git.proxmox.com Git - ovs.git/log
6 years ago db-ctl-base: Fix build with gcc 7.3 with O3.
Darrell Ball [Mon, 16 Jul 2018 18:33:39 +0000 (11:33 -0700)]
db-ctl-base: Fix build with gcc 7.3 with O3.

Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago stream-ssl: Don't enable new TLS versions by default
Timothy Redaelli [Fri, 27 Jul 2018 14:29:40 +0000 (16:29 +0200)]
stream-ssl: Don't enable new TLS versions by default

Currently protocol_flags is populated by the list of SSL and TLS
protocols by hand. This means that when a new TLS version is added to
openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
ovsdb-server automatically enables support for it with the default ciphers.
This can be a security problem (since other ciphers can be enabled) and it
also makes a test (SSL db: implementation) fail.

This commit changes the 'protocol_flags' to use the list of all protocol
flags as provided by openssl library (SSL_OP_NO_SSL_MASK) so there is no
need to keep the list updated by hand.

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago utilities: don't use a bashism to check that datapath exists
Timothy Redaelli [Wed, 1 Aug 2018 15:48:21 +0000 (17:48 +0200)]
utilities: don't use a bashism to check that datapath exists

[[ ]] syntax is not supported, at least, by dash that Debian, Ubuntu and other
linux distributions may use instead of bash.

This commit uses, instead, a POSIX way that is compatible with any POSIX
shell (bash, dash, busybox sh, etc).

CC: Martin Xu <martinxu9.ovs@gmail.com>
Fixes: 9763d17fbd05 ("utilities: check datapath exists before conntrack flush")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
6 years ago pcap-file: Fix formatting of log message.
Ben Pfaff [Tue, 31 Jul 2018 20:34:59 +0000 (13:34 -0700)]
pcap-file: Fix formatting of log message.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
6 years ago meta-flow: Make mf_vl_mff_mf_from_nxm_header() require a valid field.
Ben Pfaff [Tue, 31 Jul 2018 21:51:54 +0000 (14:51 -0700)]
meta-flow: Make mf_vl_mff_mf_from_nxm_header() require a valid field.

All the users of mf_vl_mff_mf_from_nxm_header() expect it to always obtain
a valid field or to report an error.  In practice, it did not report an
error in the case where the field was unknown (although it did report an
error in some other cases).  This commit fixes the problem.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9652
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
6 years ago ovsdb-cluster: Add comment to test.
Ben Pfaff [Fri, 3 Aug 2018 23:39:44 +0000 (16:39 -0700)]
ovsdb-cluster: Add comment to test.

I thought I had added this while revising a previous patch but oops.

Fixes: 7ee9c6e03416 ("tests: Fix cluster torture test.")
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovsdb-tool: Only check leader completeness when we can, in "check-cluster".
Ben Pfaff [Wed, 25 Jul 2018 21:10:26 +0000 (14:10 -0700)]
ovsdb-tool: Only check leader completeness when we can, in "check-cluster".

Generally when we know the leader for a term, in "check-cluster", it's
because we read that leader's log file.  In that case, we have the leader's
log_end because it told us.  However, taking a snapshot can discard that
data.  In that case, log_end is 0 and we should not try to check for leader
completeness on that basis.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
6 years ago ovsdb-tool: Check for duplicate server IDs in "check-cluster".
Ben Pfaff [Wed, 25 Jul 2018 20:58:12 +0000 (13:58 -0700)]
ovsdb-tool: Check for duplicate server IDs in "check-cluster".

The user shouldn't provide a given server's log more than once but this
check makes sure.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
6 years ago ovsdb-tool: Read server headers first, before full logs, in "check-cluster".
Ben Pfaff [Wed, 25 Jul 2018 20:57:38 +0000 (13:57 -0700)]
ovsdb-tool: Read server headers first, before full logs, in "check-cluster".

Having the headers available before reading the complete logs means that
server IDs can be associated with the server file names earlier, which can
improve error messages in some cases.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
6 years ago ovsdb-tool: Fix logic for displaying server names in "check-cluster".
Ben Pfaff [Wed, 25 Jul 2018 20:44:49 +0000 (13:44 -0700)]
ovsdb-tool: Fix logic for displaying server names in "check-cluster".

Without this patch, server names are displayed as UUIDs even when we know
the file name; file names are easier for the user to read.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
6 years ago tests: Suppress "long poll interval" messages for ovsdb-cluster tests.
Ben Pfaff [Thu, 26 Jul 2018 16:35:28 +0000 (09:35 -0700)]
tests: Suppress "long poll interval" messages for ovsdb-cluster tests.

The cluster torture tests can provoke these messages, especially if run in
parallel or with valgrind, and they shouldn't cause a failure.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
6 years ago tests: Fix use of variable in cluster torture test.
Ben Pfaff [Wed, 25 Jul 2018 17:55:59 +0000 (10:55 -0700)]
tests: Fix use of variable in cluster torture test.

remove_server() is supposed to deal with its argument $i, not $victim.  In
this case they happen to have the same value so the difference is moot,
but it's still best to be clear.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
6 years ago tests: Fix cluster torture test.
Ben Pfaff [Wed, 25 Jul 2018 17:31:47 +0000 (10:31 -0700)]
tests: Fix cluster torture test.

A previous commit to improve timing also caused the cluster torture test to
be skipped (unless it failed early).  This is related to the shell "while"
loop's use of a variable $phase to indicate how far it got in the test
procedure.  A very fast machine, or one on which the races went just the
right way, might finish the test before all the torture properly starts, so
the code is designed to just skip the test if that happens.  However, a
commit to improve the accuracy ended up skipping it all the time.

Prior to the timing commit, the loop looked something like this:

    phase=0
    while :; do
        ...things that eventually increment $phase to 2...
    done
    AT_SKIP_IF([test $phase != 2])

This works fine.

The timing commit changed the "while :" to "(...something...) | while
read".  This looks innocuous but it actually causes everything inside the
"while" loop to run in a subshell.  Thus, the increments to $phase are not
visible after the loop ends, and the test always gets skipped.

This commit fixes the problem by storing the phase in a file instead of a
shell variable.

Fixes: 0f03ae3754ec ("ovsdb: Improve timing in cluster torture test.")
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
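
The subshell behaviour described in the commit message above, as an added example that is not part of the commit or of the OVS test suite. The function names and the `ticks` producer (a constructed stand-in for the "(...something...)" side of the pipe) are hypothetical.

```shell
#!/bin/sh
# Added illustration of the pipeline-subshell pitfall and the file-based fix.
# All names here are hypothetical; nothing is taken from the OVS test suite.

# Constructed stand-in for the producer on the left side of the pipe.
ticks() {
    printf 'tick\ntick\ntick\n'
}

# Original form: a plain "while :" loop runs in the current shell,
# so increments to $phase are still visible after "done".
phase_plain_loop() {
    phase=0
    while :; do
        if [ "$phase" -ge 2 ]; then
            break
        fi
        phase=$((phase + 1))
    done
    echo "$phase"
}

# Form after the timing commit: in sh, dash and default bash the loop on the
# right side of a pipe runs in a subshell, so the increments are made to a
# copy of $phase and are lost when the pipeline finishes.
phase_piped_variable() {
    phase=0
    ticks | while read -r _line; do
        if [ "$phase" -lt 2 ]; then
            phase=$((phase + 1))
        fi
    done
    echo "$phase"
}

# Fix in the style the commit describes: keep the phase in a file, which the
# subshell and the parent shell both see.
phase_piped_file() {
    phase_file=$(mktemp) || return 1
    echo 0 > "$phase_file"
    ticks | while read -r _line; do
        phase=$(cat "$phase_file")
        if [ "$phase" -lt 2 ]; then
            echo $((phase + 1)) > "$phase_file"
        fi
    done
    cat "$phase_file"
    rm -f "$phase_file"
}

echo "plain loop:      phase=$(phase_plain_loop)"
echo "piped, variable: phase=$(phase_piped_variable)"
echo "piped, file:     phase=$(phase_piped_file)"
```

A check such as `test $phase != 2` placed after the piped-variable form always sees the initial value, which is why the test was skipped every time.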
6 years ago nx-match: Fix memory leak in oxm_pull_field_array() error case.
Ben Pfaff [Thu, 26 Jul 2018 22:43:27 +0000 (15:43 -0700)]
nx-match: Fix memory leak in oxm_pull_field_array() error case.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9424
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
6 years ago rhel: bug fix kmod spec file, rhel6
Martin Xu [Wed, 1 Aug 2018 23:00:59 +0000 (16:00 -0700)]
rhel: bug fix kmod spec file, rhel6

This patch fixes a scenario not working for RHEL7.3 in commit 89dd5819cf18.
When multiple versions are passed into the kversion for the spec file, the
variable is used as is for the kernel module paths for command
weak-modules --add-modules. Then the modules cannot be found.

Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
multiple kernels, rhel6)

Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Ben Pfaff <blp@ovn.org>
CC: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
6 years ago rhel: support kmod build against multiple 7.2 kernels, rhel6
Martin Xu [Wed, 1 Aug 2018 23:00:58 +0000 (16:00 -0700)]
rhel: support kmod build against multiple 7.2 kernels, rhel6

This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
build against multiple kernels, rhel6) to support building kmod RPMs
with multiple minor revisions within 3.10.0-327 kernels. It was
discovered for RHEL 7.2 that 41.3 minor revision introduced backward
incompatible changes.

VMware-BZ: #2170334

Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Ben Pfaff <blp@ovn.org>
CC: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
6 years ago unixctl: Use absolute paths on Windows too.
Ben Pfaff [Tue, 24 Jul 2018 16:58:56 +0000 (09:58 -0700)]
unixctl: Use absolute paths on Windows too.

When this case was adapted for Windows, abs_file_name() simply didn't work
at all there.  Now, it should work OK, and it seems like the right thing
to do, and it makes the code more straightforward too.

Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago util: Fix abs_file_name() bugs on Windows.
Ben Pfaff [Tue, 24 Jul 2018 16:48:45 +0000 (09:48 -0700)]
util: Fix abs_file_name() bugs on Windows.

abs_file_name() believed that a file name that begins with / or contains :
is absolute and that any other file name is relative.  On Windows, this is
wrong in at least the following ways:

   * / and \ are interchangeable on Windows.

   * A name that begins with \\ or // is also absolute.

   * A name that begins with X: but not X:\ is not absolute.

   * A name with : in some position other than the second position is
     not absolute (although it might not be valid either?).

Furthermore, Windows has more than one current working directory (one per
volume letter), so trying to make a file name absolute by just prefixing
the current working directory for the current volume results in silliness.

This patch attempts to fix the problem.

This makes OVS link against shlwapi, which is needed to use
PathIsRelative().

Found by inspection.

Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn: Modify restart_controller in ovn-ctl to use --restart
Mark Michelson [Mon, 30 Jul 2018 13:47:45 +0000 (09:47 -0400)]
ovn: Modify restart_controller in ovn-ctl to use --restart

The --restart flag allows for uninterrupted packet flowage when exiting
ovn-controller. This patch modifies the restart_controller argument to
ovn-ctl to use --restart.

Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn: Add '--restart' flag to ovn-controller exit.
Mark Michelson [Mon, 30 Jul 2018 13:47:44 +0000 (09:47 -0400)]
ovn: Add '--restart' flag to ovn-controller exit.

When "--restart" is passed to ovn-controller's exit command, then
database entries are not removed for this hypervisor. This means that
* Encaps
* Chassis
* OVS ports
are not removed.

The reasoning is that if the intent is to restart ovn-controller, this
will allow for tunnels to remain up and allow for traffic not to be
interrupted during the restart. When ovn-controller is started again, it
picks back up from where it was.

Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago AUTHORS: Update email address for Jakub Sitnicki.
Jakub Sitnicki [Thu, 2 Aug 2018 08:33:06 +0000 (10:33 +0200)]
AUTHORS: Update email address for Jakub Sitnicki.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
6 years ago ovn: Allow for automatic dynamic updates of IPAM
Mark Michelson [Thu, 2 Aug 2018 12:52:56 +0000 (08:52 -0400)]
ovn: Allow for automatic dynamic updates of IPAM

OVN offers a method of IP address management that allows for an IPv4 subnet or
IPv6 prefix to be specified on a logical switch. Then by specifying a
switch port's address as "dynamic" or "<mac address> dynamic", OVN will
automatically assign addresses to the switch port.

While this works great for initial assignment of addresses, addresses do
not automatically adjust when changes are made to the switch's
configuration. For instance:
* If the subnet, ipv6_prefix, or exclude_ips for a logical switch
changes, the affected switch ports are not updated.
* If a switch port with a static IP address is added to the switch, and
that address conflicts with a dynamically assigned IP address, the
dynamic address is not updated.
* If a MAC address switched from being statically assigned to
dynamically assigned, the MAC address would not be updated.
* If a statically assigned MAC address changed, then the IPv6 address
would not be updated.

This patch solves all of the above issues by changing the algorithm for
IPAM assignment. There are essentially three steps.
1) While joining logical ports, all statically-assigned addresses (i.e.
any ports without "dynamic" addresses) have their addresses registered
to IPAM. This gives them top priority.
2) All logical ports with dynamic addresses are inspected. Any changes
that must be made to the addresses are collected to be made later. Any
addresses that do not require change are registered to IPAM. This allows
for previously assigned dynamic addresses to be kept.
3) All gathered changes are enacted.

The change contains new tests that ensure that dynamic addresses are
updated when appropriate.

This patch also alters some existing IPAM tests. Those tests assumed
that dynamic addresses would not be updated automatically, so those
tests either had to be altered or removed.

Signed-off-by: Mark Michelson <mmichels@redhat.com>
Acked-by: Jakub Sitnicki <jsitnicki@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn: Fix typos in "ovn -- Address Set generation..." test.
Ben Pfaff [Tue, 31 Jul 2018 19:45:41 +0000 (12:45 -0700)]
ovn: Fix typos in "ovn -- Address Set generation..." test.

These caused the test to fail.

CC: Jakub Sitnicki <jkbs@redhat.com>
Fixes: 984c7d5ea8fe ("ovn-northd: Propagate dynamic addresses to port group address sets.")
Signed-off-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago ofproto-dpif: Fix typo in registered command
Alin Gabriel Serdean [Mon, 23 Jul 2018 14:45:30 +0000 (17:45 +0300)]
ofproto-dpif: Fix typo in registered command

Also split line at 79 characters.

Found by inspection.

Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago Add opterr and optopt to Windows headers
Alin Gabriel Serdean [Tue, 31 Jul 2018 12:08:13 +0000 (15:08 +0300)]
Add opterr and optopt to Windows headers

Until now we only had optind defined in the header.

Since we are using the BSD getopt variant add opterr and optopt.

Fixes: 3ec06ea9c668 ("ovn-nbctl: Initial support for daemon mode.")
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago ovs-pki: generate x.509 v3 certificate
Qiuyu Xiao [Tue, 31 Jul 2018 21:08:52 +0000 (14:08 -0700)]
ovs-pki: generate x.509 v3 certificate

This patch modifies ovs-pki to generate x.509 version 3 certificate.
Compared with the x.509 v1 certificate generated by ovs-pki, version 3
certificate adds subjectAltName field and sets its value the same as
common name (CN). The main reason for this change is to enable
strongSwan IKE daemon to extract certificate identity string from the
subjectAltName field, which makes OVN IPsec implementation easier.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago lib/tc: Support matching on ip tunnel tos and ttl
Or Gerlitz [Tue, 31 Jul 2018 10:40:39 +0000 (13:40 +0300)]
lib/tc: Support matching on ip tunnel tos and ttl

Support matching on tos and ttl of ip tunnels
for the TC data-path.

Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago lib/tc: Support setting tos and ttl for TC IP tunnels
Or Gerlitz [Tue, 31 Jul 2018 10:40:38 +0000 (13:40 +0300)]
lib/tc: Support setting tos and ttl for TC IP tunnels

Allow to set the tos and ttl for TC tunnels.

Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago lib/tc: Support matching on ip tos
Or Gerlitz [Tue, 31 Jul 2018 10:40:37 +0000 (13:40 +0300)]
lib/tc: Support matching on ip tos

Add the missing code to match on ip tos when dealing
with the TC data-path.

Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago lib/tc: Handle ttl for ipv6 too
Or Gerlitz [Tue, 31 Jul 2018 10:40:36 +0000 (13:40 +0300)]
lib/tc: Handle ttl for ipv6 too

TTL can and should be used to match on IPv6's hop-limit, fix that.

Fixes: ab7ecf266b0a ('netdev-tc-offloads: Add nw_ttl matching using flower')
Fixes: 0b4b5203d12e ('tc: Add ip layer ttl matching')
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago AUTHORS: Add Qiuyu Xiao.
Ben Pfaff [Tue, 31 Jul 2018 22:19:54 +0000 (15:19 -0700)]
AUTHORS: Add Qiuyu Xiao.

Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago datapath: add transport ports in route lookup for stt
Qiuyu Xiao [Tue, 31 Jul 2018 21:08:48 +0000 (14:08 -0700)]
datapath: add transport ports in route lookup for stt

This patch adds transport ports information for route lookup so that
IPsec can select stt tunnel traffic to do encryption.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago datapath: add transport ports in route lookup for vxlan
Qiuyu Xiao [Tue, 31 Jul 2018 21:08:47 +0000 (14:08 -0700)]
datapath: add transport ports in route lookup for vxlan

This patch adds transport ports information for route lookup so that
IPsec can select vxlan tunnel traffic to do encryption.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago release-process.rst: Add "soft freeze" stage.
Ben Pfaff [Thu, 5 Jul 2018 21:31:00 +0000 (14:31 -0700)]
release-process.rst: Add "soft freeze" stage.

The last few OVS releases have included a "soft freeze" stage in the
release process, but this stage has never been formalized in the
documentation.  This adds a description.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Ian Stokes <ian.stokes@intel.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago utilities: check datapath exists before conntrack flush
Martin Xu [Tue, 31 Jul 2018 05:47:18 +0000 (22:47 -0700)]
utilities: check datapath exists before conntrack flush

As part of "force-reload-kmod," conntrack flush command is issued as
'action "ovs-appctl dpctl/flush-conntrack"'. In case no datapath exists
yet when issuing "force-reload-kmod," there is an error message
"ovs-vswitchd: no datapaths exist\ ovs-appctl: ovs-vswitchd: server
returned an error", which is harmless but potentially shows up as "FAILED."
Add an if condition to check whether datapath exists before running the
conntrack flush command.

VMware-BZ: #2170402
Fixes: 265d70310c69 ("utilities: Fix conntrack flush command")
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Aaron Conole <aconole@redhat.com>
CC: Justin Pettit <jpettit@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago selinux: more changes to support newer hugetlbfs restrictions
Timothy Redaelli [Tue, 31 Jul 2018 17:18:44 +0000 (19:18 +0200)]
selinux: more changes to support newer hugetlbfs restrictions

The new 'map' action is needed for 'hugetlbfs_t:file' too.

CC: Aaron Conole <aconole@redhat.com>
Fixes: d2675a146130 ("selinux: changes to support newer hugetlbfs restrictions")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
6 years ago ofp-actions: Split ofpacts_check__() into many functions.
Ben Pfaff [Fri, 15 Jun 2018 23:29:22 +0000 (16:29 -0700)]
ofp-actions: Split ofpacts_check__() into many functions.

ofpacts_check__() was a huge switch statement with special cases for many
different kinds of actions.  This made it unwieldy and put the special
cases far away from the rest of the code related to a given action.  This
commit refactors the code to avoid the problem.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: Yifeng Sun <pkusunyifeng@gmail.com>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
6 years ago erspan: set bso bit based on mirrored packet's len
Greg Rose [Wed, 18 Jul 2018 16:22:13 +0000 (09:22 -0700)]
erspan: set bso bit based on mirrored packet's len

Upstream commit:
    Before the patch, the erspan BSO bit (Bad/Short/Oversized) is not
    handled.  BSO has 4 possible values:
      00 --> Good frame with no error, or unknown integrity
      11 --> Payload is a Bad Frame with CRC or Alignment Error
      01 --> Payload is a Short Frame
      10 --> Payload is an Oversized Frame

    Based on the short/oversized definitions in RFC1757, the patch sets
    the bso bit based on the mirrored packet's size.

Reported-by: Xiaoyan Jin <xiaoyanj@vmware.com>
Signed-off-by: William Tu <u9012063@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: William Tu <u9012063@gmail.com>
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: William Tu <u9012063@gmail.com>
6 years ago Documentation: Add netstat to testing instructions
Greg Rose [Mon, 16 Jul 2018 16:54:01 +0000 (09:54 -0700)]
Documentation: Add netstat to testing instructions

Add netstat when mentioning testing.  Many check-kmod failures result
when it is not present.

Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
6 years ago compat: ip6_tunnel: improve error message.
William Tu [Fri, 27 Jul 2018 16:30:09 +0000 (09:30 -0700)]
compat: ip6_tunnel: improve error message.

When loading compact ip6 tunnel, if the system already loads upstream
kernel's ip6 tunnel, print error message before return.

Signed-off-by: William Tu <u9012063@gmail.com>
Cc: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Initialize arguments to avoid compilation warnings.
Ian Stokes [Wed, 25 Jul 2018 14:00:43 +0000 (15:00 +0100)]
ovn-nbctl: Initialize arguments to avoid compilation warnings.

Output arguments for parse_priority() and dhcp_options_get() may not be
initialized when either function returns an error.

This causes compilation warnings for GCC 6.3.x regarding
uninitialized variable use and null-pointer-arithmetic.

Fix this by initializing priority_p* value to 0 for priority_parse()
when an error occurs during parsing.

For dhcp_options_get() set *dhcp_opts_p = dhcp_opts regardless as
dhcp_opts will be equal to NULL when an error occurs within the function
anyhow.

Cc: Jakub Sitnicki <jkbs@redhat.com>
Fixes: 3844c85de979 ("ovn-nbctl: Don't die in dhcp_options_get().")
Fixes: bc8223df3b01 ("ovn-nbctl: Don't die in parse_priority().")
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Jakub Sitnicki <jkbs@redhat.com>
6 years ago Introduce ovs-appctl command to monitor HVs sb connection status
Lorenzo Bianconi [Tue, 31 Jul 2018 15:35:00 +0000 (17:35 +0200)]
Introduce ovs-appctl command to monitor HVs sb connection status

Add 'connection-status' command to ovs-appctl utility in order to check
if a given chassis is currently connected to SB db

Acked-by: Mark Michelson <mmichels@redhat.com>
Co-authored-by: aginwala <aginwala@ebay.com>
Signed-off-by: aginwala <aginwala@ebay.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Detect unrecognized short options in server mode.
Jakub Sitnicki [Wed, 25 Jul 2018 15:26:54 +0000 (17:26 +0200)]
ovn-nbctl: Detect unrecognized short options in server mode.

Because getopt() will set optopt for both known and unknown options,
we need to differentiate between them ourselves by checking if we
know the option. Do that by looking up its value.

Also, because we are using GNU extensions to getopt(), we need to be
resetting getopt() state by setting optind to 0 instead of 1 as
pointed out in NOTES in getopt(3) man-page. Not doing so results in
invalid reads and optopt being set to a garbage value.

Fixes: 3ec06ea9c668 ("ovn-nbctl: Initial support for daemon mode.")
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-northd: Propagate dynamic addresses to port group address sets.
Jakub Sitnicki [Mon, 30 Jul 2018 14:37:49 +0000 (16:37 +0200)]
ovn-northd: Propagate dynamic addresses to port group address sets.

If a logical switch port belongs to a port group and has dynamic
addresses assigned, propagate the addresses to the auto-generated
address sets for the port group.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Acked-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-northd: Make use of svec for storing lists of addresses.
Jakub Sitnicki [Mon, 30 Jul 2018 14:37:48 +0000 (16:37 +0200)]
ovn-northd: Make use of svec for storing lists of addresses.

Get rid of what is, essentially, an open-coded version of svec.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Acked-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Allow referring to port groups by name.
Jakub Sitnicki [Mon, 30 Jul 2018 14:37:47 +0000 (16:37 +0200)]
ovn-nbctl: Allow referring to port groups by name.

Be user-friendly and allow using port group's name as its identifier in
database commands.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Acked-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ofctrl: Placate GCC.
Ben Pfaff [Tue, 31 Jul 2018 16:46:55 +0000 (09:46 -0700)]
ofctrl: Placate GCC.

Some GCC versions don't like ".x.y =", complaining about an uninitialized
field.

Without this patch we get travis failures, e.g.
https://travis-ci.org/openvswitch/ovs/jobs/410404752:

    ovn/controller/ofctrl.c: In function ‘ofctrl_put’:
    ovn/controller/ofctrl.c:1086:9: error: missing initializer for field ‘flags’ of ‘struct ofputil_meter_config’ [-Werror=missing-field-initializers]
             };
             ^
    In file included from ovn/controller/ofctrl.c:35:0:
    ./include/openvswitch/ofp-meter.h:53:14: note: ‘flags’ declared here
         uint16_t flags;
                  ^

With it, it passes.

Fixes: 185b13f228ac ("ovn: Add Meter and Meter_Band tables to the NB and SB databases.")
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
6 years ago ovn: Clean up log() action parsing errors.
Justin Pettit [Tue, 31 Jul 2018 03:00:23 +0000 (20:00 -0700)]
ovn: Clean up log() action parsing errors.

This also adds some OVN action parsing tests.

Suggested-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
6 years ago ovn: Add rate-limiting for ACL logs.
Justin Pettit [Wed, 4 Jul 2018 05:05:40 +0000 (22:05 -0700)]
ovn: Add rate-limiting for ACL logs.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago ofproto: Add support for specifying a meter in controller actions.
Justin Pettit [Wed, 20 Jun 2018 01:28:46 +0000 (18:28 -0700)]
ofproto: Add support for specifying a meter in controller actions.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn: Support configuring meters through SB Meter table.
Justin Pettit [Thu, 26 Jul 2018 18:27:04 +0000 (11:27 -0700)]
ovn: Support configuring meters through SB Meter table.

Add the ability to configure meters through the newly introduced Meter
table in the Southbound database.  Previously, meters were configured by
providing strings to describe the meter in the extended meter table.
This patch changes the behavior so that the extended meter table's
strings are references to names in the Meter table.  The old behavior is
still supported if the extended meter table entry begins with "__string: "

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn: Add Meter and Meter_Band tables to the NB and SB databases.
Justin Pettit [Sun, 1 Jul 2018 23:22:57 +0000 (16:22 -0700)]
ovn: Add Meter and Meter_Band tables to the NB and SB databases.

Add support for configuring meters through the Meter and Meter_Band
tables in the Northbound database.  This commit also has ovn-northd
sync those tables between the Northbound and Southbound databases.

Add support for configuring meters with ovn-nbctl.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-controller: Add "group-table-list" ovs-appctl command.
Justin Pettit [Mon, 2 Jul 2018 06:33:48 +0000 (23:33 -0700)]
ovn-controller: Add "group-table-list" ovs-appctl command.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-controller: Add "meter-table-list" ovs-appctl command.
Justin Pettit [Mon, 2 Jul 2018 06:27:38 +0000 (23:27 -0700)]
ovn-controller: Add "meter-table-list" ovs-appctl command.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn: Use C strings instead of ds for extended tables.
Justin Pettit [Mon, 2 Jul 2018 22:28:07 +0000 (15:28 -0700)]
ovn: Use C strings instead of ds for extended tables.

Dynamic strings are not needed for the most part and are introducing
additional conversions back and forth with C strings.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago rhel: bug fix kmod-openvswitch spec file, rhel6
Martin Xu [Sun, 29 Jul 2018 07:02:57 +0000 (00:02 -0700)]
rhel: bug fix kmod-openvswitch spec file, rhel6

Previous patch removed the if condition for postun script by
mistake. The weak-update symlinks should be removed only for
uninstallation not upgrade.

VMware-BZ: #2169383
Fixes: 89dd5819cf18 ("rhel: support kmod-openvswitch build against multiple kernels, rhel6")
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Ben Pfaff <blp@ovn.org>
CC: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago debian: Add ovn-detrace to ovn-common package.
Han Zhou [Sun, 29 Jul 2018 23:26:55 +0000 (16:26 -0700)]
debian: Add ovn-detrace to ovn-common package.

Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: aginwala <aginwala@ebay.com>
6 years ago dpif-netlink: Add meter support.
Andy Zhou [Fri, 17 Nov 2017 10:15:47 +0000 (02:15 -0800)]
dpif-netlink: Add meter support.

To work with kernel datapath that supports meter.

Signed-off-by: Andy Zhou <azhou@ovn.org>
Co-authored-by: Justin Pettit <jpettit@ovn.org>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago dpif: Move common meter checks into the dpif layer.
Justin Pettit [Wed, 25 Jul 2018 04:07:04 +0000 (21:07 -0700)]
dpif: Move common meter checks into the dpif layer.

Another dpif provider will soon add support for meters, so move
some of the common sanity checks up into the dpif layer so that each
provider doesn't need to re-implement them.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago datapath: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
Stefano Brivio [Tue, 17 Jul 2018 00:56:01 +0000 (17:56 -0700)]
datapath: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found

Upstream commit:

    commit 72f17baf2352ded6a1d3f4bb2d15da8c678cd2cb
    Author: Stefano Brivio <sbrivio@redhat.com>
    Date:   Thu May 3 18:13:25 2018 +0200

    openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found

    If an OVS_ATTR_NESTED attribute type is found while walking
    through netlink attributes, we call nlattr_set() recursively
    passing the length table for the following nested attributes, if
    different from the current one.

    However, once we're done with those sub-nested attributes, we
    should continue walking through attributes using the current
    table, instead of using the one related to the sub-nested
    attributes.

    For example, given this sequence:

    1  OVS_KEY_ATTR_PRIORITY
    2  OVS_KEY_ATTR_TUNNEL
    3      OVS_TUNNEL_KEY_ATTR_ID
    4      OVS_TUNNEL_KEY_ATTR_IPV4_SRC
    5      OVS_TUNNEL_KEY_ATTR_IPV4_DST
    6      OVS_TUNNEL_KEY_ATTR_TTL
    7      OVS_TUNNEL_KEY_ATTR_TP_SRC
    8      OVS_TUNNEL_KEY_ATTR_TP_DST
    9  OVS_KEY_ATTR_IN_PORT
    10 OVS_KEY_ATTR_SKB_MARK
    11 OVS_KEY_ATTR_MPLS

    we switch to the 'ovs_tunnel_key_lens' table on attribute #3,
    and we don't switch back to 'ovs_key_lens' while setting
    attributes #9 to #11 in the sequence. As OVS_KEY_ATTR_MPLS
    evaluates to 21, and the array size of 'ovs_tunnel_key_lens' is
    15, we also get this kind of KASan splat while accessing the
    wrong table:

    [ 7654.586496] ==================================================================
    [ 7654.594573] BUG: KASAN: global-out-of-bounds in nlattr_set+0x164/0xde9 [openvswitch]
    [ 7654.603214] Read of size 4 at addr ffffffffc169ecf0 by task handler29/87430
    [ 7654.610983]
    [ 7654.612644] CPU: 21 PID: 87430 Comm: handler29 Kdump: loaded Not tainted 3.10.0-866.el7.test.x86_64 #1
    [ 7654.623030] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.1.7 06/16/2016
    [ 7654.631379] Call Trace:
    [ 7654.634108]  [<ffffffffb65a7c50>] dump_stack+0x19/0x1b
    [ 7654.639843]  [<ffffffffb53ff373>] print_address_description+0x33/0x290
    [ 7654.647129]  [<ffffffffc169b37b>] ? nlattr_set+0x164/0xde9 [openvswitch]
    [ 7654.654607]  [<ffffffffb53ff812>] kasan_report.part.3+0x242/0x330
    [ 7654.661406]  [<ffffffffb53ff9b4>] __asan_report_load4_noabort+0x34/0x40
    [ 7654.668789]  [<ffffffffc169b37b>] nlattr_set+0x164/0xde9 [openvswitch]
    [ 7654.676076]  [<ffffffffc167ef68>] ovs_nla_get_match+0x10c8/0x1900 [openvswitch]
    [ 7654.684234]  [<ffffffffb61e9cc8>] ? genl_rcv+0x28/0x40
    [ 7654.689968]  [<ffffffffb61e7733>] ? netlink_unicast+0x3f3/0x590
    [ 7654.696574]  [<ffffffffc167dea0>] ? ovs_nla_put_tunnel_info+0xb0/0xb0 [openvswitch]
    [ 7654.705122]  [<ffffffffb4f41b50>] ? unwind_get_return_address+0xb0/0xb0
    [ 7654.712503]  [<ffffffffb65d9355>] ? system_call_fastpath+0x1c/0x21
    [ 7654.719401]  [<ffffffffb4f41d79>] ? update_stack_state+0x229/0x370
    [ 7654.726298]  [<ffffffffb4f41d79>] ? update_stack_state+0x229/0x370
    [ 7654.733195]  [<ffffffffb53fe4b5>] ? kasan_unpoison_shadow+0x35/0x50
    [ 7654.740187]  [<ffffffffb53fe62a>] ? kasan_kmalloc+0xaa/0xe0
    [ 7654.746406]  [<ffffffffb53fec32>] ? kasan_slab_alloc+0x12/0x20
    [ 7654.752914]  [<ffffffffb53fe711>] ? memset+0x31/0x40
    [ 7654.758456]  [<ffffffffc165bf92>] ovs_flow_cmd_new+0x2b2/0xf00 [openvswitch]

    [snip]

    [ 7655.132484] The buggy address belongs to the variable:
    [ 7655.138226]  ovs_tunnel_key_lens+0xf0/0xffffffffffffd400 [openvswitch]
    [ 7655.145507]
    [ 7655.147166] Memory state around the buggy address:
    [ 7655.152514]  ffffffffc169eb80: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
    [ 7655.160585]  ffffffffc169ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 7655.168644] >ffffffffc169ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
    [ 7655.176701]                                                              ^
    [ 7655.184372]  ffffffffc169ed00: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 05
    [ 7655.192431]  ffffffffc169ed80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
    [ 7655.200490] ==================================================================

Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Fixes: 982b52700482 ("openvswitch: Fix mask generation for nested attributes.")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
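
The table handling described in the nlattr_set() commit above, as a simplified user-space model added here (it is not the kernel or OVS code). The struct and function names, the outer table size of 32 and every type number except 21 for MPLS are constructed; the tunnel table size of 15 is the one quoted in the commit message, and the model counts a bad lookup instead of performing it.

```c
#include <stddef.h>
#include <stdio.h>

#define NESTED   (-1)  /* length marker: the payload is a list of attributes */
#define KEY_SIZE 32    /* constructed size of the outer (flow key) table */
#define TUN_SIZE 15    /* tunnel table size quoted in the commit message */

/* Constructed type numbers; only MPLS = 21 comes from the commit message. */
enum { A_PRIORITY = 2, A_IN_PORT = 3, A_SKB_MARK = 4, A_TUNNEL = 16, A_MPLS = 21 };
enum { T_ID = 0, T_IPV4_SRC = 1, T_IPV4_DST = 2, T_TTL = 4, T_TP_SRC = 9, T_TP_DST = 10 };

struct len_tbl {
    int len;                     /* expected payload length, or NESTED */
    const struct len_tbl *next;  /* table for nested attributes; NULL = keep current */
    size_t next_size;            /* entries in 'next' (bookkeeping for the model) */
};

struct attr {
    int type;
    const struct attr *kids;     /* nested attributes, NULL for a leaf */
    size_t n_kids;
};

struct walk_stats {
    int lookups;      /* table lookups attempted */
    int wrong_table;  /* lookups made in a table other than this level's own */
    int oob;          /* lookups whose index is past the end of the table used */
};

static const struct len_tbl tun_tbl[TUN_SIZE] = { [T_ID] = { 8, NULL, 0 } };
static const struct len_tbl key_tbl[KEY_SIZE] = {
    [A_TUNNEL] = { NESTED, tun_tbl, TUN_SIZE },
};

/* Walk one level of attributes. 'buggy' selects the pre-fix behaviour. */
static void walk(const struct attr *a, size_t n, const struct len_tbl *tbl,
                 size_t size, int buggy, struct walk_stats *st)
{
    const struct len_tbl *level_tbl = tbl;  /* table that belongs to this level */

    for (size_t i = 0; i < n; i++) {
        st->lookups++;
        if (tbl != level_tbl)
            st->wrong_table++;
        if (a[i].type < 0 || (size_t)a[i].type >= size) {
            st->oob++;  /* model of the out-of-bounds read KASAN reported */
            continue;
        }
        const struct len_tbl *e = &tbl[a[i].type];
        if (e->len == NESTED) {
            const struct len_tbl *sub = e->next ? e->next : tbl;
            size_t sub_size = e->next ? e->next_size : size;

            if (buggy) {  /* pre-fix: the nested table replaces the current one */
                tbl = sub;
                size = sub_size;
            }
            /* fixed: only the recursive call sees the nested table */
            walk(a[i].kids, a[i].n_kids, sub, sub_size, buggy, st);
        }
        /* leaf: this is where the payload would be filled in */
    }
}

/* Run the 11-attribute sequence from the commit message through the walker. */
struct walk_stats run_model(int buggy)
{
    static const struct attr tunnel_kids[] = {
        { T_ID, NULL, 0 },  { T_IPV4_SRC, NULL, 0 }, { T_IPV4_DST, NULL, 0 },
        { T_TTL, NULL, 0 }, { T_TP_SRC, NULL, 0 },   { T_TP_DST, NULL, 0 },
    };
    static const struct attr seq[] = {
        { A_PRIORITY, NULL, 0 },
        { A_TUNNEL, tunnel_kids, sizeof tunnel_kids / sizeof tunnel_kids[0] },
        { A_IN_PORT, NULL, 0 }, { A_SKB_MARK, NULL, 0 }, { A_MPLS, NULL, 0 },
    };
    struct walk_stats st = { 0, 0, 0 };

    walk(seq, sizeof seq / sizeof seq[0], key_tbl, KEY_SIZE, buggy, &st);
    return st;
}

int main(void)
{
    struct walk_stats b = run_model(1), f = run_model(0);

    printf("pre-fix: lookups=%d wrong_table=%d oob=%d\n", b.lookups, b.wrong_table, b.oob);
    printf("fixed:   lookups=%d wrong_table=%d oob=%d\n", f.lookups, f.wrong_table, f.oob);
    return 0;
}
```

In the pre-fix run, attributes #9 to #11 are looked up in the tunnel table and the MPLS index falls past its end; with the fix every lookup stays in its own level's table.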
6 years ago datapath: NAT support for shifted portmap ranges
Yi-Hung Wei [Tue, 17 Jul 2018 00:56:00 +0000 (17:56 -0700)]
datapath: NAT support for shifted portmap ranges

This patch backports the following upstream commit from net-next, and
defines HAVE_NF_NAT_RANGE2 to determine whether to use
'struct nf_nat_range2'.

Upstream commit:
    commit 2eb0f624b709e78ec8e2f4c3412947703db99301
    Author: Thierry Du Tre <thierry@dtsystems.be>
    Date:   Wed Apr 4 15:38:22 2018 +0200

    netfilter: add NAT support for shifted portmap ranges

    This is a patch proposal to support shifted ranges in portmaps.  (i.e. tcp/udp
    incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100)

    Currently DNAT only works for single port or identical port ranges.  (i.e.
    ports 5000-5100 on WAN interface redirected to a LAN host while original
    destination port is not altered) When different port ranges are configured,
    either 'random' mode should be used, or else all incoming connections are
    mapped onto the first port in the redirect range. (in described example
    WAN:5000-5100 will all be mapped to 192.168.1.5:2000)

    This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET
    which uses a base port value to calculate an offset with the destination port
    present in the incoming stream. That offset is then applied as index within the
    redirect port range (index modulo rangewidth to handle range overflow).

    In described example the base port would be 5000. An incoming stream with
    destination port 5004 would result in an offset value 4 which means that the
    NAT'ed stream will be using destination port 2004.

    Other possibilities include deterministic mapping of larger or multiple ranges
    to a smaller range : WAN:5000-5999 -> LAN:5000-5099 (maps WAN port 5*xx to port
    51xx)

    This patch does not change any current behavior. It just adds new NAT proto
    range functionality which must be selected via the specific flag when intended
    to use.

    A patch for iptables (libipt_DNAT.c + libip6t_DNAT.c) will also be proposed
    which makes this functionality immediately available.

Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
6 years ago datapath: Introduce net_rwsem and remove rtnl_lock()
Yi-Hung Wei [Tue, 17 Jul 2018 00:55:59 +0000 (17:55 -0700)]
datapath: Introduce net_rwsem and remove rtnl_lock()

This patch backports the following two upstream commits and
adds a new symbol HAVE_NET_RWSEM in acinclude.m4 to determine
whether to use the newly introduced rw_semaphore, net_rwsem.

Upstream commit:
    commit f0b07bb151b098d291fd1fd71ef7a2df56fb124a
    Author: Kirill Tkhai <ktkhai@virtuozzo.com>
    Date:   Thu Mar 29 19:20:32 2018 +0300

    net: Introduce net_rwsem to protect net_namespace_list

    rtnl_lock() is used everywhere, and contention is very high.
    When someone wants to iterate over alive net namespaces,
    he/she has no possibility to do that without exclusive lock.
    But the exclusive rtnl_lock() in such places is overkill,
    and it just increases the contention. Yes, there is already
    for_each_net_rcu() in kernel, but it requires rcu_read_lock(),
    and this can't be sleepable. Also, sometimes it may be needed to
    really prevent net_namespace_list growth, so for_each_net_rcu()
    does not fit there.

    This patch introduces new rw_semaphore, which will be used
    instead of rtnl_mutex to protect net_namespace_list. It is
    sleepable and allows not-exclusive iterations over net
    namespaces list. It allows to stop using rtnl_lock()
    in several places (what is made in next patches) and makes
    less the time, we keep rtnl_mutex. Here we just add new lock,
    while the explanation of we can remove rtnl_lock() there are
    in next patches.

    Fine grained locks generally are better than one big lock,
    so let's do that with net_namespace_list, while the situation
    allows that.

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream commit:
    commit ec9c780925c57588637e1dbd8650d294107311c0
    Author: Kirill Tkhai <ktkhai@virtuozzo.com>
    Date:   Thu Mar 29 19:21:09 2018 +0300

    ovs: Remove rtnl_lock() from ovs_exit_net()

    Here we iterate for_each_net() and remove
    vport from alive net to the exiting net.

    ovs_net::dps are protected by ovs_mutex(),
    and the others, who change it (ovs_dp_cmd_new(),
    __dp_destroy()) also take it.
    The same with datapath::ports list.

    So, we remove rtnl_lock() here.

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
6 years ago datapath: meter: fix the incorrect calculation of max delta_t
zhangliping [Tue, 17 Jul 2018 00:55:58 +0000 (17:55 -0700)]
datapath: meter: fix the incorrect calculation of max delta_t

Upstream commit:
    commit ddc502dfed600bff0b61d899f70d95b76223fdfc
    Author: zhangliping <zhangliping02@baidu.com>
    Date:   Fri Mar 9 10:08:50 2018 +0800

    openvswitch: meter: fix the incorrect calculation of max delta_t

    Max delta_t should be the full_bucket/rate instead of the full_bucket.
    Also report EINVAL if the rate is zero.

Fixes: 96fbc13d7e77 ("openvswitch: Add meter infrastructure")
Cc: Andy Zhou <azhou@ovn.org>
Signed-off-by: zhangliping <zhangliping02@baidu.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
6 years ago selinux: changes to support newer hugetlbfs restrictions
Aaron Conole [Wed, 18 Jul 2018 14:53:03 +0000 (10:53 -0400)]
selinux: changes to support newer hugetlbfs restrictions

Newer selinux base policies now split out 'map' actions, as well as
adding more explicit checks for hugetlbfs objects.  Where previously these
weren't required, recent changes have flagged the allocation of hugepages
and subsequent clearing.  This means that the hugepage storage information
for the DPDK .rte_config, and clearing actions copying from /dev/zero will
trigger selinux denials.

This commit allows openvswitch to have more permissions for the hugetlbfs
allocation and use.

Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>
6 years ago compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded
Greg Rose [Fri, 27 Jul 2018 18:20:08 +0000 (11:20 -0700)]
compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded

When for some reason the built-in kernel ip6_gre module is loaded that
would prevent the openvswitch kernel driver from loading.  Even when
the built-in kernel ip6_gre module is loaded we can still perform
port mirroring via Tx.  Adjust the error handling and detect when
the ip6_gre kernel module is loaded and in that case still enable
IPv6 GRE/ERSPAN Tx.

Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: William Tu <u9012063@gmail.com>
6 years ago compat: Initialize IPv4 reassembly secret timer
Greg Rose [Fri, 20 Jul 2018 01:48:31 +0000 (18:48 -0700)]
compat: Initialize IPv4 reassembly secret timer

The RHEL 7 kernels expect the secret timer interval to be initialized
before calling the inet_frags_init() function.  By not initializing it
the inet_frags_secret_rebuild() function was running on every tick
rather than on the expected interval.  This caused occasional panics
from page faults when inet_frags_secret_rebuild() would try to rearm a
timer from the openvswitch kernel module which had just been removed.

Also remove the prior, and now unnecessary, work around.

VMware BZ 2094203

Fixes: 595e069a ("compat: Backport IPv4 reassembly.")
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
6 years ago Revert "dpctl: Expand the flow dump type filter"
Justin Pettit [Wed, 25 Jul 2018 20:52:42 +0000 (13:52 -0700)]
Revert "dpctl: Expand the flow dump type filter"

Commit ab15e70eb587 ("dpctl: Expand the flow dump type filter") had a
number of issues with style, build breakage, and failing unit tests.
The patch is being reverted so that they can be addressed.

This reverts commit ab15e70eb5878b46f8f84da940ffc915b6d74cad.

CC: Gavi Teitz <gavi@mellanox.com>
CC: Simon Horman <simon.horman@netronome.com>
CC: Roi Dayan <roid@mellanox.com>
CC: Aaron Conole <aconole@redhat.com>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago Revert "dpif-netdev: Use compatible function type to fix broken build."
Justin Pettit [Wed, 25 Jul 2018 20:51:09 +0000 (13:51 -0700)]
Revert "dpif-netdev: Use compatible function type to fix broken build."

Commit ab15e70eb587 ("dpctl: Expand the flow dump type filter") will be
reverted, which this patch fixed, so it needs to be reverted as well.

This reverts commit b10ac772218afd4f296db866f6b80258e1d1ca8a.

CC: Gavi Teitz <gavi@mellanox.com>
CC: Simon Horman <simon.horman@netronome.com>
CC: Roi Dayan <roid@mellanox.com>
CC: Aaron Conole <aconole@redhat.com>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago faq: Add explanation of Signed-off-by.
Ben Pfaff [Tue, 24 Jul 2018 23:46:56 +0000 (16:46 -0700)]
faq: Add explanation of Signed-off-by.

Suitable for cutting and pasting into explanatory emails.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
6 years ago tc: Fix sparse warnings.
Ben Pfaff [Wed, 25 Jul 2018 18:06:50 +0000 (11:06 -0700)]
tc: Fix sparse warnings.

Fixes the following warnings:

    ../lib/tc.c:817:37: error: incorrect type in assignment (different base types)
    ../lib/tc.c:817:37:    expected restricted ovs_be16 [usertype] vlan_push_tpid
    ../lib/tc.c:817:37:    got unsigned short
    ../lib/tc.c:1522:54: error: incorrect type in argument 2 (different base types)
    ../lib/tc.c:1522:54:    expected unsigned short [unsigned] [usertype] tpid
    ../lib/tc.c:1522:54:    got restricted ovs_be16 [usertype] vlan_push_tpid

CC: Jianbo Liu <jianbol@mellanox.com>
CC: Simon Horman <simon.horman@netronome.com>
Fixes: 61e8655cfc7a ("tc: Add VLAN tpid for push action")
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
6 years ago dpif-netdev: Use compatible function type to fix broken build.
Aaron Conole [Wed, 25 Jul 2018 18:22:31 +0000 (14:22 -0400)]
dpif-netdev: Use compatible function type to fix broken build.

The dpif_provder flow_dump_create function signature was changed, but
the netdev dpif was not updated along with it.  This generated a build
error with the following warnings:

libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I ./include -I ./include -I ./lib -I ./lib -Wstrict-prototypes -Wall -Wextra -Wno-sign-compare -Wpointer-arith -Wformat -Wformat-security -Wswitch-enum -Wunused-parameter -Wbad-function-cast -Wcast-align -Wstrict-prototypes -Wold-style-definition -Wmissing-prototypes -Wmissing-field-initializers -fno-strict-aliasing -Wshadow -Wno-null-pointer-arithmetic -Werror -Werror -g -O2 -MT lib/dpif-netdev.lo -MD -MP -MF lib/.deps/dpif-netdev.Tpo -c lib/dpif-netdev.c -o lib/dpif-netdev.o
lib/dpif-netdev.c:6812:5: error: initialization from incompatible pointer type [-Werror]
     dpif_netdev_flow_dump_create,
     ^
lib/dpif-netdev.c:6812:5: error: (near initialization for 'dpif_netdev_class.flow_dump_create') [-Werror]

Fixes: ab15e70eb587 ("dpctl: Expand the flow dump type filter")
Cc: Gavi Teitz <gavi@mellanox.com>
Cc: Roi Dayan <roid@mellanox.com>
Cc: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago netlink-conntrack: undef the correct macro
Aaron Conole [Mon, 23 Jul 2018 20:40:49 +0000 (16:40 -0400)]
netlink-conntrack: undef the correct macro

Fixes: 6830a0c0e6bf ("netlink-conntrack: New module.")
Cc: Daniele Di Proietto <daniele.di.proietto@gmail.com>
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago dpctl: Expand the flow dump type filter
Gavi Teitz [Sun, 8 Jul 2018 11:15:38 +0000 (14:15 +0300)]
dpctl: Expand the flow dump type filter

Added new types to the flow dump filter, and allowed multiple filter
types to be passed at once, as a comma separated list. The new types
added are:
 * tc - specifies flows handled by the tc dp
 * non-offloaded - specifies flows not offloaded to the HW
 * all - specifies flows of all types

The type list is now fully parsed by the dpctl, and a new struct was
added to dpif which enables dpctl to define which types of dumps to
provide, rather than passing the type string and having dpif parse it.

Signed-off-by: Gavi Teitz <gavi@mellanox.com>
Acked-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago Add support to offload QinQ double VLAN headers match
Jianbo Liu [Tue, 17 Jul 2018 02:01:57 +0000 (02:01 +0000)]
Add support to offload QinQ double VLAN headers match

Currently the inner VLAN header is ignored when using the TC data-path.
As TC flower supports QinQ, now we can offload the rules to match on both
outer and inner VLAN headers.

Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago flow: Refactor some of VLAN helper functions
Jianbo Liu [Tue, 17 Jul 2018 02:01:56 +0000 (02:01 +0000)]
flow: Refactor some of VLAN helper functions

By default, these functions are to change the first vlan vid and pcp
in the flow. Add a parameter as index for vlans if we want to handle
the second ones.

Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago netdev-tc-offloads: Add support to match on 802.1AD ethertype
Jianbo Liu [Tue, 17 Jul 2018 02:01:55 +0000 (02:01 +0000)]
netdev-tc-offloads: Add support to match on 802.1AD ethertype

Currently, we assume VLAN ethertype is 0x8100, but it could
be 0x88a8 if QinQ is supported.

Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago tc: Add VLAN tpid for push action
Jianbo Liu [Tue, 17 Jul 2018 02:01:54 +0000 (02:01 +0000)]
tc: Add VLAN tpid for push action

Currently we only support 802.1q, so we can offload push action without
specifying any vlan type. Kernel will push 802.1q ethertype by default.

But to support QinQ, we need to tell what ethertype is in push action as
it could be 802.1ad.

Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
6 years ago Prepare for post-2.10.0 (2.10.90).
Justin Pettit [Tue, 24 Jul 2018 22:29:56 +0000 (15:29 -0700)]
Prepare for post-2.10.0 (2.10.90).

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago Prepare for 2.10.0.
Justin Pettit [Tue, 24 Jul 2018 22:28:08 +0000 (15:28 -0700)]
Prepare for 2.10.0.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
6 years ago Permit to build OVS with only Python3 installed
Timothy Redaelli [Fri, 22 Jun 2018 18:04:10 +0000 (20:04 +0200)]
Permit to build OVS with only Python3 installed

This commit renames HAVE_PYTHON to HAVE_PYTHON2 and PYTHON to PYTHON2
and adds HAVE_PYTHON and PYTHON with a different semantics:
- If PYTHON environment variable is set, use it as PYTHON
- If a python2 interpreter is available, PYTHON becomes the python2 interpreter
- If a python3 interpreter is available, PYTHON becomes the python3 interpreter

PYTHON is only used to run the python scripts needed by the build system

NOTE:
Since currently most of the utilities and bugtool don't support Python3,
they're installed only if python2 is available. This will be fixed in later
commits.

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovs-tcpdump: Fix incompatibilities with python3
Timothy Redaelli [Tue, 24 Jul 2018 16:35:13 +0000 (18:35 +0200)]
ovs-tcpdump: Fix incompatibilities with python3

Opening a file with 'rw' in Python3 returns an error, moreover using 'rw' in
Python2 is wrong too since it opens the file using O_RDONLY and not by using
O_RDWR.

This commit fixes it by using the low-level os.open function with O_RDWR
as suggested by the Linux kernel (tuntap.txt) documentation.

This commit fixes also some usual bytes vs string incompatibilities.

Tested on Python 2.7.15 and Python 3.6.5

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovs-tcpundump: Fix incompatibilities with python3
Timothy Redaelli [Tue, 24 Jul 2018 16:35:22 +0000 (18:35 +0200)]
ovs-tcpundump: Fix incompatibilities with python3

Added parentheses after print and use "as" instead of "," in except.

This commit fixes also a couple of flake8 warnings:

    utilities/ovs-tcpundump:23:1: E302 expected 2 blank lines, found 1
    utilities/ovs-tcpundump:35:1: E305 expected 2 blank lines after class or
    function definition, found 1

Tested on Python 2.7.15 and Python 3.6.5

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago sparse: Add support for DPDK.
Ben Pfaff [Thu, 12 Jul 2018 21:55:44 +0000 (14:55 -0700)]
sparse: Add support for DPDK.

This allows netdev-dpdk.c to compile cleanly with sparse.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
6 years ago netdev-dpdk: Use ETH_ADDR_BYTES_ARGS instead of open-coding it.
Ben Pfaff [Thu, 12 Jul 2018 21:55:43 +0000 (14:55 -0700)]
netdev-dpdk: Use ETH_ADDR_BYTES_ARGS instead of open-coding it.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
6 years ago netdev-dpdk: Fix sparse complaints.
Ben Pfaff [Thu, 12 Jul 2018 21:55:42 +0000 (14:55 -0700)]
netdev-dpdk: Fix sparse complaints.

Neither of these is a real problem.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
6 years ago netdev-dpdk: Fix incorrect byte order conversion in log message.
Ben Pfaff [Thu, 12 Jul 2018 21:55:41 +0000 (14:55 -0700)]
netdev-dpdk: Fix incorrect byte order conversion in log message.

uint8_t values shouldn't be passed to ntohs().

Found by sparse.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
6 years ago Docs: Improve OVS DPDK version mapping notice.
Ian Stokes [Thu, 12 Jul 2018 18:48:42 +0000 (19:48 +0100)]
Docs: Improve OVS DPDK version mapping notice.

A common issue is users pairing the incorrect version of OVS to DPDK
when working outside of the build tree.

To avoid this, this commit updates the OVS DPDK documentation to explicitly
flag that users should consult the OVS to DPDK release mapping in FAQ if
working outside of the OVS build tree.

Suggested-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
6 years ago dpif-netdev: Add SMC cache after EMC cache
Yipeng Wang [Tue, 10 Jul 2018 10:14:06 +0000 (03:14 -0700)]
dpif-netdev: Add SMC cache after EMC cache

This patch adds a signature match cache (SMC) after exact match
cache (EMC). The difference between SMC and EMC is SMC only stores
a signature of a flow thus it is much more memory efficient. With
same memory space, EMC can store 8k flows while SMC can store 1M
flows. It is generally beneficial to turn on SMC but turn off EMC
when traffic flow count is much larger than EMC size.

SMC cache will map a signature to a dp_netdev_flow index in
flow_table. Thus, we add two new APIs in cmap for lookup key by
index and lookup index by key.

For now, SMC is an experimental feature that is turned off by
default. One can turn it on using ovsdb options.

Signed-off-by: Yipeng Wang <yipeng1.wang@intel.com>
Co-authored-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
Acked-by: Billy O'Mahony <billy.o.mahony@intel.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
6 years ago NEWS: Mention daemon mode support for ovn-nbctl.
Jakub Sitnicki [Tue, 24 Jul 2018 14:21:58 +0000 (16:21 +0200)]
NEWS: Mention daemon mode support for ovn-nbctl.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago tests: Add test for ovn-nbctl's command parser error paths.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:26 +0000 (15:51 +0200)]
tests: Add test for ovn-nbctl's command parser error paths.

Preparatory work for getting rid of ctl_fatal() in command parser.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago tests: Add test for oneline-formatted output for ovn-nbctl.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:25 +0000 (15:51 +0200)]
tests: Add test for oneline-formatted output for ovn-nbctl.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago tests: Add test for ovn-nbctl dry run mode.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:24 +0000 (15:51 +0200)]
tests: Add test for ovn-nbctl dry run mode.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Initial support for daemon mode.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:23 +0000 (15:51 +0200)]
ovn-nbctl: Initial support for daemon mode.

Make ovn-nbctl act as a unixctl server if we were asked to detach. This
turns ovn-nbctl into a long-lived process that acts as a proxy for
interacting with NB DB. The main difference to regular mode of ovn-nbctl
is that in the daemon mode, a local copy of database contents has to be
obtained only once.

Just two unixctl commands are supported 'run' and 'exit'. The former can
be used to run any ovn-nbctl command or a batch of them as so:

  ovs-appctl -t ovn-nbctl run [OPTIONS] COMMAND [-- [OPTIONS] COMMAND] ...

Running commands that have not yet been converted to not use ctl_fatal()
will result in death of the daemon process. However, --monitor option
can be used to keep the daemon running.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Extract a helper for appending command options.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:22 +0000 (15:51 +0200)]
ovn-nbctl: Extract a helper for appending command options.

Will be reused when parsing options in daemon mode.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Extract a helper for building short options string.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:21 +0000 (15:51 +0200)]
ovn-nbctl: Extract a helper for building short options string.

Will be reused for parsing options in daemon mode.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Extract handling of options that affect main loop.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:20 +0000 (15:51 +0200)]
ovn-nbctl: Extract handling of options that affect main loop.

Provide a handler for options that change how the main loop behaves.

This will allow code reuse for option parsing in daemon mode.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Extract helper for printing oneline output.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:19 +0000 (15:51 +0200)]
ovn-nbctl: Extract helper for printing oneline output.

This will allow us to direct oneline-formatted output to other sinks
than stdout if needed. Preparatory work for daemon mode.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Introduce a poll_timer based wait timeout.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:18 +0000 (15:51 +0200)]
ovn-nbctl: Introduce a poll_timer based wait timeout.

Extend the main loop and the command runner so that the caller can
specify a timeout for poll_block(). This will allow us to break out of
the main loop when waiting on IDL, like in the blocked '--wait=sb/hv
sync' case.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Propagate errors from prerequisites runner.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:17 +0000 (15:51 +0200)]
ovn-nbctl: Propagate errors from prerequisites runner.

Instead of terminating the process, return the error to the caller.

This will allow us to reuse the prerequisites runner in daemon mode.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
6 years ago ovn-nbctl: Propagate errors from the main loop.
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:16 +0000 (15:51 +0200)]
ovn-nbctl: Propagate errors from the main loop.

Let the caller handle the errors instead of reporting it and
terminating. Prepare for reusing the main loop in daemon mode.

Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>