Russell Bryant [Thu, 10 Dec 2015 19:08:44 +0000 (14:08 -0500)]
xml2nroff: Fix issues pointed out by flake8.
This patch includes a few minor fixes pointed out by the flake8 tool.
It drops an unused variable and the related imports, adds some blank
lines where the PEP8 formatting standard indicates they should be, and
does a comparison with None as "is None" instead of "== None".
Signed-off-by: Russell Bryant <russell@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
Russell Bryant [Tue, 17 Nov 2015 22:00:06 +0000 (14:00 -0800)]
ovn: Fix ACLs for child logical ports.
The physical input flows for child logical ports (for the
container-in-a-VM use case, for example) did not set a conntrack zone
ID. The previous code only allocated a zone ID for local VIFs and
missed doing it for child ports.
Signed-off-by: Russell Bryant <russell@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
This bug fix is not required for OVS use cases. But it is
nice to keep function consistent with upstream implementation.
Upstream commit:
Earlier patch 6ae459bda tried to detect void checksum partial
skb by comparing pull length to checksum offset. But it does
not work for all cases since checksum-offset depends on
updates to skb->data.
Following patch fixes it by validating checksum start offset
after skb-data pointer is updated. Negative value of checksum
offset start means there is no need to checksum.
Fixes: 6ae459bda ("skbuff: Fix skb checksum flag on skb pull") Reported-by: Andrew Vagin <avagin@odin.com> Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 31b33dfb0a1 ("skbuff: Fix skb checksum partial check"); Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@kernel.org>
Pravin B Shelar [Thu, 10 Dec 2015 22:19:56 +0000 (14:19 -0800)]
datapath: Fix STT packet receive handling.
STT reassembly can generate list of packets. But it was
handled as a single skb. Following patch fixes it.
Fixes: e23775f20 ("datapath: Add support for lwtunnel"). Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@kernel.org> Acked-by: Joe Stringer <joe@ovn.org>
odp-util: Correctly [de]serialize mask for ND attributes.
When converting between ODP attributes and struct flow_wildcards, we
check that all the prerequisites are exact matched on the mask.
For ND(ICMPv6) attributes, an exact match on tp_src and tp_dst
(which in this context are the icmp type and code) should look like
htons(0xff), not htons(0xffff). Fix this in two places.
The consequences were that the ODP mask wouldn't include the ND
attributes and the flow would be deleted by the revalidation.
odp-util: Return exact mask if netlink mask attribute is missing.
In the ODP context an empty mask netlink attribute usually means that
the flow should be an exact match.
odp_flow_key_to_mask{,_udpif}() instead return a struct flow_wildcards
with matches only on recirc_id and vlan_tci.
A more appropriate behavior is to handle a missing (zero length) netlink
mask specially (like we do in userspace and Linux datapath) and create
an exact match flow_wildcards from the original flow.
This fixes a bug in revalidate_ukey(): every flow created with
megaflows disabled would be revalidated away, because the mask would
seem too generic. (Another possible fix would be to handle the special
case of a missing mask in revalidate_ukey(), but this seems a more
generic solution).
commit_set_icmp_action() should do its job only if the packet is ICMP,
otherwise there will be two problems:
* A set ICMP action will be inserted in the ODP actions and the flow
will be slow pathed.
* The tp_src and tp_dst field will be unwildcarded.
Normal TCP or UDP packets won't be impacted, because
commit_set_icmp_action() is called after commit_set_port_action() and it
will see the fields as already committed (TCP/UDP transport ports and ICMP
code/type are stored in the same members in struct flow).
MPLS packets though will hit the bug, causing a nonsensical set action
(which will end up zeroing the transport source port) and an invalid
mask to be generated.
The commit also alters an MPLS testcase to trigger the bug.
tnl-ports: Generate mask with correct prerequisites.
We should match on the transport ports only if the tunnel has a UDP
header. It doesn't make sense to match on transport port for GRE
tunnels.
Also, to match on fragment bits we should use FLOW_NW_FRAG_MASK instead
of 0xFF. FLOW_NW_FRAG_MASK is what we get if we convert to the ODP
netlink format and back.
Adding the correct masks in the tunnel router classifier helps in making
sure that the translation generates masks that respect prerequisites.
If the mask has some fields that do not respect prerequisites, the flow
will get deleted by revalidation, because translating to ODP format and
back will generate a more generic mask, which will be perceived as too
generic (compared with the one generated by the translation).
ofproto-dpif-xlate: Fix revalidation in execute_controller_action().
If there's no actual packet (e.g. during revalidation),
execute_controller_action() exits right away, without calling
xlate_commit_actions().
xlate_commit_actions() might have an influence on slow_path reason
(which is included in the generated ODP actions), meaning that the
revalidation will not generate the same actions as the original
translation.
Fix the problem by making execute_controller_action() call
xlate_commit_actions() even without a packet.
Joe Stringer [Wed, 9 Dec 2015 00:14:06 +0000 (16:14 -0800)]
datapath: Respect conntrack zone even if invalid.
If userspace executes ct(zone=1), and the connection tracker determines
that the packet is invalid, then the ct_zone flow key field is populated
with the default zone rather than the zone that was specified. Even
though connection tracking failed, this field should be updated with the
value that userspace specified. Fix the issue.
Fixes: a94ebc39996b ("datapath: Add conntrack action") Signed-off-by: Joe Stringer <joe@ovn.org> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Russell Bryant [Tue, 8 Dec 2015 22:32:47 +0000 (17:32 -0500)]
ovn: Fix ct_state bit mappings in OVN symtab.
The OVN symbol table contained outdated mappings between connection
states and the corresponding bit in the ct_state field. This patch
updates the symbol table with the proper values as defined in
lib/packets.h.
Signed-off-by: Russell Bryant <russell@ovn.org> Fixes: 63bc9fb1c69f ("packets: Reorder CS_* flags to remove gap.") Acked-by: Joe Stringer <joe@ovn.org>
Nithin Raju [Wed, 25 Nov 2015 20:32:33 +0000 (12:32 -0800)]
datapath-windows: Don't assert for unknown actions
On Hyper-V, we currently don't validate a flow to see if datapath can
indeed execute all the actions specified or not. While support for it
gets implemented, an ASSERT seems too strong. I'm working on the support
for actions validation. Here's a workaround in the meantime to help
debugging.
Pravin B Shelar [Tue, 8 Dec 2015 02:23:21 +0000 (18:23 -0800)]
datapath: Backport: vxlan: interpret IP headers for ECN correctly
Upstream commit:
When looking for outer IP header, use the actual socket address family, not
the address family of the default destination which is not set for metadata
based interfaces (and doesn't have to match the address family of the
received packet even if it was set).
Fix also the misleading comment.
Signed-off-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: ce212d0f6f5 ("vxlan: interpret IP headers for ECN correctly") Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@kernel.org>
Pravin B Shelar [Tue, 8 Dec 2015 02:23:20 +0000 (18:23 -0800)]
datapath: Backport: vxlan: fix incorrect RCO bit in VXLAN header
Upstream commit:
Commit 3511494ce2f3d ("vxlan: Group Policy extension") changed definition of
VXLAN_HF_RCO from 0x00200000 to BIT(24). This is obviously incorrect. It's
also in violation with the RFC draft.
Fixes: 3511494ce2f3d ("vxlan: Group Policy extension") Cc: Thomas Graf <tgraf@suug.ch> Cc: Tom Herbert <therbert@google.com> Signed-off-by: Jiri Benc <jbenc@redhat.com> Acked-by: Tom Herbert <tom@herbertland.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: c5fb8caaf91 ("vxlan: fix incorrect RCO bit in VXLAN header") Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@kernel.org>
Upstream commit:
After 614732eaa12d, no refcount is maintained for the vport-vxlan module.
This allows the userspace to remove such module while vport-vxlan
devices still exist, which leads to later oops.
v1 -> v2:
- move vport 'owner' initialization in ovs_vport_ops_register()
and make such function a macro
Fixes: 614732eaa12d ("openvswitch: Use regular VXLAN net_device device") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 83e4bf7a74 ("openvswitch: properly refcount vport-vxlan
module"). Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@kernel.org>
Pravin B Shelar [Tue, 8 Dec 2015 02:23:18 +0000 (18:23 -0800)]
datapath: Backport: openvswitch: fix hangup on vxlan/gre/geneve device deletion
Upstream commit:
Each openvswitch tunnel vport (vxlan,gre,geneve) holds a reference
to the underlying tunnel device, but never released it when such
device is deleted.
Deleting the underlying device via the ip tool causes the kernel to
hang up in the netdev_wait_allrefs() loop.
This commit ensures that on device unregistration dp_detach_port_notify()
is called for all vports that hold the device reference, properly
releasing it.
Fixes: 614732eaa12d ("openvswitch: Use regular VXLAN net_device device") Fixes: b2acd1dc3949 ("openvswitch: Use regular GRE net_device instead of vport") Fixes: 6b001e682e90 ("openvswitch: Use Geneve device.") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Acked-by: Flavio Leitner <fbl@sysclose.org> Acked-by: Pravin B Shelar <pshelar@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 131753030("openvswitch: fix hangup on vxlan/gre/geneve device
deletion"). Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@kernel.org>
Ilya Maximets [Mon, 7 Dec 2015 10:02:41 +0000 (13:02 +0300)]
ofproto-dpif: add reply on error in ofproto/tnl-push-pop
Fixes hang of 'ovs-appctl ofproto/tnl-push-pop' when an invalid
argument is passed.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
The NAT validation is similar to (and based on) the existing conntrack
validation: when a dpif backer is created, we try to install a flow with
the ct_state NAT bits set. If the flow setup fails we assume that the
backer doesn't support NAT and we reject OpenFlow flows with a NAT
action or a match on the ct_state NAT bits.
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Jarno Rajahalme [Fri, 4 Dec 2015 18:19:07 +0000 (10:19 -0800)]
bond: Use correct type for slave's change_seq.
seq values are 64-bit, and storing them to a 32-bit variable causes
the stored value never to match actual seq value after the seq value
gets big enough.
This is a likely cause of OVS main thread using 100% CPU in a system
using bonds after some runtime.
VMware-BZ: #1564993 Reported-by: Hiram Bayless <hbayless@vmware.com> Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Acked-by: Joe Stringer <joe@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Fri, 4 Dec 2015 07:00:32 +0000 (23:00 -0800)]
ovs-ofctl: Fix manpage formatting typo.
Only the names of the fields were supposed to be bold here, but omitting
the "fR" from "\fR" made everything between the field names bold too,
which looked funny.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
Based on IPv4 tests, test tunnels over IPv6. In order to do that, add
netdev-dummy/ip6addr command for dummy bridges, and get_in6 support for
netdev-dummy as well.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
tnl_arp_lookup is not used anymore. All users have been converted to
IPv4-mapped addresses. New users need to use IPv4-mapped addresses and use
tnl_neigh_lookup.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Joe Stringer [Fri, 4 Dec 2015 01:11:49 +0000 (17:11 -0800)]
ovn-northd: Only run idl loop if something changed.
Before refactoring the main loop to reuse ovsdb_idl_loop_* functions, we
would use a sequence to see if anything changed in NB database to
compute and notify the SB database, and vice versa. This logic got
dropped with the refactor, causing a testsuite failure in the ovn-sbctl
test. Reintroduce the IDL sequence number checking.
Fixes: 331e7aefe1c6 ("ovn-northd: Refactor main loop to use ovsdb_idl_loop_*
functions") Suggested-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Joe Stringer <joe@ovn.org> Signed-off-by: Justin Pettit <jpettit@ovn.org> Tested-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Acked-by: Ben Pfaff <blp@ovn.org>
Joe Stringer [Thu, 3 Dec 2015 07:53:56 +0000 (23:53 -0800)]
FAQ: Document kernel feature support.
Some recent features have more stringent requirements for kernel
versions than the FAQ describes. Add an entry to be more explicit on
which features work with which versions of the upstream kernel.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Joe Stringer [Thu, 3 Dec 2015 07:53:55 +0000 (23:53 -0800)]
datapath: Scrub skb between namespaces
If OVS receives a packet from another namespace, then the packet should
be scrubbed. However, people have already begun to rely on the behaviour
that skb->mark is preserved across namespaces, so retain this one field.
This is mainly to address information leakage between namespaces when
using OVS internal ports, but by placing it in ovs_vport_receive() it is
more generally applicable, meaning it should not be overlooked if other
port types are allowed to be moved into namespaces in future.
Upstream: 740dbc289155 ("openvswitch: Scrub skb between namespaces") Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Joe Stringer [Thu, 3 Dec 2015 07:53:53 +0000 (23:53 -0800)]
datapath: Allow attaching helpers to ct action
Add support for using conntrack helpers to assist protocol detection.
The new OVS_CT_ATTR_HELPER attribute of the CT action specifies a helper
to be used for this connection. If no helper is specified, then helpers
will be automatically applied as per the sysctl configuration of
net.netfilter.nf_conntrack_helper.
The helper may be specified as part of the conntrack action, eg:
ct(helper=ftp). Initial packets for related connections should be
committed to allow later packets for the flow to be considered
established.
Example ovs-ofctl flows allowing FTP connections from ports 1->2:
    in_port=1,tcp,action=ct(helper=ftp,commit),2
    in_port=2,tcp,ct_state=-trk,action=ct(recirc)
    in_port=2,tcp,ct_state=+trk-new+est,action=1
    in_port=2,tcp,ct_state=+trk+rel,action=1
Upstream: cae3a26 "openvswitch: Allow attaching helpers to ct action" Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Joe Stringer [Thu, 3 Dec 2015 07:53:52 +0000 (23:53 -0800)]
datapath: Allow matching on conntrack label
Allow matching and setting the ct_label field. As with ct_mark, this is
populated by executing the CT action. The label field may be modified by
specifying a label and mask nested under the CT action. It is stored as
metadata attached to the connection. Label modification occurs after
lookup, and will only persist when the conntrack entry is committed by
providing the COMMIT flag to the CT action. Labels are currently fixed
to 128 bits in size.
Upstream: c2ac667 "openvswitch: Allow matching on conntrack label" Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Joe Stringer [Thu, 3 Dec 2015 07:53:51 +0000 (23:53 -0800)]
datapath: Allow matching on conntrack mark
Allow matching and setting the ct_mark field. As with ct_state and
ct_zone, these fields are populated when the CT action is executed. To
write to this field, a value and mask can be specified as a nested
attribute under the CT action. This data is stored with the conntrack
entry, and is executed after the lookup occurs for the CT action. The
conntrack entry itself must be committed using the COMMIT flag in the CT
action flags for this change to persist.
Upstream: 182e304 "openvswitch: Allow matching on conntrack mark" Signed-off-by: Justin Pettit <jpettit@nicira.com> Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Joe Stringer [Thu, 3 Dec 2015 07:53:50 +0000 (23:53 -0800)]
datapath: Add conntrack action
Expose the kernel connection tracker via OVS. Userspace components can
make use of the CT action to populate the connection state (ct_state)
field for a flow. This state can be subsequently matched.
Exposed connection states are OVS_CS_F_*:
- NEW (0x01) - Beginning of a new connection.
- ESTABLISHED (0x02) - Part of an existing connection.
- RELATED (0x04) - Related to an established connection.
- INVALID (0x20) - Could not track the connection for this packet.
- REPLY_DIR (0x40) - This packet is in the reply direction for the flow.
- TRACKED (0x80) - This packet has been sent through conntrack.
When the CT action is executed by itself, it will send the packet
through the connection tracker and populate the ct_state field with one
or more of the connection state flags above. The CT action will always
set the TRACKED bit.
When the COMMIT flag is passed to the conntrack action, this specifies
that information about the connection should be stored. This allows
subsequent packets for the same (or related) connections to be
correlated with this connection. Sending subsequent packets for the
connection through conntrack allows the connection tracker to consider
the packets as ESTABLISHED, RELATED, and/or REPLY_DIR.
The CT action may optionally take a zone to track the flow within. This
allows connections with the same 5-tuple to be kept logically separate
from connections in other zones. If the zone is specified, then the
"ct_zone" match field will be subsequently populated with the zone id.
IP fragments are handled by transparently assembling them as part of the
CT action. The maximum received unit (MRU) size is tracked so that
refragmentation can occur during output.
IP frag handling contributed by Andy Zhou.
Based on original design by Justin Pettit.
Upstream: 7f8a436 "openvswitch: Add conntrack action" Signed-off-by: Joe Stringer <joestringer@nicira.com> Signed-off-by: Justin Pettit <jpettit@nicira.com> Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Joe Stringer [Thu, 3 Dec 2015 07:53:49 +0000 (23:53 -0800)]
datapath: Serialize acts with original netlink len
Previously, we used the kernel-internal netlink actions length to
calculate the size of messages to serialize back to userspace.
However, the sw_flow_actions may not be formatted exactly the same as the
actions on the wire, so store the original actions length when
de-serializing and re-use the original length when serializing.
Upstream: 8e2fed1 "openvswitch: Serialize acts with original netlink len" Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Joe Stringer [Thu, 3 Dec 2015 07:53:45 +0000 (23:53 -0800)]
compat: Backport IPv4 reassembly.
Backport IPv4 reassembly from the upstream commit caaecdd3d3f8 ("inet:
frags: remove INET_FRAG_EVICTED and use list_evictor for the test").
This is necessary because kernels prior to upstream commit d6b915e29f4a
("ip_fragment: don't forward defragmented DF packet") would not always
track the maximum received unit size during ip_defrag(). Without the
MRU, refragmentation cannot occur so reassembled packets are dropped.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Joe Stringer [Thu, 3 Dec 2015 07:53:44 +0000 (23:53 -0800)]
compat: Wrap IPv4 fragmentation.
Most kernels provide some form of ip fragmentation. However, until
recently many of them would always send ICMP responses for over_MTU
packets, even when operating in bridge mode. Backport the check to
ensure this doesn't occur.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Joe Stringer [Thu, 3 Dec 2015 07:53:38 +0000 (23:53 -0800)]
compat: Backport nf_ct_tmpl_alloc().
Loosely based upon Linux commit 0838aa7fcfcd "netfilter: fix netns
dependencies with conntrack templates" and commit 5e8018fc6142
"netfilter: nf_conntrack: add efficient mark to zone mapping".
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Pravin B Shelar [Thu, 3 Dec 2015 19:40:53 +0000 (11:40 -0800)]
datapath: Add support for lwtunnel
Following patch adds support for lwtunnel to OVS datapath.
With this change OVS datapath detects lwtunnel support and
makes use of new APIs if available. On older kernels where the
support is not there the backported tunnel modules are used.
These backported tunnel devices act as lwtunnel devices.
I tried to keep backported module same as upstream for easier
bug-fix backport. Since STT and LISP are not upstream OVS
always needs to use respective modules from tunnel compat layer.
To make it work on kernel 4.3 I have converted STT and LISP
modules to lwtunnel API model.
lwtunnel makes use of skb-dst to pass tunnel information to the
tunnel module. On older kernels this is not possible. So in the
case of an old kernel the metadata ref is stored in OVS_CB and a direct
call to the tunnel transmit function is made by the respective tunnel
vport modules. Similarly on the receive side tunnel recv directly
calls netdev-vport-receive to pass the skb to OVS.
Major backported components include:
Geneve, GRE, VXLAN, ip_tunnel, udp-tunnels GRO.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Joe Stringer <joe@ovn.org> Acked-by: Jesse Gross <jesse@kernel.org>
Joe Stringer [Wed, 2 Dec 2015 00:17:45 +0000 (16:17 -0800)]
ofp-actions: Refactor ofpact_get_mf_dst().
This function finds the mf destination field for any ofpact, returning
NULL if not applicable. It will be used by the next patch to properly
reject OpenFlow flows with conntrack actions when conntrack is
unsupported by the datapath.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Wenyu Zhang [Wed, 2 Dec 2015 02:43:49 +0000 (18:43 -0800)]
ipfix: Skip BFD packets.
The patch is to skip BFD packets in ipfix.
Bidirectional Forwarding Detection (BFD) packets are for monitoring
the tunnel link status and consumed by ovs itself, no need to sample
them.
Refer to IETF RFC 5881, BFD control packets are the UDP packets with
destination port 3784 and BFD echo packets are the UDP packets with
destination port 3785.
Ipfix will skip both BFD control packets and BFD echo packets.
Signed-off-by: Wenyu Zhang <wenyuz@vmware.com>
[blp@ovn.org added check for IP] Signed-off-by: Ben Pfaff <blp@ovn.org>
After some experimentation on Ubuntu 15.04, I see the
following behavior.
1. If you install openvswitch-switch with 'apt-get install',
then you automatically get upstart and systemd config files
for openvswitch. The integration with 'interfaces' fails
because both the upstart and systemd jobs do not have logic
to handle it.
The above behavior will likely get fixed soon in upstream
Ubuntu.
2. If you install openvswitch-switch via the packages
created from the openvswitch repo, there is no systemd or
upstart conf files installed. But systemd notices this
and creates a runtime openvswitch conf file which does
nothing but call back the sysv startup script.
In the above case when you call
"/etc/init.d/openvswitch-switch start", it in turn calls
"/bin/systemctl start openvswitch-switch.service" and
that in turn again calls "/etc/init.d/openvswitch-switch start".
But the above for some reason simply hangs. It looks like a call
to ifup when invoked in this manner does not return.
I am not sure why this is happening.
We can avoid the above behavior completely by skipping the
systemctl redirect as done in this commit. This should fix
both 1. and 2. above.
Signed-off-by: Gurucharan Shetty <guru@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
Joe Stringer [Wed, 11 Nov 2015 19:39:51 +0000 (11:39 -0800)]
ofproto-dpif: Shortcut common case in rule_check().
Typically the datapath will support all available features, so check
that first before attempting to retrieve various values out of a
minimask as the latter doesn't need to be checked if all fields are
supported.
ct_state is an exception, because support for the bits in this field is
not binary; only some bits are defined so far, so they must still be
checked against the current known supported bits.
Joe Stringer [Wed, 11 Nov 2015 19:39:50 +0000 (11:39 -0800)]
ofproto-dpif: Validate ct_* field masks.
When inserting rules that match on connection tracking fields, datapath
support must be checked before allowing or denying the rule insertion.
Previously we only disallowed flows that had non-zero values for the
ct_* field, but allowed non-zero masks. This meant that, eg:
    ct_state=-trk,...
Would be allowed, while
    ct_state=+trk,...
Would be disallowed, due to lack of datapath support.
Fix this by performing the check on masks instead of the flows.
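The value/mask distinction behind the ct_state checks above, as an added example (not code from Open vSwitch): it parses ct_state match strings like those in the FTP flows, using the bit values listed in the "Add conntrack action" message, and contrasts a support check on the flow value with one on the mask. The function names, the "inv" and "rpl" abbreviations and the supported-bits parameter are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ct_state bits, with the values listed in the "Add conntrack action" message. */
#define CS_NEW         0x01
#define CS_ESTABLISHED 0x02
#define CS_RELATED     0x04
#define CS_INVALID     0x20
#define CS_REPLY_DIR   0x40
#define CS_TRACKED     0x80

/* A match is a value plus a mask: only bits set in the mask are compared. */
struct ct_match { uint8_t value; uint8_t mask; };

static const struct { const char *name; uint8_t bit; } cs_names[] = {
    {"new", CS_NEW}, {"est", CS_ESTABLISHED}, {"rel", CS_RELATED},
    {"inv", CS_INVALID}, {"rpl", CS_REPLY_DIR}, {"trk", CS_TRACKED},
};

/* Parse a string such as "+trk-new+est". "+flag" requires the bit to be set,
 * "-flag" requires it to be clear. Returns 0 on success, -1 on bad syntax,
 * an unknown flag, or a flag given twice. */
int ct_state_parse(const char *s, struct ct_match *m)
{
    m->value = 0;
    m->mask = 0;
    while (*s) {
        char sign = *s++;
        if (sign != '+' && sign != '-') {
            return -1;
        }
        size_t len = strcspn(s, "+-");
        uint8_t bit = 0;
        for (size_t i = 0; i < sizeof cs_names / sizeof cs_names[0]; i++) {
            if (strlen(cs_names[i].name) == len
                && !strncmp(s, cs_names[i].name, len)) {
                bit = cs_names[i].bit;
            }
        }
        if (!bit || (m->mask & bit)) {
            return -1;
        }
        m->mask |= bit;
        if (sign == '+') {
            m->value |= bit;
        }
        s += len;
    }
    return 0;
}

/* Does a packet's ct_state satisfy the match? */
int ct_state_matches(uint8_t ct_state, const struct ct_match *m)
{
    return (ct_state & m->mask) == m->value;
}

/* Check on the flow value only: "-trk" has value 0, so it slips through
 * even when the datapath supports no ct_state bits at all. */
int rule_ok_by_value(const struct ct_match *m, uint8_t supported_bits)
{
    return (m->value & ~supported_bits) == 0;
}

/* Check on the mask: any bit the rule looks at must be supported. */
int rule_ok_by_mask(const struct ct_match *m, uint8_t supported_bits)
{
    return (m->mask & ~supported_bits) == 0;
}

int main(void)
{
    /* The ct_state matches used in the flows quoted above. */
    const char *rules[] = { "-trk", "+trk", "+trk-new+est", "+trk+rel" };
    uint8_t no_conntrack = 0x00;   /* datapath without conntrack support */

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct ct_match m;
        if (ct_state_parse(rules[i], &m)) {
            printf("%-14s parse error\n", rules[i]);
            continue;
        }
        printf("%-14s value=0x%02x mask=0x%02x by_value=%s by_mask=%s\n",
               rules[i], (unsigned) m.value, (unsigned) m.mask,
               rule_ok_by_value(&m, no_conntrack) ? "allow" : "reject",
               rule_ok_by_mask(&m, no_conntrack) ? "allow" : "reject");
    }
    return 0;
}
```

Passing the set of known bits as supported_bits also covers the case where only some ct_state bits are defined: a rule that masks an undefined bit is rejected.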
Joe Stringer [Wed, 11 Nov 2015 19:39:49 +0000 (11:39 -0800)]
ofproto-dpif: Reject partial ct_labels if unsupported.
If only half of a ct_label is present in a miniflow/minimask (eg, only
matching on one specific bit), then rule_check() would allow the flow
even if ct_label was unsupported, because it required both 64-bit fields
that comprise the ct_label to be present in the miniflow before
performing the check.
Fix this by populating the stack copy of the label directly from the
miniflow fields if available (or zero each 64-bit word if unavailable).
Simon Horman [Tue, 1 Dec 2015 06:03:09 +0000 (15:03 +0900)]
dp-packet: use dp_packet_reset_offsets during initialisation
Use dp_packet_reset_offsets() in dp_packet_init__() to make it
clearer that initialisation includes a reset of
packets the same way as callers to dp_packet_reset_offsets() reset packets.
Signed-off-by: Simon Horman <simon.horman@netronome.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Simon Horman [Tue, 1 Dec 2015 06:03:02 +0000 (15:03 +0900)]
odp-util: Limit scope of vlan in format_odp_action().
Limit the scope of the local vlan variable in format_odp_action()
to where it is used. This is consistent with the treatment of mpls
in the same function.
Signed-off-by: Simon Horman <simon.horman@netronome.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Tue, 1 Dec 2015 04:00:14 +0000 (20:00 -0800)]
csum: Inline csum_add16(), csum_add32().
These two functions are really simple, to the point that inlining them
yields less code than calling them: with GCC 4.9 on i386, this change
reduces the code generated for packet_csum_pseudoheader() from 112 bytes
to 100 bytes.
I didn't measure whether there is a performance improvement.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Ambika Arora [Mon, 30 Nov 2015 11:22:47 +0000 (16:52 +0530)]
ofproto: Implement OF1.4 error code for set-async-config
This patch adds support for OpenFlow 1.4 error codes for set-async-config.
In this patch, a new error type, OFPET_ASYNC_CONFIG_FAILED is introduced
that enables the switch to properly inform the controller when controller
tries to set invalid mask or unsupported configuration.
Signed-off-by: Ambika Arora <ambika.arora@tcs.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Aymerich, Edward [Fri, 27 Nov 2015 16:57:07 +0000 (16:57 +0000)]
ovsdb-idl: Improve ovsdb_idl_add_table() comment.
The new comment reflects with more clarity what ovsdb_idl_add_table() does.
Previous comment could be misunderstood, leading to believe that this function
replicates all columns on IDL. Hopefully this fix clarifies that columns are
not replicated, just minimal data for reference integrity is replicated.
A comment in ovsdb_idl_table_class is also modified to better reflect this
behaviour.
Signed-off-by: Edward Aymerich <edward.aymerich@hpe.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Jiri Benc [Wed, 25 Nov 2015 13:31:11 +0000 (11:31 -0200)]
tunneling: extend flow_tnl with ipv6 addresses
Note that because there's been no prerequisite on the outer protocol,
we cannot add it now. Instead, treat the ipv4 and ipv6 dst fields in the way
that either both are null, or at most one of them is non-null.
[cascardo: abstract testing either dst with flow_tnl_dst_is_set]
cascardo: using IPv4-mapped address is an exercise for the future, since this
would require special handling of MFF_TUN_SRC and MFF_TUN_DST and OpenFlow
messages.
Signed-off-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Co-authored-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
tnl-arp-cache: Rename module and functions to tnl-neigh-cache.
Since we don't distinguish between IPv4 and IPv6 lookups, consolidate ARP
and ND cache into neighbor cache. Other references to ARP related to the
ARP cache but that are not really about ARP have been renamed as well.
tnl_arp_lookup is kept for lookups using IPv4 instead of IPv4-mapped
addresses, but that is going to be removed in a later patch.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
ofproto-dpif-xlate: use IPv6 for orig_tunnel_ip_dst
orig_tunnel_ip_dst is replaced by orig_tunnel_ipv6_dst and represents IPv4
addresses as IPv4-mapped IPv6 addresses. Since this is only used in
ofproto-dpif-xlate, this change is well contained.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Jiri Benc [Wed, 25 Nov 2015 13:31:08 +0000 (11:31 -0200)]
tunneling: add IPv6 support to netdev_tunnel_config
Allow configuration of IPv6 tunnel endpoints.
Signed-off-by: Jiri Benc <jbenc@redhat.com> Co-authored-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
ipv6_string_mapped stores an IPv6 or IPv4 representation of an IPv6 address
into a string. If the address is IPv4-mapped, it's represented in IPv4
dotted-decimal format.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Saloni Jain [Tue, 24 Nov 2015 12:20:22 +0000 (17:50 +0530)]
Implement Vacancy Events for OFPMP_TABLE_DESC.
This patch adds support for vacancy events in table-desc.
    ovs-ofctl -O OpenFlow14 dump-tables-desc <switch>
This command is enhanced to display the Vacancy Event configuration
of the tables on a <switch>, which is set using the mod-table command.
Saloni Jain [Tue, 24 Nov 2015 12:19:42 +0000 (17:49 +0530)]
Implement Openflow 1.4 Vacancy Events for OFPT_TABLE_MOD.
OpenFlow 1.4 introduces the ability to turn on vacancy events with an
OFPT_TABLE_MOD message specifying OFPTC_VACANCY_EVENTS. This commit adds
support for the new feature in ovs-ofctl mod-table.
As per the openflow specification-1.4, vacancy event adds a mechanism
enabling the controller to get an early warning based on capacity
threshold chosen by the controller.
With this commit, vacancy events can be configured as:
    ovs-ofctl -O OpenFlow14 mod-table <bridge> <table> vacancy:<low,high>
<low,high> specify vacancy threshold values in percentage for vacancy_down
and vacancy_up respectively.
To disable vacancy events, following command should be given:
    ovs-ofctl -O OpenFlow14 mod-table <bridge> <table> novacancy
Signed-off-by: Saloni Jain <saloni.jain@tcs.com> Co-authored-by: Shashwat Srivastava <shashwat.srivastava@tcs.com> Signed-off-by: Shashwat Srivastava <shashwat.srivastava@tcs.com> Co-authored-by: Sandeep Kumar <sandeep.kumar16@tcs.com> Signed-off-by: Sandeep Kumar <sandeep.kumar16@tcs.com>
[blp@ovn.org fixed a few typos] Signed-off-by: Ben Pfaff <blp@ovn.org>