
existed in Encap table, it is allowed to be added today. However,
allowing it to be added results in problems:
1. The new chassis cannot work because none of the other chassises
are able to create tunnel to it, because of the IP confliction
with already existed tunnel to the old chassis.
2. All the other chassises will continuously retry creating the tunnel
and complaining about the error.
So, instead of hiding the problem, it is better to expose it while
trying to add the second chassis with duplicated IP. This patch
ensures it from the ovsdb schema.
Signed-off-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Yifeng Sun [Thu, 27 Dec 2018 00:52:23 +0000 (16:52 -0800)]
odp-util: Fix fuzz runtime error of invalid dont_send value
Oss-fuzz complains that (struct user_action_cookie)->controller->dont_send
has invalid value, like below:
runtime error: load of value 26, which is not a valid value for type 'bool'
From this piece of code "cookie.controller.dont_send ? 1 : 0", it looks
like that we want to tolerate values than 0 and 1.
Thus, this patch changes the types of dont_send and continuation from bool
to uint8_t in order to make oss-fuzz happy.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11330 Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
David Marchand [Fri, 21 Dec 2018 13:29:59 +0000 (14:29 +0100)]
system-traffic.at: avoid a race condition on monitor log
Rather than letting the test framework kill any remaining ofctl monitor,
ask and wait for it to gracefully exit before looking at the log file.
This solves random failures of tests 29, 30 and 50.
Signed-off-by: David Marchand <david.marchand@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
luzhipeng-zte [Sat, 22 Dec 2018 15:13:42 +0000 (23:13 +0800)]
fix rpmbuild fails for rhel
This patch fixes the rpm build fail for rhel. The error is:
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openvswitch-2.10.0-1.x86_64
error: Installed (but unpackaged) file(s) found:
/usr/share/openvswitch/scripts/ovs-monitor-ipsec
Signed-off-by: ZhiPeng LU <luzhipeng@uniudc.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Wed, 26 Dec 2018 15:23:59 +0000 (18:23 +0300)]
ovsdb-idl.at: Increase timeouts for tests with multiple remotes.
Tests with multiple remotes always involve connection attempts
to the wrong destinations. This includes few reconnection cycles
for 1 second each and also possible long timeouts for blocking
connections.
Let's increase the timeouts for these tests to allow them finish
successfully.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Wed, 26 Dec 2018 15:23:57 +0000 (18:23 +0300)]
ovsdb-idl.at: Better choosing of wrong ports.
On some systems (ex. FreeBSD) kernel could allocate outcoming tcp ports
too close to the listening port of ovsdb-server. This could lead to having
outcoming tcp port of test-ovsdb application equal to one of the
WRONG_PORTs. In this case self-connection to the WRONG_PORT succeeds and
fails the tests:
Ilya Maximets [Wed, 26 Dec 2018 15:23:54 +0000 (18:23 +0300)]
python: jsonrpc: Pick new remote on disconnect.
If attempt to open non-blocking connection results with EINPROGRESS,
further polling will trigger DISCONNECT action in case of failures.
While handling this action, jsonrpc python library closes the
connection but does not change the current remote. This leads to
subsequent connection to the same remote. And the story starts from
the beginning producing infinite attempts to connect to a single
remote regardless of existence of others. Like this:
Fix that by always picking the new remote on disconnect.
This mimics the behaviour of jsonrpc C library.
Fixes "multiple remotes" tests on FreeBSD.
CC: Numan Siddique <nusiddiq@redhat.com> Fixes: 31e434fc985c ("python jsonrpc: Allow jsonrpc_session to have more than one remote.") Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Anand Kumar [Fri, 9 Nov 2018 19:08:33 +0000 (11:08 -0800)]
datapath-windows: Use layers info to extract IP header in IpFragment
- Rely on layers l3Offset field to get offset of IP header.
- Also fix passing 'newNbl' to IP fragment which is not required.
- Fixed including a header file twice.
Signed-off-by: Anand Kumar <kumaranand@vmware.com> Acked-by: Alin Gabriel Serdean <aserdean@ovn.org> Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Ilya Maximets [Thu, 20 Dec 2018 17:23:12 +0000 (20:23 +0300)]
ofproto-dpif.at: Make sFlow sampling tests invariant to IP version.
sflow.log reports the first ip address of the 'loopback' interface.
It could be different on different systems. For example, on FreeBSD
IPv6 [::1] address goes first despite of IPv4 127.0.0.1 on Linux.
Let's just replace it to IPv4 always to make tests work.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Thu, 20 Dec 2018 17:31:39 +0000 (20:31 +0300)]
ofproto-macros.at: Ignore attempts to open '127.0.0.1' as a device.
While configuring sFlow agent OVS tries to treat the value as a name
of the interface at first, after that it tries to treat it as an ip
address. While trying to create netdev from the 'agent', netdev-bsd
calls 'netdev_get_flags()' which produces following warning:
failed to get flags for network device 127.0.0.1
This does not happen with netdev-linux because it uses its own
implementation of 'get_flags' while creating the netdev.
Let's just ignore the warning for sFlow tests.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Thu, 20 Dec 2018 17:35:57 +0000 (20:35 +0300)]
python: Catch setsockopt exceptions for TCP stream.
'sock.setsockopt' could throw exceptions. For example, if non-blocking
connection failed before the call:
Traceback (most recent call last):
File "../.././test-ovsdb.py", line 896, in <module>
main(sys.argv)
File "../.././test-ovsdb.py", line 891, in main
func(*args)
File "../.././test-ovsdb.py", line 604, in do_idl
ovs.stream.Stream.open(r))
File "/root/git_/ovs/python/ovs/stream.py", line 190, in open
error, sock = cls._open(suffix, dscp)
File "/root/git_/ovs/python/ovs/stream.py", line 744, in _open
sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
File "/usr/local/lib/python2.7/socket.py", line 228, in meth
return getattr(self._sock,name)(*args)
socket.error: [Errno 54] Connection reset by peer
This fixes tests on FreeBSD.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Wed, 19 Dec 2018 15:00:20 +0000 (18:00 +0300)]
odp.at: Make 'sed -i' BSD compatible.
'sed -i' on FreeBSD always expects backup filename extension
passed while GNU version expects it only if specified without
extra space after the '-i'. Let's specify the backup extension
to make BSD sed work.
This fixes test on FreeBSD.
CC: Joe Stringer <joe@ovn.org> Fixes: 07659514c3c1 ("Add support for connection tracking.") Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Tue, 18 Dec 2018 15:56:16 +0000 (18:56 +0300)]
odp-util: Don't try to parse geneve data if not provided.
Despite of linux, 'strtoull' on FreeBSD sets errno to EINVAL in case
of no digits found. This causes odp_flow parsing failure if
there is no geneve data inside it. For example, ovs fails to parse
following flow on FreeBSD:
Ilya Maximets [Tue, 18 Dec 2018 12:54:53 +0000 (15:54 +0300)]
ovn.at: Drop bash specific 'function' keyword.
This keyword is not portable and also optional in bash.
Fixes test on FreeBSD.
CC: Miguel Angel Ajo <majopela@redhat.com> Fixes: 508b7f961bd6 ("ovn: l3ha, make is_chassis_active aware of gateway_chassis") Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ilya Maximets [Tue, 18 Dec 2018 16:38:27 +0000 (19:38 +0300)]
stopwatch: Fix qsort comparison function.
Current version is broken because it converts first argument to
integer and after that subtracts the double value. At the end
the result converted to integer again.
This does not cause unit test failures because qsort on linux
accidentally makes right order. On FreeBSD this leads to the
test failure:
Ilya Maximets [Tue, 18 Dec 2018 11:57:24 +0000 (14:57 +0300)]
tests: Don't pass TESTSUITEFLAGS while re-checking.
This fixes 'RECHECK=yes' functionality in case of configured test
range. For example, before the patch following cmdline will result in
running all of the 1000 tests re-checking in case of any failure:
make -j8 check TESTSUITEFLAGS='1000-1999' RECHECK=yes
This happens because ranges and pattern matching options has higher
priority than the '--recheck'.
With patch, only failed tests from the range will be re-checked.
With this patch applied we're dropping support of '--verbose' and
'--trace' options while re-check, but, IMHO, these options makes
sense mostly while debugging individual tests and not much usable
while running recheck of a whole testsuite.
'--jobs' we're resetting each time anyway.
Not sure if someone overrides default '--directory'. For me it looks
not very useful. Changing the color mode also looks not much
profitable.
OTOH, re-checking the ranges or keyword matched tests is very useful,
for example, if you're trying to split up single testsuite check in
a few independent CI jobs.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Darrell Ball [Mon, 17 Dec 2018 22:43:13 +0000 (14:43 -0800)]
conntrack: Enforce conn_type for flush tuple.
The user should only reference a conntrack entry by the forward
direction context, as per 'conntrack_flush()', enforce this by
checking for 'default' conn_type. The likelihood of a user
not using the original tuple is low, but it should be guarded
against, logged and documented.
Signed-off-by: Darrell Ball <dlu998@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Darrell Ball [Mon, 17 Dec 2018 22:43:12 +0000 (14:43 -0800)]
conntrack: Check all addresses for ephemeral ports.
When fallback to ephemeral ports triggers to find a NAT translation,
it may happen that the full address range is not explored; i.e. if
all ephemeral ports are being used for the address range >= the
first address checked and there are other addresses in the
available range, then they would not be explored for availability.
The likelihood of hitting this condition is rare. The fix is to
reset the first address to the minimum address when starting to
search ephemeral ports. Found by inspection.
Darrell Ball [Mon, 17 Dec 2018 22:43:11 +0000 (14:43 -0800)]
conntrack: Skip ephemeral ports fallback for DNAT.
Ephemeral port fallback is being done for DNAT and the code could be hit in
some special cases and testing configurations. Also good packets are
expected to be persistently dropped in this case, which is not a common
user goal. Regardless, this is incorrect, so filter this out. Also, rename
the variable used for checking whether ephemeral ports need to be checked.
Greg Rose [Tue, 18 Dec 2018 17:43:19 +0000 (09:43 -0800)]
Revert "datapath: Derive IP protocol number for IPv6 later frags"
This reverts commit 2f748bf8016c ("datapath: Derive IP protocol...")
This commit is causing some ipv6 fragmentation errors in some older
kernels. Revert for now and then we can determine how to implement
this patch with appropriate compatibility layer changes to prevent
errors on older kernels.
CC: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Yi-Hung Wei [Fri, 14 Dec 2018 23:28:55 +0000 (15:28 -0800)]
datapath: compat: Fix static key backport
The original static key backport is based on the upstream
net-next commit 11276d5306b8
("locking/static_keys: Add a new static_key interface").
However, in Canonical's Trusty kernel, it introduced partial static
support which have different definition of some of the macros that
breaks the compatibility code.
For example, in net-next git tree commit 11276d5306b8
("locking/static_keys: Add a new static_key interface").
+ #define DEFINE_STATIC_KEY_TRUE(name) \
+ struct static_key_true name = STATIC_KEY_TRUE_INIT
On the other hand, in Canonical's Trusty git tree commit 13f5d5d1cccb6
("x86/KVM/VMX: Add module argument for L1TF mitigation")
+ #define DEFINE_STATIC_KEY_TRUE(name) \
+ struct static_key name = STATIC_KEY_INIT_TRUE
This commit resolves the ovs kernel module compatibility issue on
Trusty kernel.
VMware-BZ: #2251101 Fixes: 6660a9597a49 ("datapath: compat: Introduce static key support") Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Numan Siddique [Mon, 17 Dec 2018 16:19:44 +0000 (21:49 +0530)]
ovn: Fix the invalid eth.dst and ip6.dst set by nd_ns action for certain cases.
When an IPv6 packet enters a router pipeline and it needs to be routed via
the nexthop IP address set in the static route, OVN generates an IPv6
Neigh Solicitation request if the nexthop IP is not resolved yet. But
right now, the generated IPv6 Neigh Solicitation packet doesn't set
the eth.dst to the multicast address derived from the nexthop and
ip6.dst to the solicited-node multicast address corresponding to the
nexthop address. Instead it generates these values from the actual
ip6.dst of the original packet.
This patch fixes this issue.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Add 'clone' action to kernel datapath by using existing functions.
When actions within clone don't modify the current flow, the flow
key is not cloned before executing clone actions.
This is a follow up patch for this incomplete work:
https://patchwork.ozlabs.org/patch/722096/
v1 -> v2:
Refactor as advised by reviewer.
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Co-authored-by: Andy Zhou <azhou@ovn.org> Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Andy Zhou <azhou@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Sun, 16 Dec 2018 16:25:59 +0000 (08:25 -0800)]
tests: Strip "lt-" prefix when checking daemon process names.
When libtool is in the picture to deal with shared libraries, processes
end up with an "lt-" prefix in their process names. This caused the
process name check in daemon.at to fail. This commit fixes the problem by
stripping off that prefix.
Fixes: d8c6955a03ea ("tests: Simplify and improve the daemon tests.") Reported-by: Timothy Redaelli <tredaelli@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-December/354574.html Acked-by: Timothy Redaelli <tredaelli@redhat.com> Tested-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
There is a spelling mistake in a net_warn_ratelimited message, fix this.
Signed-off-by: Colin Ian King <colin.king@canonical.com> Reviewed-by: Simon Horman <simon.horman@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net> CC: Colin Ian King <colin.king@canonical.com> Acked-by: William Tu <u9012063@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Load the respective NAT helper module if the flow uses it.
Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> CC: Flavio Leitner <fbl@redhat.com> Acked-by: Flavio Leitner <fbl@sysclose.org> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
net: ovs: fix return type of ndo_start_xmit function
The method ndo_start_xmit() is defined as returning an 'netdev_tx_t',
which is a typedef for an enum type, so make sure the implementation in
this driver returns a 'netdev_tx_t' value, and change the function
return type to netdev_tx_t.
Found by coccinelle.
Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> CC: YueHaibing <yuehaibing@huawei.com> Acked-by: William Tu <u9012063@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
openvswitch: Derive IP protocol number for IPv6 later frags
Currently, OVS only parses the IP protocol number for the first
IPv6 fragment, but sets the IP protocol number for the later fragments
to be NEXTHDF_FRAGMENT. This patch tries to derive the IP protocol
number for the IPV6 later frags so that we can match that.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> CC: Yi-Hung Wei <yihung.wei@gmail.com> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
datapath: check tunnel option type in tunnel flags
Upstream commit:
commit 256c87c17c53e60882a43dcf3e98f3bf859eaf6f
Author: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Date: Tue Jun 26 21:39:36 2018 -0700
net: check tunnel option type in tunnel flags
Check the tunnel option type stored in tunnel flags when creating options
for tunnels. Thereby ensuring we do not set geneve, vxlan or erspan tunnel
options on interfaces that are not associated with them.
Make sure all users of the infrastructure set correct flags, for the BPF
helper we have to set all bits to keep backward compatibility.
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net> CC: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com> Acked-by: William Tu <u9012063@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>