If a table's schema allows no columns to be set when inserting,
python-ovs should handle that case.
Signed-off-by: Terry Wilson <twilson@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March
of 2021: https://datatracker.ietf.org/doc/rfc8996/
Both protocols should not generally be used (RFC says MUST NOT) and
are being actively removed from support by major distributions and
libraries. They were deprecated and disabled by default in OVS 3.5
with the following commit:
923a80d1d163 ("stream-ssl: Deprecate and disable TLSv1 and TLSv1.1.")
It's time to fully remove the support for these protocols.
Some infrastructure and parts of the documentation look a little
awkward since we're only supporting 2 versions of TLS now, so I tried
to re-word the text a little. But I kept the code intact so we can
easily add new versions when they appear or deprecate TLSv1.2 when
the time comes, even though it may not be soon.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
STT and LISP tunnel types were deprecated and marked for removal in
the following commits in the OVS 3.5 release:
3b37a6154a59 ("netdev-vport: Deprecate STT tunnel port type.")
8d7ac031c03d ("netdev-vport: Deprecate LISP tunnel port type.")
Main reasons were that STT was rejected in upstream kernel and the
LISP was never upstreamed as well and doesn't really have a supported
implementation. Both protocols also appear to have lost their former
relevance.
Removing both now. While at it, also fixing some small documentation
issues and comments.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Alin Serdean <aserdean@ovn.org>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
The commit "userspace: Enable non-bridge port as tunnel endpoint"
did not account for the ovs_router_get_netdev_source_address()
call. This patch ensures that the fix from "ofproto-dpif-xlate:
Fix netdev native tunnel neighbor discovery" remains functional
by properly calling the function with the output devices.
Fixes: dc0bd12f5b04 ("userspace: Enable non-bridge port as tunnel endpoint.")
Acked-by: Simon Horman <horms@ovn.org>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
When flows are added through TC, only the match and actions are
verified to determine if they can be handled by TC. If they can,
the TC flow is installed.
However, when the flow is a continuation of a previously recirculated flow,
it can happen that the flow performing the recirculation is installed
in the kernel. This may occur, for example, if it includes an action that
cannot be handled by TC.
If the kernel module has the first flow but not the second one (missing
because it is programmed in TC), the flow is sent to userspace via an
upcall.
This patch tracks which recirculation goto actions are handled by TC.
A matching TC rule is installed only if the corresponding recirculation
ID is confirmed to be handled by TC.
Acked-by: Simon Horman <horms@ovn.org>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
'tcp_flags' are not placed at the beginning of the 64-bit block, so
they have to be padded. Today it is done in a hacky way by pushing
zeroes over the last 32-bits of the arp_tha. When that was written
the miniflow_pad_from_64() didn't exist, but it's better to use it
now instead to avoid confusion.
'ct_tp_src/dst' are not actually extracted for IGMP. See the
write_ct_md() function. The pushes are there for the padding purposes,
since 'tp_dst' doesn't end on a 64-bit boundary and so we need to pad
before pushing the IGMP group. Use an explicit padding function
instead to avoid a false impression that IGMP can have non-zero
"ports" in the conntrack tuple.
This change should not change anything functionally.
Acked-by: Paolo Valerio <pvalerio@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Support for tnl_push/output already exists, add push_vlan.
Signed-off-by: Allen Chen <allen.chen@jaguarmicro.com>
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
The commit in the fixes tag erroneously changed the
`--disable-epsv` argument to `--disable-eps`, which does
not exist.
Curiously the version of curl in the GitHub Actions images
appears to accept the abbreviated option, whereas more recent
versions of curl will fail with a hard error code 2.
Fixes: 249a9b56e2b2 ("system-traffic: Fix syntax errors in FTP and IPv6 curl calls.")
Signed-off-by: Frode Nordahl <fnordahl@ubuntu.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
In the case where there is a NUMA node that has a zero variance
improvement, the log will report its variance improvement as value for
a previous NUMA node with a non-zero variance improvement.
For example in an artificial case:
  |dpif_netdev|DBG|Numa node 1. Current variance 1000 Estimated variance 0.
  Variance improvement 100%.
  ^^^ correct value
  |dpif_netdev|DBG|Numa node 0. Current variance 0 Estimated variance 0.
  Variance improvement 100%.
  ^^^ incorrect value for Numa 0, value from Numa 1
This is caused by not resetting the improvement between loops.
This is a debug log reporting issue only, non-zero variance improvement
will still trigger rebalance where appropriate.
Move improvement and other variables into the loop code block to fix
logs.
Fixes: 46e04ec31bb2 ("dpif-netdev: Calculate per numa variance.")
Reported-at: https://issues.redhat.com/browse/FDP-1145
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Simon Horman <horms@ovn.org>
Reviewed-by: David Marchand <david.marchand@redhat.com>
Ales reported that ct_tp_{src,dst} matches are working only for the
first frag for the userspace datapath, whereas they are always working
for later frags in the case of kernel datapath.
The ipf propagates the info in packets metadata, but
miniflow_extract() has no handling for them.
Fix it by pushing the relevant fields in the miniflow.
tp_{src,dst} are not set for later frags, so fill them with padding as
ct_tp_{src,dst} are not aligned:
  struct flow {
      [...]
      ovs_be16 tp_src;     /* 656 2 */
      ovs_be16 tp_dst;     /* 658 2 */
      ovs_be16 ct_tp_src;  /* 660 2 */
      ovs_be16 ct_tp_dst;  /* 662 2 */
      [...]
  }
The patch also includes two tests to exercise the behavior.
Fixes: 4ea96698f667 ("Userspace datapath: Add fragmentation handling.")
Reported-at: https://issues.redhat.com/browse/FDP-124
Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Rather than drop all pending Tx offloads on recirculation,
preserve inner offloads (and mark packet with outer Tx offloads)
when parsing the packet again.
Fixes: c6538b443984 ("dpif-netdev: Fix crash due to tunnel offloading on recirculation.")
Fixes: 084c8087292c ("userspace: Support VXLAN and GENEVE TSO.")
Reported-at: https://issues.redhat.com/browse/FDP-1144
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Scanhub reported the following splat:
  3. ovsdb/ovsdb-server.c:505:5:
     freed_arg: "shash_replace_nocopy" frees "filename".
  6. ovsdb/ovsdb-server.c:507:9:
     pass_freed_arg: Passing freed pointer "filename" as an argument to
     "vlog".
In all code paths with a duplicate configuration, OVSDB would print a
warning log message using a freed pointer. Now, the original option is
used.
Fixes: e76f8472090e ("ovsdb-server: Database config isolation.")
Reported-at: https://issues.redhat.com/browse/FDP-1118
Signed-off-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
All ipsec_* tunnel options are reported as invalid options.
This patch ensures that all of them are ignored, just like
the other IPSec related options.
Fixes: e8515c8cc082 ("ovs-monitor-ipsec: Allow custom options per tunnel.")
Reported-at: https://issues.redhat.com/browse/FDP-797
Acked-by: Simon Horman <horms@ovn.org>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Ensure that xlate_generic_encap_action() does not return a buffer
on error.
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Ensure a valid class is found before calling its function pointer.
If it's not found, call ovs_assert().
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Add an ovs_assert() in this case, as a valid meter should exist.
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Coverity complains that we could potentially dereference a
NULL pointer. To prevent this warning, add an ovs_assert().
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
This patch addresses several common issues in various test programs
instead of sending multiple small patches. While these are not
critical, cleaning them up improves code quality.
- Fixed two resource leaks in test-aa.c and test-ovsdb.c.
- Fixed four instances of unchecked return values in test-ovsdb.c
and test-packet.c.
- Fixed one out-of-bounds read in test-ccmap.c
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Coverity flagged some cases where ovs_scan() was used without
checking its return value. This patch addresses the issue by
adding proper return checks and error reporting.
Additionally, test cases were added to ensure correctness.
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Previously, nxm_field_bytes() could return a negative value when given
an invalid header. To address this, we now assert when processing an
invalid value. Additionally, the function has been updated to return
an unsigned value.
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Fedora 39 is EoL since the end of November. Move to 41.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Sphinx v1.7.6 gives a warning for duplicate command options for
ovs-flowviz.
  Warning, treated as error:
  /root/ovs/Documentation/ref/ovs-flowviz.8.rst:162
  Duplicate explicit target name: "cmdoption-h".
Fix by using the '.. program::' directive for the full sub-command.
Fixes: e532f937f58f ("documentation: Document ovs-flowviz.")
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
A recent commit added a condition to the "route_table_parse__" function that
causes it to throw an error when parsing a route without "nexthop
information" (either RTA_OIF, RTA_GATEWAY, RTA_VIA or RTA_MULTIPATH). While
this requirement is reasonable for regular routes, there are some route types
that don't need nexthop. We intend to use one of these types,
(RTN_BLACKHOLE)[0], in OVN for route advertising.
This change does not enforce the above-mentioned condition for those special
route types that don't require "nexthop information".
[0] https://mail.openvswitch.org/pipermail/ovs-dev/2025-January/419383.html
Fixes: 91fc51106cfe ("route-table: Support parsing multipath routes.")
Signed-off-by: Martin Kalcok <martin.kalcok@canonical.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
This commit introduces a command to inject user-defined
log messages at the info level. The primary use case is
debugging, enabling annotations to be added to the log
for better context.
The following is an example:
  ovs-appctl vlog/message "Add the following to the log..."
Acked-by: Simon Horman <horms@ovn.org>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
When TC parses the flow to install, it assumes that the datalink type
mask is set. However, this may not always be the case, for example,
when multiple VLANs exist but only one is enabled (vlan-limit).
This patch will only process the dl_type if the mask is set. It also
includes a unit test to verify that the TC rules are offloaded in this
case.
Fixes: 1be33d52af77 ("netdev-tc-offloads: Don't offload header modification on ip fragments.")
Reported-at: https://issues.redhat.com/browse/FDP-1114
Acked-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Branches 2.17/3.0/3.1/3.2/3.3/3.4 are using newer DPDK LTS releases.
Update the faq.
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Bash command completion setup is done during the login process. If a command
is not available, but it is tried to be run, there are then inconvenient
error messages at each login.
Signed-off-by: Markus Linnala <markus.linnala@gmail.com>
Signed-off-by: Simon Horman <horms@ovn.org>
ovs_get_program_version() already returns the formatted program name and
version instead of doing it again.
Signed-off-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Allow to set oom-score with --oom-score argument.
This argument can be set in ovs config file.
In rhel can set OPTIONS in /etc/sysconfig/openvswitch.
In debian can set OVS_CTL_OPTS in /etc/default/openvswitch-switch.
Acked-by: Eli Britstein <elibr@nvidia.com>
Acked-by: Simon Horman <horms@ovn.org>
Signed-off-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
New appctl 'dpdk/get-memzone-stats' implemented to get result of
'rte_memzone_dump()' function.
Could be used for debugging.
Acked-by: Roi Dayan <roid@nvidia.com>
Acked-by: Simon Horman <horms@ovn.org>
Signed-off-by: Eli Britstein <elibr@nvidia.com>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
This patch includes 'a-f' matching in the sed command.
Fixes: 7b3a4c2e866e ("Revert "odp-util: Always report ODP_FIT_TOO_LITTLE for IGMP."")
Acked-by: Simon Horman <horms@ovn.org>
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
The use of ofpbuf_use_data() would allow someone to change the
code to modify the buffer, which consequently would lead to memory
allocations. Since there are no ofpbuf_uninit() calls in place,
that might invite a future bug.
Let's make use of ofpbuf_use_const() instead.
Fixes: 91fc51106cfe ("route-table: Support parsing multipath routes.")
Signed-off-by: Frode Nordahl <fnordahl@ubuntu.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
As highlighted by static analysis [0], a potential memory leak
was introduced in the commit referenced in the fixes tag.
The issue was introduced by what I can describe as premature
optimization, and while very unlikely to hit, let's make the code
correct.
The logic for cleanup assumes rdnh will always be added to the
list of nexthops, and then I apparently chose to skip that when
processing the outer message with a RTA_MULTIPATH attribute,
presumably because its nexthop attributes will be added when
processing nested attributes, making the list addition
redundant.
Skipping the list addition was technically safe, because at
this point rdnh would be pointing at primary_next_hop__ on the
stack.
Separate out the nexthop cleanup code in private helper for
internal use, while this is the only action for the public
route_data_destroy() today, it might grow other powers in the
future.
Always add rdnh to list of nexthops and remove it when processing
RTA_MULTIPATH nested attributes.
0: https://mail.openvswitch.org/pipermail/ovs-dev/2025-January/419818.html
Fixes: 91fc51106cfe ("route-table: Support parsing multipath routes.")
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Frode Nordahl <fnordahl@ubuntu.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
The gcc static analyzer pointed out a potential NULL pointer
dereference in route_table_parse().
While the probability is low, let's plug it.
Fixes: 0b8da9ae1f38 ("route: support IPv6 and use IPv4-mapped addresses")
Fixes: 71785737ded2 ("route-table: Split header and attribute parsing.")
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Frode Nordahl <fnordahl@ubuntu.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
The compilation would fail if ofp-ct.h was included in module that
didn't include dynamic-string.h before the ofp-ct.h include.
Signed-off-by: Ales Musil <amusil@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
This patch extends the userspace datapath's support of tunnel TSO from
only supporting VxLAN and Geneve to also supporting GRE tunnels. There
is also a software fallback for cases where the egress netdev does not
support this feature.
Reviewed-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Previously support was added for VXLAN and Geneve tunnels in the TSO
software fallback. However, the documentation was not updated
appropriately. Now the documentation is brought up to date and a NEWS
item is added.
Fixes: 82c1028e371e ("Userspace: Software fallback for UDP encapsulated TCP segmentation.")
Acked-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Previously support for tunnels was added to userspace TSO. However, the
documentation was not updated appropriately. This patch adds VxLAN and
Geneve as supported tunnels.
Fixes: 084c8087292c ("userspace: Support VXLAN and GENEVE TSO.")
Acked-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Note that the internal handling of routes in the ovs-route module
does currently not support multipath routes, so when presented
with one the first occurrence will be stored. This is not a
regression as these routes were previously not considered at all.
Storing the information in the route-table module data structure
will allow external to OVS projects to make use of this data.
A test program run as part of the system tests that exercise the
route table API is added in this patch.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Co-Authored-by: Felix Huettner <felix.huettner@stackit.cloud>
Signed-off-by: Felix Huettner <felix.huettner@stackit.cloud>
Signed-off-by: Frode Nordahl <fnordahl@ubuntu.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Along with dependent data structures these functions are useful
for programs that build against OVS private library sources,
allowing them to make use of functionality provided by the
route-table module.
A test program to be run as part of the system tests that
exercise the exported interfaces will be added in a subsequent
patch.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Frode Nordahl <fnordahl@ubuntu.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
The nlmsg_type element comes from a uint16_t value defined in
lib/netlink-protocol.h.
Suggested-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Frode Nordahl <fnordahl@ubuntu.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Make it consistent with other attributes in the same category,
and also more clear.
Suggested-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Frode Nordahl <fnordahl@ubuntu.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Make it more clear what this element represents.
Suggested-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Frode Nordahl <fnordahl@ubuntu.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>