Added test cases for encap, decap, replace and forwarding of NSH packets.
Also added a python script 'sendpkt.py' to send hex ethernet frames.
Signed-off-by: Ashish Varma <ashishvarma.ovs@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
This is like netdev_get_in4_by_name() but accepts any IP address instead
of just an IPv4 address.
It will acquire its first user in an upcoming commit.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
The existing functions for working with sockaddr_storage that contain an
IPv4 or IPv6 address are useful. This commit adds more functions for
working with them, as well as a parallel set of functions for struct
sockaddr.
This also adds an initial user for some of the new sockaddr functions in
netdev.c.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
I didn't realize until now that the tree had two different ways of parsing
strings in the form <host>:<port> and <port>:<host>. There are the
long-standing inet_parse_active() and inet_parse_passive() functions, and
more recently the ipv46_parse() function. This commit eliminates the
latter and changes the code to use the former.
The two implementations interpreted some input differently. In particular,
the older functions required IPv6 addresses to be [bracketed], but the
newer ones do not. For compatibility this patch changes the merged code to
use the more liberal interpretation.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Until now, the default_port parameters to these functions have had
different types and different behavior. There is a reason for this, since
it makes sense to listen on a kernel-selected port but it does not make
sense to connect to a kernel-selected port, but this overlooks the
possibility that a caller might want to parse a string in the format
understood by inet_parse_active() without actually using it to connect to
a remote host. This commit makes the behavior consistent and updates all
the callers to work with the new semantics.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
This better reuses existing code. It does require adding a slight variant
on ss_format_address(), but it still seems like a net win.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
The output for this function is a dynamic string and doesn't have a
fixed buffer size, so the comment was wrong.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
This patch drops the '--monitor' argument when running the ovsdb-server.
This can potentially increase the bug detection since the process will not
be restarted in certain situations.
Also, fixes the test under Windows since daemons do not have '--monitor'
argument.
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Suggested-by: Ben Pfaff <blp@ovn.org>
Suggested-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-April/346135.html
Address sets are automatically generated from corresponding port
groups, and can be used directly in ACL match conditions.
There are two address sets generated for each port group:
<port group name>_ip4
<port group name>_ip6
For example, if port_group1 is created, we can directly use below
match condition in ACL:
"outport == @port_group1 && ip4.src == $port_group1_ip4"
This will simplify OVN client implementation, and avoid some tricky
problems such as race conditions when maintaining address set
memberships as discussed in the link below.
Reported-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046174.html
Reviewed-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
ovn-controller when it sends out periodic RA packets, sets '0' in the
Router lifetime field. As per the RFC 4861, lifetime of 0 indicates that
the router is not a default router and SHOULD NOT appear on the default
router list. Without the default route, a VM will not able to reach to
other router ports attached to the same router unless a default route
is added by the user.
ovn-controller when encoding the 'put_nd_ra_opts' action sets the Router
Lifetime field to 0xffff. So this patch also sets the same value when
sending out the periodic RAs.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1567735
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
GitHub uses a library called Licensee to identify a project's license
type. It shows this information in the status bar and via the API if it
can unambiguously identify the license.
This commit creates a LICENSE file that stores the full text of the
Apache license. It also removes the COPYING file and transfers its
contents to a new "License" section in the README.
Collectively, these changes allow Licensee to successfully identify the
license type of Open vSwitch's codebase as Apache.
Submitted-at: https://github.com/openvswitch/ovs/pull/224
Signed-off-by: Andrea Kao <eirinikos@gmail.com>
[blp@ovn.org removed references to COPYING and updated Makefile.am]
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
One issue with this test is that MSYS mangles the shorter form of the IPv6 address.
To solve this, we switch to the longer notation of it.
Another issue is that `printf` command does not add the leading `0` to the packet.
We switch to a more platform independent `awk` substitution.
Co-authored-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
commit f6fabcc624 (ofproto-dpif: Mark packets as "untracked"
after call to ct().) changed the behavior after a call to ct().
The +trk bit would automatically be unset if packet is sent to
ct() and not forked. This caused a bug in the OVN gateway
pipeline when there is SNAT rule as well as load-balancing rule.
In the OVN gateway pipeline for the gateway router, we had an
optimization where the packets sent to unSNAT need not go through
a recirculation. But since doing this now means that the +trk bit
gets unset, the DNAT rules for load-balancing a new packet in the next
table won't get hit.
This commit removes the optimization for unSNAT packets so that
there is always a recirculation.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
This patch enables using port group names in ACL match conditions.
Users can create a port group in northbound DB Port_Group table,
and then use the name of the port group in ACL match conditions
for "inport" or "outport". It can help reduce the number of ACLs
for CMS clients such as OpenStack Neutron, for the use cases
where a group of logical ports share same ACL rules except the
"inport"/"outport" part. Without this patch, the clients have to
create N (N = number of lports) ACLs, and this patch helps achieve
the same goal with only one ACL. E.g.:
to-lport 1000 "outport == @port_group1 && ip4.src == {IP1, IP2, ...}" allow-related
There was a similar attempt by Zong Kai Li in 2016 [1]. This patch
takes a slightly different approach by using weak refs instead of
strings, which requires a new table instead of reusing the address
set table. This way it will also benefit for a follow up patch that
enables generating address sets automatically from port groups to
avoid a lot a trouble from client perspective [2].
An extra benefit of this patch is that it could enable conjunctive
match effectively. As reported at [3], this patch was tested together
with the conjunctive match enhancement patch [4], and huge performance
improvement (more than 10x faster) was seen because of this.
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/077118.html
[2] https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046260.html
[3] https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/344873.html
[4] https://patchwork.ozlabs.org/patch/874433/
Reported-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046166.html
Tested-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Create a document to describe the how it works and known
limitations and update the NEWS accordingly.
Signed-off-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Nothing was clearing the latch, so the loop was busy. This makes it so
the loop only runs on new calls to latch_set() by a separate thread.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
When a Logical_Switch_Port P's options is set with 'requested-chassis=hv1'
and if the user has bound this logical port to two OVS interfaces each in
different host (eg. hv1 and hv2), then ovn-controller in hv1 sets the
P's Port_Binding.chassis to hv1 which is as expected. But on hv2, ovn-controller
is adding OF flows in table 0 and table 65 for the OVS interface instead of
considering 'P' as a remote port. When another logical port bound on hv2,
pings to the logical port 'P', the packet gets delivered to hv2 OVS interface
instead of hv1 OVS interface, which is wrong.
This scenario is most likely to happen when requested-chassis option is used
by CMS during migration of a VM from one chassis to another.
This patch fixes this issue by checking the Port_Binding's "requested-chassis"
option in physical.c before adding the flows in table 0 an 65.
Reported-by: Marcin Mirecki <mmirecki@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/345266.html
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Tested-by: Marcin Mirecki <mmirecki@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Currently, we support offloading of one output port. Remove that
limitation by use of mirred mirror action for all output ports,
except that the last one is mirred redirect action.
Signed-off-by: Chris Mi <chrism@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
When OVS DP passes the actions to TC library, we save all the
actions in data structure tc_flower and each action type has its
own field in tc_flower. So when TC library passes the actions to
kernel, actually the actions order is lost.
We add an actions array in tc_flower to keep the actions order
in this patch.
Signed-off-by: Chris Mi <chrism@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
The commit 9afc6f14ee added a new author
which name was too long that broke the column size. Runinng "make
docs-checks" was failing because of that.
All this patch does is to enlarge the "Name" column to fit the new
author's name.
Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Daniel Alvarez <dalvarez@redhat.com>
Also update the message to be more correct.
Before this commit if there were tc rules that are not of type
flower the log was getting filled quickyl with errors about it
and always appeared to the user when dumping flows from user space.
This commit moves the error to debug and logs it only once.
Signed-off-by: Roi Dayan <roid@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Whenever the acl reject rule is hit by an IPv6 packet send back
an ICMPv6 destination unreachable packet using the icmp6 action
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
icmp6 action is used to replace the IPv6 packet been processed with
an ICMPv6 packet initialized based on incoming IPv6 one.
Ethernet and IPv6 fields not listed are not changed:
- ip.proto = 58 (ICMPv6)
- ip.ttl = 255
- icmp6.type = 1 (destination unreachable)
- icmp6.code = 1 (communication administratively prohibited)
Prerequisite: ip6
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Problem:
========
In user-space tunneling implementation, tnl_arp_snoop() snoops only ARP
*reply* packets to resolve tunnel nexthop IP addresses to MAC addresses.
Normally the ARP requests are periodically sent by the local host IP stack,
so that the ARP cache in OVS is refreshed and entries do not time out.
However, if the remote tunnel nexthop is a VRRP IP, and the gateway
periodically sends gratuitous ARP *requests* to announce itself,
tnl_arp_snoop() treats them as INVALID. Consequently, the ARP cache in OVS
expires after 10 minutes, which results in dropping of the next packet(s)
until a new ARP request is responded to.
Fix:
====
Enhance the tunnel neighbor resolution logic in OVS to not only snoop on
ARP replies but also on gratuitous ARP requests.
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
From: Manohar K C <manohar.krishnappa.chidambaraswamy@ericsson.com>
CC: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Stopwatch was implemented using a Unix-only pipe structure. This commit
changes to using a guarded list and latch in order to pass data between
threads.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This commit is needed since autotest tries to run AT_XFAIL_IF when
AT_SKIP_IF condition is true too.
Currently HAVE_PYTHON is required, but this may change in the future
since many distributions are migrating to python3 as default python
(like Arch Linux or Fedora) and so it can be a good idea to permit to
build OVS using python3.
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
In some environments, builds would fail with the following error:
lib/stopwatch.c: In function ‘stopwatch_exit’:
lib/stopwatch.c:448:5: error: ignoring return value of ‘write’, declared
with attribute warn_unused_result [-Werror=unused-result]
write(stopwatch_pipe[1], &pkt, sizeof pkt);
This patch explicitly ignores the return value of write().
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
The added test verifies that OVS correctly encapsulates an Ethernet
packet with two NSH (MD1) headers, sends it with an Ethernet header
over a patch port and decaps the Ethernet and the two NSH headers on
the receiving bridge to reveal the original packet.
The test case performs the encap() operations in a sequence of three
chained groups to test the correct handling of encap() actions in
group buckets recently fixed in commit ce4a16ac0.
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
When the same encap() header was pushed twice onto a packet (e.g in the
case of NSH in NSH), the translation logic only generated a datapath push
action for the first encap() action. The second encap() did not emit a
push action because the packet type was unchanged.
commit_encap_decap_action() (renamed from commit_packet_type_change) must
solely rely on ctx->pending_encap to generate an datapath push action.
Similarly, the first decap() action on a double header packet does not
change the packet_type either. Add a corresponding ctx->pending_decap
flag and use that to trigger emitting a datapath pop action.
Fixes: f839892a2 ("OF support and translation of generic encap and decap")
Fixes: 1fc11c594 ("Generic encap and decap support for NSH")
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This allows testing ovn-northd behavior when it is run in an HA
configuration.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: aginwala <aginwala@asu.edu>
For a clustered database instance, we want ovn-northd to connect to the
entire cluster, not just the first server.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: aginwala <aginwala@asu.edu>
The ipv6 header len might have extension header, but current
code simply returns fixed ipv6 header length 40-byte.
Signed-off-by: William Tu <u9012063@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch fixes timing related failures in some test cases when run with
-j option. It uses OVS_WAIT_* whereever appropriate. It also fixes the
test case "ovn -- IPv6 periodic RA" wherein the logical port - sw-p1 is
bound on 2 chassis and this causes both the chassis to fight for the port.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
With commit f6fabcc6 ("ofproto-dpif: Mark packets as "untracked" after
call to ct()", after the ct() action, the packet conntrack state is set
to an untracked state, and all the conntrack fields are cleared.
This patch updates ofproto/trace report to reflect this change, so that
it would be easier to debug OpenFlow pipeline with conntrack.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Pull out the NORMAL flow add and deletion. It will be useful for
a follow up patch.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
make flake8-check fails due to missing whitespaces around
arithmetic operator.
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
