Ben Pfaff [Tue, 29 Sep 2015 22:40:22 +0000 (15:40 -0700)]
ovn: Implement basic end-to-end full mesh test.
This is a really basic test of the OVN features. It verifies that basic
L2 connectivity works as expected over a 3-hypervisor setup with 3 VMs
per hypervisor and all 9 VMs on a single logical switch, with a few ACLs.
The infrastructure added by this patch, which is based on similar code
from ovs-sim, should be useful as a basis for later and more advanced
OVN end-to-end tests.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Justin Pettit <jpettit@nicira.com>
Ben Pfaff [Tue, 29 Sep 2015 17:19:37 +0000 (10:19 -0700)]
tests: Ignore more error messages for hidden rules test.
This test intentionally configures an unreachable controller. It ignored
some error messages in the log, specifically
br0: cannot find route for controller (240.0.0.1): ...
but a bug report says that other forms of messages can also appear, e.g.
br0<->tcp:240.0.0.1:6653: connection dropped (No route to host)
This commit therefore expands the logged error messages that will be
ignored to any message that includes the IP address 240.0.0.1.
ofproto-dpif-upcall: Use flow_wildcards_has_extra().
Update the comment in ukey_revalidate() to reflect the fact that the
mask in ukey is not the datapath mask, but the originally translated
flow wildcards.
Use flow_wildcards_has_extra() instead of open coding equivalent (but
different) functionality. The old form and the code in
flow_wildcards_has_extra() ((dp | wc != dp) and (dp & wc != wc),
respectively) give the same result:
The name 'lport_to_ofport' gives the impression that the
simap contains all the logical port to ofport mapping. In
reality, it only contains a local vif to ofport mapping.
The name 'localvif_to_ofport' feels to be a better fit.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Russell Bryant <rbryant@redhat.com>
This patch adds the modifications needed to compile under x64 under
Windows:
- created a new macro for testing if we are compiling under x64.
this will define the linker flag: "/MACHINE:X64" as per documentation
(https://msdn.microsoft.com/en-us/library/9yb4317s.aspx).
- added x64 pthread libraries under the pthread defines
- add documentation on how to build under x64
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com> Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
datapath: Backport "skbuff: Fix skb checksum flag on skb pull"
Upstream commit:
VXLAN device can receive skb with checksum partial. But the checksum
offset could be in outer header which is pulled on receive. This results
in negative checksum offset for the skb. Such skb can cause the assert
failure in skb_checksum_help(). Following patch fixes the bug by setting
checksum-none while pulling outer header.
Following is the kernel panic msg from old kernel hitting the bug.
Reported-by: Anupam Chanda <achanda@vmware.com> Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Tom Herbert <tom@herbertland.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 6ae459bdaae ("skbuff: Fix skb checksum flag on skb pull") Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
Zoltan Kiss [Fri, 25 Sep 2015 18:42:40 +0000 (11:42 -0700)]
ofproto-dpif: Do not block on uninitialized pause barriers.
e4e74c3a "dpif-netdev: Purge all ukeys when reconfigure pmd." introduced a new
dp_purge_cb function, which calls udpif_pause_revalidators() and that tries to
block on pause_barrier.
But if OVS was started with flow-restore-wait="true" (e.g. through ovs-ctl),
type_run() will have backer->recv_set_enable == false, and udpif_set_threads
won't initialize the barrier, which leads to a segfault like this:
This patch introduces ofproto_dpif_backer_enabled(), which checks
recv_set_enable before touching the latch and blocking on pause_barrier.
Signed-off-by: Zoltan Kiss <zoltan.kiss@linaro.org> Acked-by: Joe Stringer <joestringer@nicira.com>
datapath: Backport "openvswitch: Zero flows on allocation."
Upstream commit:
openvswitch: Zero flows on allocation.
When support for megaflows was introduced, OVS needed to start
installing flows with a mask applied to them. Since masking is an
expensive operation, OVS also had an optimization that would only
take the parts of the flow keys that were covered by a non-zero
mask. The values stored in the remaining pieces should not matter
because they are masked out.
While this works fine for the purposes of matching (which must always
look at the mask), serialization to netlink can be problematic. Since
the flow and the mask are serialized separately, the uninitialized
portions of the flow can be encoded with whatever values happen to be
present.
In terms of functionality, this has little effect since these fields
will be masked out by definition. However, it leaks kernel memory to
userspace, which is a potential security vulnerability. It is also
possible that other code paths could look at the masked key and get
uninitialized data, although this does not currently appear to be an
issue in practice.
This removes the mask optimization for flows that are being installed.
This was always intended to be the case as the mask optimizations were
really targeting per-packet flow operations.
Fixes: 03f0d916 ("openvswitch: Mega flow implementation") Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: ae5f2fb1 ("openvswitch: Zero flows on allocation.") Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
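The leak this commit message describes, reduced to a model that runs in userspace. This is an added example, not code from the kernel patch: the 24-byte `flow_key`, the reused `slab` slot standing in for the allocator, the 0xA5 marker for old heap contents and all function names are assumptions. It compares range-only masking with the two remedies the message names, zeroing on allocation and masking the full key.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, reduced flow key (24 bytes, no padding); not the kernel struct. */
struct flow_key {
    uint32_t in_port;
    uint8_t  eth_dst[6];
    uint8_t  eth_src[6];
    uint32_t ipv4_src;
    uint32_t ipv4_dst;
};

#define KEY_LEN     sizeof(struct flow_key)
#define STALE       0xA5   /* constructed marker for a previous owner's data */
/* The sample mask is non-zero only for ipv4_dst, so that is the masked range. */
#define RANGE_START offsetof(struct flow_key, ipv4_dst)
#define RANGE_END   (RANGE_START + sizeof(uint32_t))

static uint8_t slab[KEY_LEN];  /* simulated allocator slot that gets reused */

static uint8_t *alloc_key(int zero)
{
    if (zero) {
        memset(slab, 0, KEY_LEN);      /* "zero flows on allocation" */
    }
    return slab;
}

/* full == 0: only the bytes covered by a non-zero mask are written.
 * full == 1: every byte is written, so unmatched fields become 0. */
static void mask_key(uint8_t *dst, const uint8_t *src, const uint8_t *mask,
                     int full)
{
    size_t start = full ? 0 : RANGE_START;
    size_t end = full ? KEY_LEN : RANGE_END;
    for (size_t i = start; i < end; i++) {
        dst[i] = src[i] & mask[i];
    }
}

/* Installs one flow and copies the whole stored key to 'wire', which stands in
 * for the separate serialization of flow and mask described above. */
static void install_and_dump(int zero_alloc, int full_mask, uint8_t *wire)
{
    struct flow_key key = {
        .in_port = 3,
        .eth_dst = {2, 0, 0, 0, 0, 1},
        .eth_src = {2, 0, 0, 0, 0, 2},
        .ipv4_src = 0x0a000001,
        .ipv4_dst = 0x0a000002,
    };
    struct flow_key mask;
    memset(&mask, 0, sizeof mask);
    mask.ipv4_dst = 0xffffffff;

    memset(slab, STALE, KEY_LEN);      /* slot still holds old contents */
    uint8_t *flow = alloc_key(zero_alloc);
    mask_key(flow, (const uint8_t *)&key, (const uint8_t *)&mask, full_mask);
    memcpy(wire, flow, KEY_LEN);
}

/* Number of stale bytes that would reach userspace in the dumped key. */
size_t leaked_bytes(int zero_alloc, int full_mask)
{
    uint8_t wire[KEY_LEN];
    size_t n = 0;
    install_and_dump(zero_alloc, full_mask, wire);
    for (size_t i = 0; i < KEY_LEN; i++) {
        n += (wire[i] == STALE);
    }
    return n;
}

/* The matched field must survive whichever variant is used. */
uint32_t dumped_ipv4_dst(int zero_alloc, int full_mask)
{
    uint8_t wire[KEY_LEN];
    uint32_t v;
    install_and_dump(zero_alloc, full_mask, wire);
    memcpy(&v, wire + RANGE_START, sizeof v);
    return v;
}

int main(void)
{
    printf("range-only mask, no zeroing: %zu stale bytes\n", leaked_bytes(0, 0));
    printf("zeroed on allocation:        %zu stale bytes\n", leaked_bytes(1, 0));
    printf("full-key mask:               %zu stale bytes\n", leaked_bytes(0, 1));
    return 0;
}
```

Matching is unaffected in all three variants because the masked field is identical; only the bytes outside the mask differ, and those are what the dump exposes.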
This patch adds an additional include file while compiling under MSVC.
Found by compiling under MSVC x64 and hitting the following problem:
http://stackoverflow.com/questions/23144151/64-bit-function-returns-32-bit-pointer
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com> Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Andy Zhou [Tue, 15 Sep 2015 20:51:17 +0000 (13:51 -0700)]
ofproto/bond: simplify rebalancing logic
The current bond rebalancing logic is more complicated than necessary.
When considering a bucket for rebalancing, we just need to make sure
post rebalancing traffic will be closer to the ideal traffic split
than before. This patch implements the simplification.
There is a bug in the current algorithm that causes a heavily loaded bucket
to ping-pong for each rebalancing interval. The simplified logic also fixes
this bug.
Though not the main motivation for the change, computations are now
done with integer math rather than floating math.
Reported-by: Gregory Smith <gasmith@nutanix.com>
tested-by: Gregory Smith <gasmith@nutanix.com> Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Fixes following compilation error:
In file included from ovs/datapath/linux/actions.c:30:
ovs/datapath/linux/compat/include/linux/if_vlan.h:65: error: redefinition of ‘__vlan_hwaccel_push_inside’
include/linux/if_vlan.h:353: note: previous definition of ‘__vlan_hwaccel_push_inside’ was here
ovs/datapath/linux/compat/include/linux/if_vlan.h:83:
Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
Enable support for Checksum offloads in STT if it's enabled in the Windows
VM. Set the Checksum Partial and Checksum Verified flags as mentioned in
the STT Draft - https://tools.ietf.org/html/draft-davie-stt-06
datapath-windows: Removed hardcoded names for internal/external vports
The internal/external vports will have the actual OS-based names, which
represent the NIC interface alias that is displayed by running
'Get-NetAdapter' Hyper-V PS command.
Ben Pfaff [Sat, 19 Sep 2015 16:48:26 +0000 (09:48 -0700)]
tests: Shorten line in table-features test.
By inserting "dnl" a few places in this 1000+ character line, we bring
the physical line length down (making "git format-patch" willing to put
it into a patch) but m4 will still paste it together into a single line.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Joe Stringer <joestringer@nicira.com>
The Netlink encoding of datapath flow keys cannot express wildcarding
the presence of a VLAN tag. Instead, a missing VLAN tag is interpreted
as exact match on the fact that there is no VLAN. This makes reading
datapath flow dumps confusing, since for everything else, a missing
key value means that the corresponding key was wildcarded.
Unless we refactor a lot of code that translates between Netlink and
struct flow representations, we have to do the same in the userspace
datapath. This makes at least the flow install logs show that the
vlan_tci field is matched to zero. However, the datapath flow dumps
remain as they were before, as they are performed using the netlink
format.
Add a test to verify that a packet with a vlan will not match a rule
that may seem to be wildcarding the presence of the vlan tag. Applying this
test without the userspace datapath modification showed that the
userspace datapath failed to create a new datapath flow for the VLAN
packet before this patch.
Reported-by: Tony van der Peet <tony.vanderpeet@gmail.com> Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
datapath: Backport "openvswitch: allocate nr_node_ids flow_stats instead of num_possible_nodes"
Upstream commit:
openvswitch: allocate nr_node_ids flow_stats instead of num_possible_nodes
Some architectures like POWER can have a NUMA node_possible_map that
contains sparse entries. This causes memory corruption with openvswitch
since it allocates flow_cache with a multiple of num_possible_nodes() and
assumes the node variable returned by for_each_node will index into
flow->stats[node].
Use nr_node_ids to allocate a maximal sparse array instead of
num_possible_nodes().
The crash was noticed after 3af229f2 was applied as it changed the
node_possible_map to match node_online_map on boot.
Fixes: 3af229f2071f5b5cb31664be6109561fbe19c861 Signed-off-by: Chris J Arges <chris.j.arges@canonical.com> Acked-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: bac541e4631 ("openvswitch: allocate nr_node_ids flow_stats
instead of num_possible_nodes")
Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Jesse Gross <jesse@nicira.com>
stream-ssl: Get peer-ca-cert functionality to work.
When --certificate option is provided, we currently use
SSL_CTX_use_certificate_chain_file() function to add
that certificate. If our single certificate file had multiple
certificates (as a chain), all of them would get added and sent
to the remote peer. But once you call
SSL_CTX_use_certificate_chain_file(), any future calls to
SSL_CTX_add_extra_chain_cert() (called when --peer-ca-cert option
is used) had no effect.
Since our man pages and INSTALL.SSL.md say that --certificate
is used to specify one certificate and additional certificates
are sent via --peer-ca-cert, this commit changes
SSL_CTX_use_certificate_chain_file() use to
SSL_CTX_use_certificate_file(). With this, additional certificates
can now be added via --peer-ca-cert option.
The test case added with this commit would fail without the
above changes.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
The test claimed to test peer-ca-cert functionality. But the
certificate provided via --peer-ca-cert was not actually sent
to the peer for bootstrapping. The bootstrapping was successful
because cert provided via --certificate was self-signed. Since the test
was not really testing the --peer-ca-cert functionality, change
the name of the test. We do not have any tests for bootstrapping,
so this test is still useful.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Currently when running the vswitch daemon we get a lot of messages of the
form:
2015-09-10T23:04:21Z|07255|dpif(revalidator11)|WARN|system@ovs-system: failed
to flow_del (Invalid argument).
The userspace expects after sending a delete flow command, to receive the flow
key of the deleted flow.
Currently we only send back the statistics. This patch appends the flow key
attribute to the response buffer for the flow commands new, modify and
delete.
This patch also responds to the userspace with ENOENT in the case the flow
was not modified, deleted, created or retrieved.
Also incorporate some refactors.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com> Acked-by: Sorin Vinturis <svinturis@cloudbasesolutions.com> Acked-by: Sairam Venugopal <vsairam@vmware.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
If we have a flow rule of the following form:
actions=strip_vlan,set_tunnel:0x3e9,15,16,17 (Where port 15, 16 and 17 are
VXLAN OF ports with different tunnelling information)
Current implementation is that if a packet will hit that specific flow,
only one packet will be sent out with the first tunnelling information.
This patch saves the initial packet source port for further use of the
currently implemented pipeline and ignores the latter if it
is the last tunnelling port.
Ben Pfaff [Thu, 10 Sep 2015 17:00:41 +0000 (10:00 -0700)]
ofp-util: Fix struct ofputil_requestforward union membership.
'bands' should be paired with 'meter_mod' because 'bands' may hold the
storage for the meter's bands. ('bands' has nothing to do with
'group_mod'.)
Reported-by: niti Rohilla <niti1489@gmail.com>
Reported-at: http://openvswitch.org/pipermail/dev/2015-September/059847.html Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com>
datapath: Backport "openvswitch: Fix mask generation for nested attributes."
Upstream commit:
openvswitch: Fix mask generation for nested attributes.
Masks were added to OVS flows in a way that was backwards compatible
with userspace programs that did not generate masks. As a result, it is
possible that we may receive flows that do not have a mask and we need
to synthesize one.
Generating a mask requires iterating over attributes and descending into
nested attributes. For each level we need to know the size to generate the
correct mask. We do this with a linked table of attribute types.
Although the logic to handle these nested attributes was there in concept,
there are a number of bugs in practice. Examples include incomplete links
between tables, variable length attributes being treated as nested and
missing sanity checks.
Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 982b5270 ("openvswitch: Fix mask generation for nested attributes.") Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
tunneling: Track recursion levels across ARP generation.
If a packet is output to a tunnel port when userspace tunneling is
enabled, it will cause an ARP packet to be generated if the destination
is unknown. This ARP packet is injected into the physical bridge as
a new packet, where it is flooded.
If there is a loop (such as if the tunnel destination is the same bridge),
the result will be infinite recursion. Even though we currently track
recursion limits, they are not effective here since each ARP packet is
considered to be a new translation. This changes the behavior so that
each ARP flow translation is initialized with the recursion counter of
the previous flow. Note that the problem only applies to ARP - data
packets in a loop will hit an existing recursion counter in the datapath.
An additional side effect of this change is that ARP packets are no
longer unconditionally flooded in the new bridge. They will now follow any
flow rules in the new bridge that might apply to them, the same as with
the kernel datapath.
Reported-by: David Evans <davidjoshuaevans@gmail.com> Tested-by: David Evans <davidjoshuaevans@gmail.com> Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Russell Bryant [Thu, 17 Sep 2015 18:27:07 +0000 (14:27 -0400)]
ovn: Update TODO with some notes on security.
The impact of the compromise of a chassis running ovn-controller came
up in a discussion with the developers of a system that could
potentially use OVN. Capture some notes on this issue as a todo item.
Signed-off-by: Russell Bryant <rbryant@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
configure: Fix DPDK linking when using a relative path
When linking with DPDK, if a relative path is used with the
'--with-dpdk' flag, then OVS will always be compiled with vHost Cuse
support, even if it is not enabled in the DPDK build.
This patch fixes this problem, and enables the correct version of
vHost despite whether or not a relative or absolute path is used.
Signed-off-by: Ciara Loftus <ciara.loftus@intel.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Sat, 12 Sep 2015 03:14:59 +0000 (20:14 -0700)]
ovn-nbctl: Enable database commands using db-ctl-base infrastructure.
This makes ovn-nbctl into a pretty slavish imitation of ovn-sbctl, using
almost the same code. It has two immediate benefits. First, multiple
commands can now be chained together into a single ovn-nbctl invocation.
Second, the database commands such as "create", "set", and so on allow
queries and modifications that don't have specific commands already.
In the following commit, this allows testing the OVN ACL feature.
Alex Wang [Thu, 6 Aug 2015 22:40:57 +0000 (15:40 -0700)]
ovn-controller-vtep: Extend vtep module to install Ucast_Macs_Remote.
This commit extends the vtep module to support creating the
'Ucast_Macs_Remote' table entries in the vtep database for
MAC addresses on the ovn logical ports.
Signed-off-by: Alex Wang <ee07b291@gmail.com> Acked-by: Russell Bryant <rbryant@redhat.com> Acked-by: Justin Pettit <jpettit@nicira.com>
Alex Wang [Sat, 4 Jul 2015 06:13:24 +0000 (23:13 -0700)]
ovn-controller-vtep: Add vtep module.
This commit adds the vtep module to ovn-controller-vtep. The
module will scan through the Port_Binding table in OVN-SB database,
and update the vtep logical switches tunnel keys.
Signed-off-by: Alex Wang <ee07b291@gmail.com> Acked-by: Russell Bryant <rbryant@redhat.com> Acked-by: Justin Pettit <jpettit@nicira.com>
datapath: Use netlink ipv4 API to handle the ipv4 addr attributes.
upstream: ("netlink: implement nla_put_in_addr and nla_put_in6_addr")
upstream: ("netlink: implement nla_get_in_addr and nla_get_in6_addr")
IP addresses are often stored in netlink attributes. Add generic functions
to do that.
Signed-off-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Pravin B Shelar <pshelar@nicira.com>
Ben Pfaff [Sat, 12 Sep 2015 03:09:21 +0000 (20:09 -0700)]
ovn-nbctl: Give handler functions more specific names.
I find that it's nice to give functions for commands names specific to the
utility, even though they're static, because occasionally it makes it
easier to find them using "tags", "grep", etc.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Alex Wang <ee07b291@gmail.com>
tunnel: Validate IP header for userspace tunneling.
Currently, when doing userspace tunneling we don't perform much in
the way of integrity checks on the incoming IP header. The case of
tunneling is different from the usual case of switching since we are
acting as the endpoint here and should not allow invalid packets to
pass.
This adds checks for IP checksum, version, total length, and options and
drops packets that don't pass.
Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Pravin B Shelar <pshelar@nicira.com>
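The four checks this commit message lists (IP checksum, version, total length, options), written out as an added C example. It is not the Open vSwitch code from the commit: the function and enum names, the choice to reject every header whose IHL is not 5, and the constructed sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Why an outer IPv4 header was rejected (hypothetical names). */
enum ip_check {
    IP_OK = 0,
    IP_TRUNCATED,     /* fewer than 20 bytes received */
    IP_BAD_VERSION,   /* version field is not 4 */
    IP_BAD_IHL,       /* header is malformed or carries options */
    IP_BAD_LENGTH,    /* total length below 20 or beyond the received bytes */
    IP_BAD_CHECKSUM   /* header checksum does not verify */
};

#define IP_HDR_LEN 20

/* RFC 1071 one's-complement sum of 16-bit big-endian words. */
static uint16_t ones_sum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    }
    while (sum >> 16) {
        sum = (sum & 0xffff) + (sum >> 16);
    }
    return (uint16_t)sum;
}

/* 'avail' is the number of bytes actually received starting at the IP header.
 * Every field is bounds-checked before it is trusted. */
enum ip_check validate_outer_ipv4(const uint8_t *pkt, size_t avail)
{
    if (avail < IP_HDR_LEN) {
        return IP_TRUNCATED;
    }
    if ((pkt[0] >> 4) != 4) {
        return IP_BAD_VERSION;
    }
    if ((pkt[0] & 0x0f) != 5) {
        return IP_BAD_IHL;
    }
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (total < IP_HDR_LEN || total > avail) {
        return IP_BAD_LENGTH;
    }
    /* A correct header, checksum field included, sums to 0xffff. */
    if (ones_sum(pkt, IP_HDR_LEN) != 0xffff) {
        return IP_BAD_CHECKSUM;
    }
    return IP_OK;
}

/* Constructed sample: 20-byte header plus 8 payload bytes, UDP,
 * 192.0.2.1 -> 192.0.2.2; the checksum is computed here, not hard-coded. */
static void make_sample(uint8_t pkt[28])
{
    static const uint8_t hdr[IP_HDR_LEN] = {
        0x45, 0x00, 0x00, 0x1c,     /* version 4, IHL 5, total length 28 */
        0x00, 0x01, 0x00, 0x00,     /* id, flags and fragment offset */
        0x40, 0x11, 0x00, 0x00,     /* TTL 64, protocol UDP, checksum = 0 */
        192, 0, 2, 1,
        192, 0, 2, 2
    };
    memset(pkt, 0, 28);
    memcpy(pkt, hdr, IP_HDR_LEN);
    uint16_t c = (uint16_t)~ones_sum(pkt, IP_HDR_LEN);
    pkt[10] = (uint8_t)(c >> 8);
    pkt[11] = (uint8_t)(c & 0xff);
}

/* Validates the sample after overwriting one byte (off < 0: unmodified),
 * pretending only 'avail' bytes were received. */
enum ip_check check_with_byte(int off, uint8_t val, size_t avail)
{
    uint8_t pkt[28];
    make_sample(pkt);
    if (off >= 0 && (size_t)off < sizeof pkt) {
        pkt[off] = val;
    }
    return validate_outer_ipv4(pkt, avail);
}

int main(void)
{
    printf("intact header:  %d\n", check_with_byte(-1, 0, 28));
    printf("version 6:      %d\n", check_with_byte(0, 0x65, 28));
    printf("IHL 6:          %d\n", check_with_byte(0, 0x46, 28));
    printf("length 64 > 28: %d\n", check_with_byte(3, 0x40, 28));
    printf("TTL altered:    %d\n", check_with_byte(8, 0x3f, 28));
    return 0;
}
```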
Ben Pfaff [Thu, 27 Aug 2015 05:40:11 +0000 (22:40 -0700)]
expr: Properly handle several cases involving string variables.
The expr test cases covered string variables poorly and thus a number of
bugs and omissions slipped through. This fixes them and generalizes the
test cases to better cover string variables.
Joe Stringer [Fri, 11 Sep 2015 01:00:21 +0000 (18:00 -0700)]
ipfix: Fix SIGFPE in bridge exporter sampling.
A divide-by-zero exception like the below could occur when IPFIX
configuration is cleared while handling sampled packets from the
datapath. While it's not valid to configure the sampling probability of
IPFIX to zero via explicitly setting it in OVSDB, it is possible to
clear the configuration, which results in a probability of zero. In this
case, there is a window during which it is possible for upcalls to find
the cleared IPFIX object and attempt to perform sampling using it. Fix
the issue by ensuring that the probability is nonzero before using it.
"Program terminated with signal SIGFPE, Arithmetic exception."
dpif_ipfix_bridge_sample (...) at ../ofproto/ofproto-dpif-ipfix.c:1701
process_upcall (...) at ../ofproto/ofproto-dpif-upcall.c:1145
recv_upcalls (...) at ../ofproto/ofproto-dpif-upcall.c:705
udpif_upcall_handler (...) at ../ofproto/ofproto-dpif-upcall.c:631
ovsthread_wrapper (...) at ../lib/ovs-thread.c:340
start_thread (...) at pthread_create.c:312
clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Romain Lenglet <romain.lenglet@oracle.com>
Ben Pfaff [Fri, 11 Sep 2015 20:42:41 +0000 (13:42 -0700)]
ovn-northd: Minor logical flow table optimizations.
There's no need to add a priority-0 "drop" flow, because OVN logical flow
tables always drop non-matching packets.
There's no need to add a "drop" flow for ingress port security on disabled
logical ports, because no other flow would allow those packets; it's
more efficient to omit the logical flow entirely.
Finally, there's no need to add disabled logical ports to the MC_UNKNOWN
multicast group, since packets won't be delivered to a disabled logical
port anyway. (This is just an optimization; the packets were dropped in
the egress pipeline anyway.)
Found by inspection.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Justin Pettit <jpettit@nicira.com>
Ben Pfaff [Fri, 11 Sep 2015 20:40:36 +0000 (13:40 -0700)]
ovn-northd: Don't deliver even broadcast packets to disabled logical ports.
Until now, the priority-100 flow for broadcast and multicast packets caused
such packets to be delivered to disabled logical ports. This commit makes
ovn-northd add a priority-150 flow for each disabled logical port to
override that behavior.
Found by inspection.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Justin Pettit <jpettit@nicira.com>
Joe Stringer [Thu, 10 Sep 2015 02:00:18 +0000 (19:00 -0700)]
ofp-actions: Allow special handling for nested actions.
The next patch will introduce nested actions with special restrictions.
Refactor the action verification to allow ofpacts_verify() to identify
nesting so that these restrictions may be applied.
Signed-off-by: Joe Stringer <joestringer@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Justin Pettit [Fri, 28 Aug 2015 17:38:17 +0000 (10:38 -0700)]
ovn-nb: Add direction and reduce max priority for ACLs.
Introduce a new "direction" column to the ACL table that accepts the
values "to-lport" and "from-lport". Also reserve the ACL priority 65535
for return traffic associated with the "allow-related" action.
Signed-off-by: Justin Pettit <jpettit@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Niti Rohilla [Wed, 9 Sep 2015 12:03:42 +0000 (17:33 +0530)]
ofproto: Implement OF1.4 Group & Meter change notification messages
This patch adds support for Openflow1.4 Group & meter change notification
messages. In a multi controller environment, when a controller modifies the
state of group and meter table, the request that successfully modifies this
state is forwarded to other controllers. Other controllers are informed with
the OFPT_REQUESTFORWARD message. Request forwarding is enabled on a per
controller channel basis using the Set Asynchronous Configuration Message.
Signed-off-by: Niti Rohilla <niti.rohilla@tcs.com> Co-authored-by: Ben Pfaff <blp@nicira.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Tue, 21 Jul 2015 23:19:54 +0000 (16:19 -0700)]
tnl-arp-cache: Add a command to add or modify an ARP cache entry.
This allows the ARP cache to be prepopulated for testing purposes, so
that tests don't lose the first packet to each destination. (I guess
this feature could have other uses too.)
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com>
Ben Pfaff [Wed, 22 Jul 2015 18:22:01 +0000 (11:22 -0700)]
pcap-file: Flush packets to operating system immediately.
This makes the pcap files written by netdev-dummy up-to-date even if one
kills the process with a signal. This could be a performance hit if
the pcap file writer were to be used in some kind of performance critical
situation, but so far it's only used in netdev-dummy, which is just for
testing.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com>
Ben Pfaff [Wed, 9 Sep 2015 17:20:14 +0000 (10:20 -0700)]
tests: Automatically initialize OVS_*DIR vars when tests begin.
A lot of tests need to initialize the OVS_RUNDIR, OVS_LOGDIR, etc.
variables to point to the directory in which the tests run. Until now,
each of them has had to do this individually, which is redundant. This
commit starts to do this automatically.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com>
Ben Pfaff [Tue, 8 Sep 2015 23:31:30 +0000 (16:31 -0700)]
ofproto-dpif-xlate: Lower missing netdev_max_backlog from WARN to INFO.
In a network namespace, /proc/sys/net/core/netdev_max_backlog is not
present, so people running OVS inside Docker will always get a log message
here. That's not important enough to rise to a WARN level that causes
tests to fail, especially since the default value is rarely changed (and
wouldn't normally be lowered), so reduce the log level for this to INFO.
travis: Fix build with --enable-shared and DPDK 2.1.
When building OVS with --enable-shared, -fPIC should be used in DPDK
CFLAGS. We used to add a custom option for this (CONFIG_RTE_BUILD_FPIC)
to the DPDK configuration, right after CONFIG_RTE_LIBNAME.
Since CONFIG_RTE_LIBNAME has been removed, it seems simpler to add our
custom option at the end of the file.
Furthermore, since vhost support is enabled by default in DPDK 2.1 and
vhost-user is OVS primary target, there's no need to customize the vhost
related option anymore.
Jesse Gross [Mon, 31 Aug 2015 21:20:17 +0000 (14:20 -0700)]
tun-metadata: Provide error messages during auto-allocation.
In cases where we don't have a map of tunnel metadata options (such
as with ovs-ofctl) we dynamically allocate them as part of the match.
However, dynamic allocation brings the possibility of errors such as
duplicate entries or running out of space. Up until now, anything that
would cause an error was silently ignored. Since that is not very user
friendly, this adds a mechanism for reporting these types of errors.
Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
ofp-parse: Allow ofctl flow monitor filtering on field existence.
It is supposed to be possible to allow ovs-ofctl to filter flows
it is monitoring based on a match string. However, the parser will
reject expressions that match only on a field's existence (such as
Geneve options). This relaxes the restriction to bring it in line
with matches supported by other commands.
Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Currently, each token in an OpenFlow match field is treated separately -
whether this is a name, a value, or a single identifier. However, this
means that attempting to get a value may result in grabbing the next
token if no value exists. This avoids that problem by breaking the match
string down into its components and then individually separating it into
name/value pairs if appropriate.
Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Timo Puha [Wed, 1 Jul 2015 10:49:12 +0000 (11:49 +0100)]
netdev-dpdk: Add some missing statistics.
New stats for vhost ports are rx_bytes, tx_bytes, multicast, rx_errors and
rx_length_errors. New stats for PMD ports are rx_dropped, rx_length_errors,
rx_crc_errors and rx_missed_errors. DPDK imissed packets are now classified
as dropped instead of errors.
Signed-off-by: Timo Puha <timox.puha@intel.com> Tested-by: Daniele Di Proietto <diproiettod@vmware.com> Acked-by: Flavio Leitner <fbl@sysclose.org> Signed-off-by: Ben Pfaff <blp@nicira.com>
Russell Bryant [Wed, 9 Sep 2015 12:37:14 +0000 (08:37 -0400)]
rhel: s/OVN_DB/OVS_DB/ in ovn-controller unit.
I added a variable called OVN_DB, but had mixed up what this parameter
to ovn-controller was for. This parameter is the location of the db
for the local ovs-vswitchd. It then gets the OVN database location
from *that* db. It seems fine to keep the env var in case someone
needs to override it for some reason, but correct the name and
description of what it is.
Signed-off-by: Russell Bryant <rbryant@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Russell Bryant [Wed, 9 Sep 2015 01:46:28 +0000 (21:46 -0400)]
ovn-sbctl: Adjust width for priority in lflow-list.
The format string for the output of lflow-list included a width of 3
characters for the priority. ACLs use priorities up to 5 digits, so
change the width from 3 to 5. This restores alignment of the next
field, "match".
Signed-off-by: Russell Bryant <rbryant@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
This seemed like a bit too much code for something as simple as
initializing an smap with a single key-value pair. This commit allows the
code to be reduced to just:
This new form also eliminates multiple memory allocation and free
operations, but I doubt that has any real effect on performance;
the primary goal here is code readability.
Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Russell Bryant <rbryant@redhat.com>
tnl-ports: Add destination IP and MAC address to the match.
Currently the tnl-port table wildcards destination IP and MAC addresses
for a given tunnel packet. That could result in accepting tunnel
packets destined for other hosts. The following patch adds
support for matching on IP and MAC address.
IP address updates to the tnl-port table are piggybacked on
ovs-router updates.
Reported-by: Ben Pfaff <blp@nicira.com> Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
Russell Bryant [Thu, 3 Sep 2015 16:45:01 +0000 (12:45 -0400)]
ovn: Add "localnet" logical port type.
Introduce a new logical port type called "localnet". A logical port
with this type also has an option called "network_name". A "localnet"
logical port represents a connection to a network that is locally
accessible from each chassis running ovn-controller. ovn-controller
will use the ovn-bridge-mappings configuration to figure out which
patch port on br-int should be used for this port.
OpenStack Neutron has an API extension called "provider networks" which
allows an administrator to specify that it would like ports directly
attached to some pre-existing network in their environment. There was a
previous thread where we got into the details of this here:
The case where this would be used is an environment that isn't actually
interested in virtual networks and just wants all of their compute
resources connected up to externally managed networks. Even in this
environment, OVN still has a lot of value to add. OVN implements port
security and ACLs for all ports connected to these networks. OVN also
provides the configuration interface and control plane to manage this
across many hypervisors.
As a specific example, consider an environment with two hypervisors
(A and B) with two VMs on each hypervisor (A1, A2, B1, B2). Now imagine
that the desired setup from an OpenStack perspective is to have all of
these VMs attached to the same provider network, which is a physical
network we'll refer to as "physnet1".
The first step here is to configure each hypervisor with bridge mappings
that tell ovn-controller that a local bridge called "br-eth1" is used to
reach the network called "physnet1". We can simulate the initial setup
of this environment in ovs-sandbox with the following commands:
# Setup the local hypervisor (A)
ovs-vsctl add-br br-eth1
ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth1
To get the behavior we want, we model every Neutron port connected to a
Neutron provider network as an OVN logical switch with 2 ports. The
first port is a normal logical port to be used by the VM. The second
logical port is a special port with its type set to "localnet".
To simulate the creation of the OVN logical switches and OVN logical
ports for A1, A2, B1, and B2, you can run the following commands:
# Create 4 OVN logical switches. Each logical switch has 2 ports,
# port1 for a VM and physnet1 for the existing network we are
# connecting to.
for n in 1 2 3 4; do
ovn-nbctl lswitch-add provnet1-$n
# Bind lport1 (A1) and lport2 (A2) to the local hypervisor.
ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=provnet1-1-port1
ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=provnet1-2-port1
# Bind the other 2 ports to the fake remote hypervisor.
ovn-sbctl lport-bind provnet1-3-port1 fakechassis
ovn-sbctl lport-bind provnet1-4-port1 fakechassis
After running these commands, we have the following logical
configuration:
Now we can generate several packets to test how a packet would be
processed on hypervisor A. The OpenFlow port numbers in this demo are:
1 - patch port to br-eth1 (physnet1)
2 - tunnel to fakechassis
3 - lport1 (A1)
4 - lport2 (A2)
Packet test #1: A1 to A2 - This will be output to ofport 1. Despite
both VMs being local to this hypervisor, all packets between the VMs go
through physnet1. In practice, this will get optimized at br-eth1.
Packet test #2: physnet1 to A2 - Consider this a continuation of test
is attached to will be considered. The end result should be that the
only output is to ofport 4 (A2).
Packet test #3: A1 to B1 - This will be output to ofport 1, as physnet1
is to be used to reach any other port. When it arrives at hypervisor B,
processing would look just like test #2.
Packet test #5: B1 broadcast arriving at hypervisor A. This is somewhat
a continuation of test #4. When a broadcast packet arrives from
physnet1 on hypervisor A, we should see it output to both A1 and A2
(ofports 3 and 4).
Russell Bryant [Thu, 3 Sep 2015 16:45:00 +0000 (12:45 -0400)]
ovn: Automatically create br-int in ovn-controller.
ovn-controller previously required the integration bridge to be
created before running ovn-controller. This patch makes
ovn-controller automatically create it if it doesn't already exist.
Signed-off-by: Russell Bryant <rbryant@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Timo Puha [Fri, 4 Sep 2015 12:35:57 +0000 (13:35 +0100)]
dpdk: add support for v2.1.0
Update relevant artifacts to add support for DPDK v2.1.0
- INSTALL.DPDK.md
- acinclude.m4: Change DPDK library name
- netdev-dpdk: Limit minimum mbuf size to to adapt to DPDK bug fix that
changes the treatment of the requested mbuf size
- build.sh: Change DPDK version number
Note that this breaks compatibility with DPDK v2.0.0 although only
for the library name change.
Note that throughput for vhost ports with mergeable buffers is reduced
about 10% due to a necessary bug fix in DPDK vhost code.
Signed-off-by: Mark Kavanagh <mark.b.kavanagh@intel.com> Signed-off-by: Michal Weglicki <michalx.weglicki@intel.com> Signed-off-by: Timo Puha <timox.puha@intel.com> Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
Ben Pfaff [Mon, 31 Aug 2015 16:53:18 +0000 (09:53 -0700)]
ovsdb: Update _version more accurately in transaction commit.
The _version column in each OVSDB row is supposed to be updated whenever
any other column in the row changes. However, the transaction code was
not careful to do this only when a row actually changed--there were other
cases where a row was considered at transaction commit time and _version
updated even though the row did not actually change. For example,
ovsdb_txn_adjust_atom_refs() calls find_or_make_txn_row(), which calls
ovsdb_txn_row_modify(), which updates _version, but
ovsdb_txn_adjust_atom_refs() doesn't actually update any data.
One way to fix this would be to carefully consider and adjust all the code
that looks at transaction rows. However, this seems somewhat error prone
and thus difficult to test. This commit takes a different approach: it
drops the code that adjusts _version on the fly, instead replacing it by
a final pass over the database at the end of the commit process that checks
for each row whether any columns changed and updates _version at that point
if any did. That seems pretty foolproof to me.
Reported-by: RishiRaj Maulick <rishi.raj2509@gmail.com>
Reported-at: http://openvswitch.org/pipermail/dev/2015-August/059439.html Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com> Tested-by: RishiRaj Maulick <rishi.raj2509@gmail.com>
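The final-pass approach described in the "_version" commit message above, as an added example in C that is not Open vSwitch code: rows are given a transaction view whenever commit code looks at them, and _version is bumped only by a last comparison pass. The names struct row, struct txn_row, txn_row_open(), txn_commit() and demo() are hypothetical, and an integer counter stands in for the UUID that OVSDB stores in _version.

```c
#include <string.h>
#define N_COLUMNS 2

/* Hypothetical row; an integer counter stands in for the UUID in _version. */
struct row { int columns[N_COLUMNS]; unsigned version; };

/* Transaction view of one row: created for every row the commit code looks
 * at, whether or not any column ends up different. */
struct txn_row { struct row *row; int new_columns[N_COLUMNS]; };

void txn_row_open(struct txn_row *t, struct row *row)
{
    t->row = row;
    memcpy(t->new_columns, row->columns, sizeof t->new_columns);
}

/* Final pass at commit: compare each considered row with its committed data
 * and bump _version only where a column differs.  Returns rows bumped. */
unsigned txn_commit(struct txn_row *rows, size_t n)
{
    unsigned n_bumped = 0;
    for (size_t i = 0; i < n; i++) {
        struct txn_row *t = &rows[i];
        if (memcmp(t->new_columns, t->row->columns, sizeof t->new_columns)) {
            memcpy(t->row->columns, t->new_columns, sizeof t->new_columns);
            t->row->version++;
            n_bumped++;
        }
    }
    return n_bumped;
}

/* Constructed scenario: row 0 is only opened, row 1 is written and then
 * restored, row 2 really changes.  All start at version 7. */
unsigned demo(unsigned versions[3])
{
    struct row rows[3] = { {{1, 2}, 7}, {{3, 4}, 7}, {{5, 6}, 7} };
    struct txn_row t[3];
    for (size_t i = 0; i < 3; i++) {
        txn_row_open(&t[i], &rows[i]);
    }
    t[1].new_columns[0] = 99;
    t[1].new_columns[0] = 3;    /* Back to the committed value. */
    t[2].new_columns[1] = 60;
    unsigned n = txn_commit(t, 3);
    for (size_t i = 0; i < 3; i++) {
        versions[i] = rows[i].version;
    }
    return n;
}
```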