Ben Pfaff [Fri, 3 Feb 2017 16:58:27 +0000 (08:58 -0800)]
netdev: Reject empty names in netdev_open().
The empty string is not a valid name for a network device. I would have
expected that each of the netdev provider implementations would reject an
empty string, but there was a special case for Linux tap devices where they
instead caused unexpected behavior. This commit should fix the problem for
those devices and every other kind.
Reported-by: Gabor Locsei <gabor.locsei@ericsson.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2017-February/043613.html Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Girish Moodalbail <girish.moodalbail@oracle.com> Acked-by: Andy Zhou <azhou@ovn.org>
Ian Stokes [Thu, 2 Feb 2017 16:30:15 +0000 (16:30 +0000)]
doc: Update DPDK version for 2.7 release.
Add DPDK version required for the OVS 2.7 release in documentation.
Signed-off-by: Ian Stokes <ian.stokes@intel.com> Acked-by: Kevin Traynor <ktraynor@redhat.com> Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
dpif-netdev: Pass Openvswitch other_config smap to dpif.
Currently we parse the 'other_config' column in Openvswitch table in
bridge.c. We extract the values (just 'pmd-cpu-mask' for now) and we
pass them down to the datapath, via different layers.
If we want to pass other values to dpif-netdev.c (like we recently
discussed) we would have to touch ofproto.c, ofproto-dpif.c and dpif.c.
This patch sends the entire other_config column to dpif-netdev, so that
dpif-netdev can extract the values it's interested in.
No functional change.
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com> Acked-by: Ben Pfaff <blp@ovn.org>
Russell Bryant [Thu, 2 Feb 2017 07:04:07 +0000 (02:04 -0500)]
ovn: Add missing netdev_close in setup_qos.
We missed calling netdev_close in a couple of places. One was in an error
condition rarely hit. The second was just introduced and would be hit in
all cases where QoS is not in use.
Fixes: dc2dab6e6de5 ("ovn-controller: Configure interface QoS only if it would actually be used.") Signed-off-by: Russell Bryant <russell@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
Russell Bryant [Thu, 2 Feb 2017 07:02:34 +0000 (02:02 -0500)]
docs: Add OVS and OVN headings to pages.
Update the "deep dive" and "howto" pages with headings that more clearly
indicate the separate lists of OVS or OVN content. Also add a link to
ovn-architecture from the "deep dive" page as it seems quite relevant
there.
Signed-off-by: Russell Bryant <russell@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
The code to wait for a particular type of flow
in ovs-vswitchd was not specific enough. This commit
changes that and to be doubly sure, also uses the
sync command.
Reported-by: Andy Zhou <azhou@ovn.org> Reported-by: Joe Stringer <joe@ovn.org> Signed-off-by: Gurucharan Shetty <guru@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
Alin Serdean [Tue, 10 Jan 2017 16:48:30 +0000 (16:48 +0000)]
datapath-windows: GENEVE Check for flow destination port
Change the UDP destination port(GENEVE header) to check if it was set by
the userspace, use it if it was set.
If the userspace did not specify a destination port, use the configured
vport destination port.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Sairam Venugopal <vsairam@vmware.com>
Alin Serdean [Tue, 10 Jan 2017 16:48:29 +0000 (16:48 +0000)]
datapath-windows: STT Check for flow destination port
Change the TCP destination port(STT header) to check if it was set by
the userspace, use it if it was set.
If the userspace did not specify a destination port, use the configured
vport destination port.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Sairam Venugopal <vsairam@vmware.com>
Alin Serdean [Tue, 10 Jan 2017 16:48:29 +0000 (16:48 +0000)]
datapath-windows: VXLAN Check for flow destination port
Change the UDP destination port(VXLAN header) to check if it was set by
the userspace, use it if it was set.
If the userspace did not specify a destination port, use the configured
vport destination port.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Sairam Venugopal <vsairam@vmware.com>
bridge("br0")
-------------
>>>> Recirculation context not found for ID 2 <<<<
Final flow: unchanged
Megaflow: recirc_id=0x2,ip,in_port=1,nw_frag=no
Datapath actions: drop
Translation failed (No recirculation context), packet is dropped.
"
Since eviction of the flows is not needed for the current logic,
this commit adds a time/stop to bypass the problem.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Yi-Hung Wei [Fri, 20 Jan 2017 23:12:21 +0000 (15:12 -0800)]
ofp-actions: Fix variable length meta-flow OXMs.
Previously, if a flow action that involves a tunnel metadata meta-flow
field is dumped from vswitchd, the replied field length in the OXM header
is filled with the maximum possible field length, instead of the length
configured in the tunnel TLV mapping table. To solve this issue, this patch
introduces the following changes.
In order to maintain the correct length of variable length mf_fields (i.e.
tun_metadata), this patch creates a per-switch based map (struct vl_mff_map)
that hosts the variable length mf_fields. This map is updated when a
controller adds/deletes tlv-mapping entries to/from a switch. Although the
per-swtch based vl_mff_map only hosts tun_metadata for now, it is able to
support new variable length mf_fields in the future.
With this commit, when a switch decodes a flow action with mf_field, the switch
firstly looks up the global mf_fields map to identify the mf_field type. For
the variable length mf_fields, the switch uses the vl_mff_map to get the
configured mf_field entries. By lookig up vl_mff_map, the switch can check
if the added flow action access beyond the configured size of a variable
length mf_field, and the switch reports an ofperr if the controller adds a flow
with unmapped variable length mf_field. Later on, when a controller request
flows from the switch, with the per-switch based mf_fields, the switch will
encode the OXM header with correct length for variable length mf_fields.
To use the vl_mff_map for decoding flow actions, extract-ofp-actions is
updated to pass the vl_mff_map to the required action decoding functions.
Also, a new error code is introduced to identify a flow with an invalid
variable length mf_field. Moreover, a testcase is added to prevent future
regressions.
Committer notes:
- Factor out common code
- Style fixups
- Rename OFPERR_NXFMFC_INVALID_VL_MFF -> OFPERR_NXFMFC_INVALID_TLV_FIELD
VMWare-BZ: #1768370 Reported-by: Harold Lim <haroldl@vmware.com> Suggested-by: Joe Stringer <joe@ovn.org> Suggested-by: Jarno Rajahalme <jarno@ovn.org> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Joe Stringer <joe@ovn.org>
Ben Pfaff [Wed, 1 Feb 2017 17:21:38 +0000 (09:21 -0800)]
ovn-controller: Configure interface QoS only if it would actually be used.
Until now, ovn-controller has unconditionally configured linux-htb on
physical interfaces. QoS is pretty much always trouble, but it's even more
trouble if we set it up for no good reason. We received a bug report, in
particular, that doing this disrupts connectivity in Docker.
This commit attempts to make that less likely, by making ovn-controller
only configure a qdisc if QoS support has in turn been configured in OVN.
The same problems as before will recur if QoS support is actually
configured, but at least now there's some purpose, and possibly a symptom
that the user can better diagnose ("I turned on QoS and OVN stopped
working" is at least a cause-and-effect chain that makes some sense).
Reported-by: Ritesh Rekhi <ritesh.rekhi@nutanix.com> Reported-by: Hexin Wang <hexin.wang@nutanix.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2017-February/043564.html Tested-by: Hexin Wang <hexin.wang@nutanix.com>
Tested-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2017-February/043575.html Signed-off-by: Ben Pfaff <blp@ovn.org>
Guoshuai Li [Wed, 11 Jan 2017 12:11:33 +0000 (04:11 -0800)]
ovn: fix slave node can not connect to the master node using SSL, for pacemaker
The default slave node connect to the master node using TCP, and
the pacemaker can not modify the protocol and port of the
connection. Add pacemaker parameters to support the connection of
the slave node to the master node using a different protocol and port.
Signed-off-by: Guoshuai Li <ligs@dtdream.com> Acked-by: Andy Zhou <azhou@ovn.org>
Sha Zhang [Tue, 31 Jan 2017 23:07:15 +0000 (15:07 -0800)]
ofproto-dpif: Reduce the time to create many bridges.
This patch moves xlate_txn_start() and xlate_txn_commit() out of the loop
traversing all the ofproto-dpifs to reduce the time of creating a large mount
of bridges in separate database transactions. As a global variable, new_xcfg
should only be allocated at the beginning and commited at the end once time,
rather than doing it repeatedly in the loop body.
Signed-off-by: Sha Zhang <zhangsha.zhang@huawei.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Numan Siddique [Sun, 15 Jan 2017 07:06:09 +0000 (12:36 +0530)]
ovn-controller: Provide the option to set Encap.options:csum
ovn-controller by default enables tunnel encapsulation checksums
for geneve tunnels. With this patch user can set the desired value
in Open_vSwitch.external_ids:ovn_encap_csum.
This option will be useful in cases where enabling tunnel
encapsulation checksums incur significant performance loss due to
limitations in checksum offloading capabilities of the nics.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
The OVSDPDKBond case wasn't handled in the rhel ifdown script.
Fixes: f6bf8880613a ("rhel: Add support DPDK port creation via network scripts") Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com> Acked-by: Aaron Conole <aconole@redhat.com>
Numan Siddique [Fri, 27 Jan 2017 13:06:51 +0000 (18:36 +0530)]
rhel: Add missing unpackaged file 'ovs-fields.7.gz' in the %files list
Fixes: 96fee5e0a2a0 ("ovs-fields: New manpage to document Open vSwitch and OpenFlow fields") Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Alin Serdean [Mon, 30 Jan 2017 07:42:31 +0000 (07:42 +0000)]
windows: wmi add include
Add 'util.h' to includes otherwise the result of the function
'ovs_format_message' will be unknown and be converted to int,
triggering an abort of vswitchd.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Reported-at: https://github.com/openvswitch/ovs-issues/issues/123 Reported-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com> Acked-by: Sairam Venugopal <vsairam@vmware.com> Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Pravin B Shelar [Wed, 28 Dec 2016 19:41:25 +0000 (11:41 -0800)]
ovs-router: introduce pkt-mark.
OVS router is basically partial copy of linux kernel FIB.
kernel routing table uses skb-mark along with usual routing
parameters. Following patch brings in support for skb-mark
to ovs-router so that we can lookup route for given skb-mark.
Signed-off-by: Pravin B Shelar <pshelar@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
Pravin B Shelar [Tue, 17 Jan 2017 18:16:09 +0000 (10:16 -0800)]
tunnel: Add support to configure ptk_mark
Today packet mark action is broken for Tunnel ports with
tunnel monitoring. User can write a flow to set pkt-mark for
any tunnel traffic, but there is no way to set the packet
mark for corresponding BFD traffic.
Following patch introduces new option in OVSDB tunnel
configuration so that user can set skb-mark for given
tunnel endpoint. OVS would set the mark according to the
skb-mark option for all tunnel traffic including packets
generated by vSwitchd like tunnel monitoring BFD packet.
Signed-off-by: Pravin B Shelar <pshelar@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
Alin Serdean [Thu, 26 Jan 2017 18:32:56 +0000 (18:32 +0000)]
tests windows: change service test
Skip the test if the service 'ovsdb-server' is already defined.
The arguments of the service are incomplete: in the former state
it will try to create the pidfile and unixctl in the configuration path.
This patch adds those arguments.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com> Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Alin Serdean [Thu, 26 Jan 2017 23:45:16 +0000 (23:45 +0000)]
datapath-windows: Add function to get continuous buffer from context
This patch extracts the code that tries to get a continuous IPv4 header
buffer from the function 'OvsUpdateIPv4Header' and moves it to a new
function 'OvsGetHeaderBySize'.
The new function can be used later when trying to change the UDP/TCP/MPLS
etc., headers.
Sairam Venugopal [Fri, 27 Jan 2017 07:56:04 +0000 (23:56 -0800)]
Windows: Fix wmi.c to use count of wchar_t instead of sizeof
wcscat_s and wcscpy_s requires number of elements as argument. wchar_t
uses 2 bytes for storage and using sizeof(internal_port_query) causes
access violation error on Windows 2012 R2 (64 bit). This patch introduces
a #define WMI_QUERY_COUNT set to 2048 and uses that instead.
Mickey Spiegel [Fri, 27 Jan 2017 01:31:10 +0000 (17:31 -0800)]
ovn: rewrite redirect-chassis description in ovn-nb.xml
This optional patch addresses offline comments that the documentation
in ovn-nb.xml should not describe southbound constructs or flow
details, since it is user facing documentation.
Mickey Spiegel [Fri, 27 Jan 2017 01:31:08 +0000 (17:31 -0800)]
ovn: distributed NAT flows
This patch implements the flows required in the ingress and egress
pipeline stages in order to support NAT on a distributed logical router.
NAT functionality is associated with the logical router gateway port.
The flows that carry out NAT functionality all have match conditions on
inport or outport equal to the logical router gateway port. There are
additional flows that are used to redirect traffic when necessary,
using the tunnel key of a "chassisredirect" SB port binding in order to
redirect traffic to the instance of the logical router gateway port on
the centralized "redirect-chassis".
North/south traffic subject to one-to-one "dnat_and_snat" is handled
in a distributed manner, with south-to-north traffic going to the
local instance of the logical router gateway port. North/south
traffic subject to (possibly one-to-many) "snat" is handled in a
centralized manner, with south-to-north traffic going to the instance
of the logical router gateway port on the "redirect-chassis".
North-to-south traffic is directed to the corresponding chassis by
limiting ARP responses to the appropriate instance of the logical
router gateway port on one chassis. For centralized NAT rules, this
is the instance on the "redirect-chassis". For distributed NAT rules,
this is the chassis where the corresponding logical port resides, using
an ethernet address specified in the NB NAT rule to trigger upstream
MAC learning.
East/west NAT traffic is all handled in a centralized manner. While it
is certainly possible to handle some of this traffic in a distributed
manner, the centralized approach keeps the NAT flows simpler and
cleaner. The expectation is that east/west NAT traffic is not as
important to optimize as north/south NAT traffic, with most east/west
traffic not requiring NAT.
Automated tests are currently limited to only a single node. The
single node automated tests cover both north/south and east/west
traffic flows.
Mickey Spiegel [Fri, 27 Jan 2017 01:31:07 +0000 (17:31 -0800)]
ovn: avoid snat recirc only on gateway routers
Currently, for performance reasons on gateway routers, ct_snat
that does not specify an IP address does not immediately trigger
recirculation. On gateway routers, ct_snat that does not specify
an IP address happens in the UNSNAT pipeline stage, which is
followed by the DNAT pipeline stage that triggers recirculation
for all packets. This DNAT pipeline stage recirculation takes
care of the recirculation needs of UNSNAT as well as other cases
such as UNDNAT.
On distributed routers, UNDNAT is handled in the egress pipeline
stage, separately from DNAT in the ingress pipeline stages. The
DNAT pipeline stage only triggers recirculation for some packets.
Due to this difference in design, UNSNAT needs to trigger its own
recirculation.
This patch restricts the logic that avoids recirculation for
ct_snat, so that it only applies to datapaths representing
gateway routers.
Mickey Spiegel [Fri, 27 Jan 2017 01:31:06 +0000 (17:31 -0800)]
ovn: move load balancing flows after NAT flows
This will make it easy for distributed NAT to reuse some of the
existing code for NAT flows, while leaving load balancing and defrag
as functionality specific to gateway routers. There is no intent to
change any functionality in this patch.
Andy Zhou [Tue, 17 Jan 2017 23:56:58 +0000 (15:56 -0800)]
dp-packet: Enhance packet batch APIs.
One common use case of 'struct dp_packet_batch' is to process all
packets in the batch in order. Add an iterator for this use case
to simplify the logic of calling sites,
Another common use case is to drop packets in the batch, by reading
all packets, but writing back pointers of fewer packets. Add macros
to support this use case.
Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
Andy Zhou [Wed, 18 Jan 2017 10:30:26 +0000 (02:30 -0800)]
netdev-dummy: Add --len option for netdev-dummy/receive command
Currently, there is no way to specify the packet size when injecting
a packet via "netdev-dummy/receive" with a flow specification. Thus
far, packet size is not important for testing OVS features, but it
becomes useful in writing unit tests for the future patches.
Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
Aaron Conole [Thu, 26 Jan 2017 19:07:00 +0000 (14:07 -0500)]
libX.pc: use the correct output directory
When the ovsdb library pkgconfig changes were introduced, they placed
generated output in the src directory. This is incorrect, however, as
the output files should actually be placed in the build directory. It
is only seen when running `make distcheck` after enabling shared
libraries (ex: `./configure --enable-shared`).
Fixes: commit e72e07a97e95 ("lib: Add support for pkgconfig for libovsdb.") Signed-off-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Thu, 26 Jan 2017 04:29:48 +0000 (20:29 -0800)]
extract-ofp-fields: Define .TQ directive in nroff output.
This missing directive caused groff warnings and probably some erroneous
output too.
Fixes: 96fee5e0a2a0 ("ovs-fields: New manpage to document Open vSwitch and OpenFlow fields.") Reported-by: Daniele Di Proietto <diproiettod@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Daniele Di Proietto <diproiettod@ovn.org>
Ben Pfaff [Thu, 26 Jan 2017 04:28:06 +0000 (20:28 -0800)]
ovs-fields: Eliminate non-ASCII characters from groff input.
It's difficult to make groff portably accept non-ASCII characters. It's
easier to replace them by groff escapes for the same characters, which
this commit does.
Fixes: 96fee5e0a2a0 ("ovs-fields: New manpage to document Open vSwitch and OpenFlow fields.") Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
Numan Siddique [Wed, 25 Jan 2017 07:55:12 +0000 (13:25 +0530)]
ovn-northd: Add flows in DHCP_OPTIONS pipeline to support renew requests
ovn-northd adds the flows to send the DHCPv4 packets to ovn-controller
only with the match ip4.src = 0.0.0.0 and ip4.dst = 255.255.255.255.
When a DHCPv4 lease is about to expire, before sending a DHCPDISCOVER
packet, the client can send a DHCPREQUEST packet to renew its ip
with ip4.src set to its offered ip and ip4.dst set to the DHCP server
ip or broadcast ip.
This patch supports this missing scenario by adding the necessary
flows in DHCP_OPTIONS ingress pipeline.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Russell Bryant <russell@ovn.org>
Andy Zhou [Wed, 11 Jan 2017 02:13:47 +0000 (18:13 -0800)]
dpif-netdev: Add clone action
Add support for userspace datapath clone action. The clone action
provides an action envelope to enclose an action list.
For example, with actions A, B, C and D, and an action list:
A, clone(B, C), D
The clone action will ensure that:
- D will see the same packet, and any meta states, such as flow, as
action B.
- D will be executed regardless whether B, or C drops a packet. They
can only drop a clone.
- When B drops a packet, clone will skip all remaining actions
within the clone envelope. This feature is useful when we add
meter action later: The meter action can be implemented as a
simple action without its own envolop (unlike the sample action).
When necessary, the flow translation layer can enclose a meter action
in clone.
The clone action is very similar with the OpenFlow clone action.
This is by design to simplify vswitchd flow translation logic.
Without datapath clone, vswitchd simulate the effect by inserting
datapath actions to "undo" clone actions. The above flow will be
translated into A, B, C, -C, -B, D.
However, there are two issues:
- The resulting datapath action list may be longer without using
clone.
- Some actions, such as NAT may not be possible to reverse.
This patch implements clone() simply with packet copy. The performance
can be improved with later patches, for example, to delay or avoid
packet copy if possible. It seems datapath should have enough context
to carry out such optimization without the userspace context.
Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
Andy Zhou [Fri, 20 Jan 2017 06:13:19 +0000 (22:13 -0800)]
dpif-netdev: Avoid sending probe packets
When ofproto probe for datapath features, no packets should actually
be sent to the network. This pactch fixes the userspace by dropping
probe packets before action execution.
Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
Russell Bryant [Thu, 19 Jan 2017 19:11:48 +0000 (14:11 -0500)]
doc: Remove tutorials/ovn-basics.
The only thing worse than a lack of documentation is incorrect or
out-of-date documentation. Over time, this document has not kept up with
the pace of OVN and is no longer a good current resource.
For a sandbox based tutorial like this, I'd like to start over using
ovn-trace as the basis.
An even more important type of tutorial would be something along the lines
of: http://blog.spinhirne.com/p/blog-series.html
That blog series was fantastic and has been the primary tutorial reference
I have been sending people to since it was written.
Signed-off-by: Russell Bryant <russell@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Fri, 20 Jan 2017 16:56:19 +0000 (08:56 -0800)]
actions: Introduce enum ovnact_pipeline.
This isn't used yet by the actions code, but an upcoming commit will
introduce a user. This commit just adjusts ovn-trace to use this common
type instead of its own local type.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mickey Spiegel <mickeys.dev@gmail.com>
Ben Pfaff [Fri, 20 Jan 2017 21:44:27 +0000 (13:44 -0800)]
actions: Omit table number when possible for formatting "next" action.
Until now, formatting the "next" action has always required including
the table number, because the action struct didn't include enough context
so that the formatter could decide whether the table number was the next
table or some other table. This is more or less OK, but an upcoming commit
will add a "pipeline" field to the "next" action, which means that the same
policy there would require that the pipeline always be printed. That's a
little obnoxious because 99+% of the time, the pipeline to be printed is
the same pipeline that the flow is in and printing it would be distracting.
So it's better to store some context to help with formatting. This commit
begins adopting that policy for the existing table number field.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mickey Spiegel <mickeys.dev@gmail.com>
Ben Pfaff [Fri, 20 Jan 2017 06:29:17 +0000 (22:29 -0800)]
actions: Separate action structures for "next" and "ct_next".
These actions aren't very similar but until now they both had the same
action structure. These structures are going to diverge in an upcoming
commit, so separate them now.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mickey Spiegel <mickeys.dev@gmail.com>
Ben Pfaff [Thu, 19 Jan 2017 19:11:04 +0000 (11:11 -0800)]
actions: Make "free" functions per-struct, not per-action.
In some cases multiple kinds of OVN action share the same structure. In
all of these cases, a given kind of structure is freed one particular way
(it would be confusing if this were not the case), so there's no benefit
in having per-action free functions. Therefore, this commit switches to
a free function per structure type.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mickey Spiegel <mickeys.dev@gmail.com>
Ben Pfaff [Fri, 20 Jan 2017 04:39:26 +0000 (20:39 -0800)]
actions: Make "arp { drop; };" acceptable.
Before this commit, the OVN action parser would accept "arp {};" and then
the formatter would format it back as "arp { drop; };", but the parser
didn't accept the latter. There were basically two choices: make the
parser accept "arp { drop; };" or make the formatter output "arp {};"
(or both). This patch does (only) the former, and adds a test to avoid
regression.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mickey Spiegel <mickeys.dev@gmail.com>
Ben Pfaff [Fri, 20 Jan 2017 03:55:41 +0000 (19:55 -0800)]
lex: Make lexer_force_match() work for LEX_T_END.
Without this change, lexer_force_match(lex, LEX_T_END) mostly works, except
that in the failure case it emits an error that says "expecting `$'",
which is a surprising error message.
Arguably, lexer_force_end() could be removed entirely, but I don't see a
real problem with the existing arrangement.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mickey Spiegel <mickeys.dev@gmail.com>
Ben Pfaff [Thu, 19 Jan 2017 23:47:49 +0000 (15:47 -0800)]
actions: Fix "arp" and "nd_na" followed by another action.
OVN logical actions are supposed to be padded to a multiple of 8 bytes,
but the code for parsing "arp" and "nd_na" actions didn't do this properly.
The result was that it worked OK if one of these actions was the last one
in a sequence of logical actions, but failed badly if they were in the
middle. This commit fixes the problem, adds assertions to make it harder
for the problem to recur, and adds a test.
Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Mickey Spiegel <mickeys.dev@gmail.com>
Ben Pfaff [Fri, 20 Jan 2017 17:27:38 +0000 (09:27 -0800)]
tnl-neigh-cache: Force revalidation for a new neighbor entry.
When a new ARP or ND entry was added, the code failed to force
revalidation. This commit fixes the problem.
Reported-by: László Sürü <laszlo.suru@ericsson.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-January/327788.html Tested-by: László Sürü <laszlo.suru@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Mickey Spiegel [Mon, 9 Jan 2017 00:21:14 +0000 (16:21 -0800)]
ovn: Introduce distributed gateway port and "chassisredirect" port binding
Currently OVN distributed logical routers achieve reachability to
physical networks by passing through a "join" logical switch to a
centralized gateway router, which then connects to another logical
switch that has a localnet port connecting to the physical network.
This patch adds logical port and port binding abstractions that allow
an OVN distributed logical router to connect directly to a logical
switch that has a localnet port connecting to the physical network.
In this patch, this logical router port is called a "distributed
gateway port".
The primary design goal of distributed gateway ports is to allow as
much traffic as possible to be handled locally on the hypervisor
where a VM or container resides. Whenever possible, packets from
the VM or container to the outside world should be processed
completely on that VM's or container's hypervisor, eventually
traversing a localnet port instance on that hypervisor to the
physical network. Whenever possible, packets from the outside
world to a VM or container should be directed through the physical
network directly to the VM's or container's hypervisor, where the
packet will enter the integration bridge through a localnet port.
However, due to the implications of the use of L2 learning in the
physical network, as well as the need to support advanced features
such as one-to-many NAT (aka IP masquerading), where multiple
logical IP addresses spread across multiple chassis are mapped to
one external IP address, it will be necessary to handle some of the
logical router processing on a specific chassis in a centralized
manner. For this reason, the user must associate a chassis with
each distributed gateway port.
In order to allow for the distributed processing of some packets,
distributed gateway ports need to be logical patch ports that
effectively reside on every hypervisor, rather than "l3gateway"
ports that are bound to a particular chassis. However, the flows
associated with distributed gateway ports often need to be
associated with physical locations. This is implemented in this
patch (and subsequent patches) by adding "is_chassis_resident()"
match conditions to several logical router flows.
While most of the physical location dependent aspects of distributed
gateway ports can be handled by restricting some flows to specific
chassis, one additional mechanism is required. When a packet
leaves the ingress pipeline and the logical egress port is the
distributed gateway port, one of two different sets of actions is
required at table 32:
- If the packet can be handled locally on the sender's hypervisor
(e.g. one-to-one NAT traffic), then the packet should just be
resubmitted locally to table 33, in the normal manner for
distributed logical patch ports.
- However, if the packet needs to be handled on the chassis
associated with the distributed gateway port (e.g. one-to-many
SNAT traffic or non-NAT traffic), then table 32 must send the
packet on a tunnel port to that chassis.
In order to trigger the second set of actions, the
"chassisredirect" type of southbound port_binding is introduced.
Setting the logical egress port to the type "chassisredirect"
logical port is simply a way to indicate that although the packet
is destined for the distributed gateway port, it needs to be
redirected to a different chassis. At table 32, packets with this
logical egress port are sent to a specific chassis, in the same
way that table 32 directs packets whose logical egress port is a
VIF or a type "l3gateway" port to different chassis. Once the
packet arrives at that chassis, table 33 resets the logical egress
port to the value representing the distributed gateway port. For
each distributed gateway port, there is one type "chassisredirect"
port, in addition to the distributed logical patch port
representing the distributed gateway port.
A "chassisredirect" port represents a particular instance, bound
to a specific chassis, of an otherwise distributed port. A
"chassisredirect" port is associated with a chassis in the same
manner as a "l3gateway" port. However, unlike "l3gateway" ports,
"chassisredirect" ports have no associated IP or MAC addresses,
and "chassisredirect" ports should never be used as the "inport".
Any pipeline stages that depend on port specific IP or MAC addresses
should be carried out in the context of the distributed gateway
port's logical patch port.
Although the abstraction represented by the "chassisredirect" port
binding is generalized, in this patch the "chassisredirect" port binding
is only created for NB logical router ports that specify the new
"redirect-chassis" option. There is no explicit notion of a
"chassisredirect" port in the NB database. The expectation is when
capabilities are implemented that take advantage of "chassisredirect"
ports (e.g. distributed gateway ports), flows specifying a
"chassisredirect" port as the outport will be added as part of that
capability.
Signed-off-by: Mickey Spiegel <mickeys.dev@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Mickey Spiegel [Mon, 9 Jan 2017 00:21:13 +0000 (16:21 -0800)]
ovn: add is_chassis_resident match expression component
This patch introduces a new match expression component
is_chassis_resident(). Unlike match expression comparisons,
is_chassis_resident is not pushed down to OpenFlow. It is a
conditional that is evaluated in the controller during expr_simplify(),
when it is replaced by a boolean expression. The is_chassis_resident
conditional evaluates to "true" when the specified string identifies a
port name that is resident on this controller chassis, i.e., the
corresponding southbound database Port_Binding has a chassis column
that matches this chassis. Otherwise it evaluates to "false".
This allows higher level features to specify flows that are only
installed on some chassis rather than on all chassis with the
corresponding datapath.
Suggested-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Mickey Spiegel <mickeys.dev@gmail.com> Acked-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
Shu Shen [Wed, 18 Jan 2017 18:55:20 +0000 (10:55 -0800)]
lacp: add test step for link recovery
An additional step is added to test case "lacp - negotiation" to
ensure the bond port and its slave interfaces properly re-negotiate
after a link previously down comes back.
Signed-off-by: Shu Shen <shu.shen@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Utilities like ovs-vsctl have the ability to bootstrap
CA certificate. It looks useful for ovn-nbctl to have
the same ability too. One could connect over to OVN NB
database over SSL for transactions without having to
copy over the certificate being used by ovsdb-server
backing OVN NB.
Jarno Rajahalme [Wed, 18 Jan 2017 23:26:03 +0000 (15:26 -0800)]
ofproto-dpif: Use acquire/release barriers with 'tables_version'.
Use memory_order_release when updating the tables version number to
make sure no memory accesses before the atomic_store (possibly
relating to setting up the new version) are reordered to take place
after the atomic_store, which makes the new version available to other
threads.
Correspondingly, use memory_order_acquire when reading the
current tables_version to make sure no later memory accesses (possibly
relating to the current version) are reordered to take place before
the atomic_read to ensure that those memory accesses can not relate to
an older version than returned by the atomic_read.
Suggested-by: Daniele Di Proietto <ddiproietto@vmware.com> Fixes: 621b8064b7 ("ofproto: Infra for table versioning.") Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
ovn-ctl: Add bootstrap ovn-controller CA certificate option.
ovn-controller accepts the option --bootstrap-ca-cert. With this
commit, ovn-ctl will let user pass a value for that via
--ovn-controller-ssl-bootstrap-ca-cert option.
Bootstrapping is useful for ovn-controller as you don't have to
copy the controller's certificate (self-signed or otherwise) to every host.
This allows releases of Open vSwitch libraries to reflect which specific
versions they came with, and sets up a psuedo ABI-versioning scheme. In
this fashion, future releases of Open vSwitch could be installed
alongside older releases, allowing 3rd party utilities linked against
previous versions to continue to function.
dpif-netdev: Centralized threads and queues handling code.
Currently we have three different code paths that deal with pmd threads
and queues, in response to different input
1. When a port is added
2. When a port is deleted
3. When the cpumask changes or a port must be reconfigured.
1. and 2. are carefully written to minimize disruption to the running
datapath, while 3. brings down all the threads reconfigure all the ports
and restarts everything.
This commit removes the three separate code paths by introducing the
reconfigure_datapath() function, that takes care of adapting the pmd
threads and queues to the current datapath configuration, no matter how
we got there.
This aims at simplifying maintenance and introduces a long overdue
improvement: port reconfiguration (can happen quite frequently for
dpdkvhost ports) is now done without shutting down the whole datapath,
but just by temporarily removing the port that needs to be reconfigured
(while the rest of the datapath is running).
We now also recompute the rxq scheduling from scratch every time a port
is added of deleted. This means that the queues will be more balanced,
especially when dealing with explicit rxq-affinity from the user
(without shutting down the threads and restarting them), but it also
means that adding or deleting a port might cause existing queues to be
moved between pmd threads. This negative effect can be avoided by
taking into account the existing distribution when computing the new
scheduling, but I considered code clarity and fast reconfiguration more
important than optimizing port addition or removal (a port is added and
removed only once, but can be reconfigured many times)
Lastly, this commit moves the pmd threads state away from ovs-numa. Now
the pmd threads state is kept only in dpif-netdev.
projects / ovs.git / log