The tunnel ttl key is not masked when provided to the tc lib, hence we
wrongly attempted to match on it, when we got non zero ttl key with a zero
mask. Fix it by applying the mask. Use the same practice for the tunnel tos.
Fixes: dd83253e11 ('lib/tc: Support matching on ip tunnel tos and ttl')
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reported-by: Eli Britstein <elibr@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Move the tunnel match fields to be part of the tc/flower key structure.
This is pre-step for being able to apply masked match where needed.
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
'add_managers ()' is filtering add-remote if vswitchd is not started.
However, if we actually filter here we end up with a bricked system,
blackholing all traffic. Allowing add_manager() to proceed may mean
extra churn in controllers in some cases, but this is far better than
the alternative of a bricked system.
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Commit 3f1087c added a per zone limit test which relied on the
CHECK_CT_DPIF_FLUSH_BY_CT_TUPLE m4 macro to skip the test when executing
in a userspace datapath (since the per zone limit feature is not yet
implemented in userspace). That macro, however, has been removed in
commit 271e48a ("conntrack: Support conntrack flush by ct 5-tuple")
which was causing the test to fail when executing in userspace.
Instead, a new m4 macro, CHECK_CT_DPIF_PER_ZONE_LIMIT, is introduced to
make the same differentiation, until userspace doesn't support the per
zone limit.
CC: Yi-Hung Wei <yihung.wei@gmail.com>
Fixes: 3f1087c ("system-traffic: Add conntrack per zone limit test case")
Signed-off-by: Tiago Lam <tiago.lam@intel.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
This patch alters the 'ovn-nbctl lsp-set-addresses' command to check if
the IP addresses being added are duplicates of already-set IP addresses.
Test cases have been added for this detection.
This patch also adds a warning message to ovn-northd if duplicate IPv4
addresses are detected on a switch.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Upstream commit:
commit 84581bdae9587023cea1d139523f0ef0f28bd88d
Author: Xin Long <lucien.xin@gmail.com>
Date: Mon Aug 27 18:41:32 2018 +0800
erspan: set erspan_ver to 1 by default when adding an erspan dev
After erspan_ver is introudced, if erspan_ver is not set in iproute, its
value will be left 0 by default. Since Commit 02f99df1875c ("erspan: fix
invalid erspan version."), it has broken the traffic due to the version
check in erspan_xmit if users are not aware of 'erspan_ver' param, like
using an old version of iproute.
To fix this compatibility problem, it sets erspan_ver to 1 by default
when adding an erspan dev in erspan_setup. Note that we can't do it in
ipgre_netlink_parms, as this function is also used by ipgre_changelink.
Fixes: 02f99df1875c ("erspan: fix invalid erspan version.")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixes: 5e720da59d ("erspan: fix invalid erspan version.")
Cc: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
In ACL rate-limiting test, we send three sets of 100 packets. One of
the sets drops packets at a rate of 10 per second, one at a rate of 5
per second, and one not at all. On my setup, it takes roughly 0.67
seconds to send those 300 packets, but we have reports of it taking over
15 seconds on others. The test was intended to allow some flexibility
in run-time, but it's very difficult to design a mechanism that can all
possibilities.
To prevent false test failures, this patch changes the test to check
the duration count of the meter, and if it's greater than nine seconds,
just skip the test.
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Reported-by: Thomas Goirand <zigo@debian.org>
Linux has an idea of process name that is visible in /proc/$pid/comm. This
is "ovs-vswitchd" for a freshly started ovs-vswitchd process. When the
monitor code restarted a crash child, it changed it to the empty string.
This confused the daemon_is_running check in ovs-lib.in, which checks
comm. This commit fixes the problem by setting the program name as comm
in newly restarted children.
VMware-BZ: #2191724
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Gurucharan Shetty <guru@ovn.org>
Many OVS tests wait up for 10 seconds for a condition to become true.
Usually these conditions are ones that should take only a second or so to
actually become true in practice, but on a busy and slow machine it's
possible that some tests might fail or come close to failing because 10
seconds is simply not enough there.
This commit adds logging for the case where a condition actually succeeds
to indicate the amount of time that was waited. This should make it easier
to identify whether we need to increase the maximum wait time from 10
seconds to something longer, by allowing us to see whether some of the
successful waits came close to timing out.
Reported-by: Thomas Goirand <zigo@debian.org>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-September/047340.html
Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: Thomas Goirand <zigo@debian.org>
Define a variable _ovs_config_extra_flags to allow passing more flags to
configure when building OVS kmod RPM. For example, to build with a
non-standard openssl and add an RPATH, use the following command
make rpm-fedora-kmod RPMBUILD_OPT='-D "_ovs_config_extra_flags
--with-openssl=<path to your openssl header> LDFLAGS=\"\${LDFLAGS} -Xlinker
-rpath=<path to your openssl lib>\""'
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Reviewed-by: Markos Chandras <mchandras@suse.de>
Patch 22c33c3039 used /usr/src/linux/<kernel version> as path of the
linux headers, which does not work for SLES. Use /lib/modules/<kernel
version>/build instead.
Fixes 22c33c3039 (rhel: support kmod build against mulitple kernel versions,
fedora)
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Markos Chandras <mchandras@suse.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Reviewed-by: Markos Chandras <mchandras@suse.de>
This commit improves test coverage of the ossfuzz flow extract test harness
by extending the harness with additional API calls from lib/flow.c
An additional minor change is adding a config option to
flow_extract_target.options file in `tests/ossfuzz/config` to suppress
debug output while fuzzing.
A cursory evaluation shows that the patch covers 8 additional files and
improves line coverage of lib/flow.c from 23% to 37%.
Signed-off-by: Bhargava Shastry <bshastry at sect.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
dpif_netdev_meter_get() retrieved a pointer to a meter entry without
holding a lock. It's possible that another thread could have deleted
that entry between retrieving the pointer and dereferencing the pointer.
This makes the function hold the lock the entire time the meter entry is
needed.
Found by inspection.
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Flavio Leitner <fbl@sysclose.org>
This fixes the following warning when building Open vSwitch on the
openSUSE Build Service:
W: non-executable-script /usr/share/bash-completion/completions/ovs-appctl-bashcomp.bash
This text file contains a shebang or is located in a path dedicated
for executables, but lacks the executable bits and cannot thus be
executed. If the file is meant to be an executable script, add the
executable bits, otherwise remove the shebang or move the file
elsewhere.
The file is meant to be sourced instead of executed, so we can simply
drop the shebang.
Signed-off-by: Markos Chandras <mchandras@suse.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
On older kernels, for example 3.19, the function rt6_get_cookie() is
not available and used with ipv6 config enabled; it was introduced in
4.2. Put back the replacement function if it does not exist.
Add a 3.19 version to travis.
CC: Yifeng Sun <pkusunyifeng@gmail.com>
Fixes: bf61b8b1c1 ("datapath: Add support for kernel 4.16.x & 4.17.x.")
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: Yifeng Sun <pkusunyifeng@gmail.com>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
A previous commit attempted to fix the error path when the actions nested
within clone provoked an error. However, this commit just introduced a new
problem in another case, since it made ofpacts_pull_openflow_actions__()
restore a previously valid pointer to data that might have been
reallocated.
This commit takes another approach. Instead of trying to restore anything
at all, it just defines ofpacts_pull_openflow_actions__() to clear the
output buffer when there's an error. It seems that this is less error
prone. Most of the callers don't care; this commit fixes up the ones that
do.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9975
Fixes: 20cdd1dbd5 ("ofp-actions: Avoid assertion failure for clone(ct(...bad actions...)).")
Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: Yifeng Sun <pkusunyifeng@gmail.com>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
The set of supported values specified.
Style fixed to look good in man page. Fixed indents.
CC: Paul Blakey <paulb@mellanox.com>
Fixes: 691d20cbdc ("other-config: Add tc-policy switch to
control tc flower flag")
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Since we are packaging OVN and OVS components separately, libovn
shouldn't belong to OVS, so move it to ovn-common. Also, remove
it from libopenvswitch-dev.
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: aginwala <aginwala@ebay.com>
OVS reads packets in batches from a given port and packets in the
batch are subjected to potentially 3 levels of lookups to identify
the datapath megaflow entry (or flow) associated with the packet.
Each megaflow entry has a dedicated buffer in which packets that match
the flow classification criteria are collected. This buffer helps OVS
perform batch processing for all packets associated with a given flow.
Each packet in the received batch is first subjected to lookup in the
Exact Match Cache (EMC). Each EMC entry will point to a flow. If the
EMC lookup is successful, the packet is moved from the rx batch to the
per-flow buffer.
Packets that did not match any EMC entry are rearranged in the rx batch
at the beginning and are now subjected to a lookup in the megaflow cache.
Packets that match a megaflow cache entry are *appended* to the per-flow
buffer.
Packets that do not match any megaflow entry are subjected to slow-path
processing through the upcall mechanism. This cannot change the order of
packets as by definition upcall processing is only done for packets
without matching megaflow entry.
The EMC entry match fields encompass all potentially significant header
fields, typically more than specified in the associated flow's match
criteria. Hence, multiple EMC entries can point to the same flow. Given
that per-flow batching happens at each lookup stage, packets belonging
to the same megaflow can get re-ordered because some packets match EMC
entries while others do not.
The following example can illustrate the issue better. Consider
following batch of packets (labelled P1 to P8) associated with a single
TCP connection and associated with a single flow. Let us assume that
packets with just the ACK bit set in TCP flags have been received in a
prior batch also and a corresponding EMC entry exists.
1. P1 (TCP Flag: ACK)
2. P2 (TCP Flag: ACK)
3. P3 (TCP Flag: ACK)
4. P4 (TCP Flag: ACK, PSH)
5. P5 (TCP Flag: ACK)
6. P6 (TCP Flag: ACK)
7. P7 (TCP Flag: ACK)
8. P8 (TCP Flag: ACK)
The megaflow classification criteria does not include TCP flags while
the EMC match criteria does. Thus, all packets other than P4 match
the existing EMC entry and are moved to the per-flow packet batch.
Subsequently, packet P4 is moved to the same per-flow packet batch as
a result of the megaflow lookup. Though the packets have all been
correctly classified as being associated with the same flow, the
packet order has not been preserved because of the per-flow batching
performed during the EMC lookup stage. This packet re-ordering has
performance implications for TCP applications.
This patch preserves the packet ordering by performing the per-flow
batching after both the EMC and megaflow lookups are complete. As an
optimization, packets are flow-batched in emc processing till any
packet in the batch has an EMC miss.
A new flow map is maintained to keep the original order of packet
along with flow information. Post fastpath processing, packets from
flow map are *appended* to per-flow buffer.
Signed-off-by: Vishal Deep Ajmera <vishal.deep.ajmera@ericsson.com>
Co-authored-by: Venkatesan Pradeep <venkatesan.pradeep@ericsson.com>
Signed-off-by: Venkatesan Pradeep <venkatesan.pradeep@ericsson.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
The macros are hard to read. This makes it a little more readable.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
In the scenario of XL710, the link speed which stored in the table
of Interface is not 40G. Because the implementation of query of link
speed only support to 10G, the parameter 'current' will be a random
value in the scenario of higher link speed. In this case, incorrect
link speed of XL710 nic will be stored in the database.
Signed-off-by: Xu Binbin <xu.binbin1@zte.com.cn>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Prior to the OVS 2.9 development cycle, any flow that sent a packet to a
controller required that the flow be slow-pathed. In some cases this led
to poor performance, so OVS 2.9 made controller actions fast-pathable. As
a side effect of the change, "ovs-appctl ofproto/trace -generate" no longer
sent packets to the controller. This usually didn't matter but it broke
the Faucet tutorial, which relied on this behavior. This commit
reintroduces the original behavior and thus should fix the tutorial.
CC: Justin Pettit <jpettit@ovn.org>
Fixes: d39ec23de3 ("ofproto-dpif: Don't slow-path controller actions.")
Reported-by: macman31 <https://github.com/macman31>
Reported-at: https://github.com/openvswitch/ovs-issues/issues/145
Reported-by: Brad Cowie <brad@cowie.nz>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-August/047234.html
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Commit [1] added a new action 'nd_na_router' to set the router bit
in the 'flags' field of the Neighbour Adv packet for router IPs.
This action was used in the router pipeline. But the logical switch
pipeline also adds the Neighbour Adv flows for router IPs but with
'nd_na' action (which the commit [1] didn't handle).
This patch fixes this by changing the action to 'nd_na_router' for
router IPs.
Without this patch, the IPv6 functionality is broken.
[1] - "c9756229ed: ovn: Set proper Neighbour Adv flag when replying
for NS request for router IP"
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Han Zhou <hzhou8@ebay.com>
Add support for kernel version up to 4.17.x. On Travis, build passed
for all kernel versions. And no new test fails are introduced by this
patch.
Cleaned up file datapath/linux/compat/include/net/ip6_fib.h which
has no effect to kernel module but brings complexity to porting.
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Tested-by: Greg Rose <gvrose8192@gmail.com>
This test only worked if each OpenFlow port was assigned a particular
datapath port number: p1 to port 3, p2 to port 2, p3 and p4 to port 1.
This happened consistently on little-endian architectures because of the
use of a particular hash function, but on big-endian architectures it
failed because the hash function was different.
This commit fixes the problem by adding the non-dummy ports separately.
(Dummy ports try to take the datapath port number corresponding to their
name, when it is available.) This does result in swapping a couple of
datapaths port numbers, so that p1 has port 1, p2 has port 2, and the
erspan ports have port 3, hence the size of the patch.
Reported-by: James Page <james.page@canonical.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-August/351382.html
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: William Tu <u9012063@gmail.com>
Add two options, one for controlling the ovs daemon user/group, and the
other for controlling the ovn daemon user/group. This allows a fine-grained
split between OVN and OVS daemons, and keeps the syntax and user/group
separation from ovs-ctl when running ovn-ctl.
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch ports changes from kmod rhel6 spec file to fedora spec file,
to support packaging kernel modules built against multiple versions of
kernel sources.
RHEL 7.4 introduced backward incompatible changes in the kernel. As
a result, prebuilt PRM packages against kernels newer than 693.17.1
will cannot be used on systems with older kernels, vice versa.
Intended to work only on RHEL 7.4 (kernel version 3.10.0-693.yy.zz).
This patch allows multiple kernel version numbers delimited by
whitespace to be passed as variable "kversion". The result RPM packages
the kernel module .ko files from all specified kernel versions. For
example,
make rpm-fedora-kmod \
RPMBUILD_OPT='-D "kversion 3.10.0-693.1.1.el7.x86_64 \
3.10.0-693.17.1.el7.x86_64"'
By default, make tries to build against the current running kernel.
This patch also includes a script to update the weak-update symlinks
if the system kernel version is upgraded or downgraded after
openvswitch-kmod is installed.
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
CC: Greg Rose <gvrose8192@gmail.com>
CC: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Flavio Leitner <fbl@redhat.com>
Current LR dynamic ARP learning support only ARP responses. If a
IP-MAC binding is learned, it will not get updated even if a host
send a GARP *request* to inform the new binding. This patch supports
learning neighbor changes from ARP requests, including GARP requests.
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Currently ovn LR datapath responds ARP requests even if the ARP
requestor's src IP doesn't belong to the LR port's subnets. This
may generate unnecessary ARP responses and there could also be
security concerns. This patch restricts the ARP response only if
the requestor's IP matches the LR port's subnets.
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This reduces the amount of logging when higher-level code retries binding
ports that are in use.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
If the kernel reported a value of 0 for the second value in
/proc/net/psched, it would cause a division-by-zero fault in
read_psched(). I don't know of a kernel that would actually do that, but
it's still better to be safe.
Found by clang static analyzer.
Reported-by: Bhargava Shastry <bshastry@sect.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
The "wait" command in ovsdb-client (which was introduced as part of the
clustering support) fairly often logs things that are normal for it but
in other circumstances might be cause for concern, for example messages
about being unable to connect to a remote. Until now, it has tried to
suppress some of those itself by raising log levels. Unfortunately, in
some cases this had the opposite effect because it overrode any settings on
the command line, such as an attempt in ovsdb-cluster.at to suppress all
logging related to the timeval module. This commit drops the special
log levels from the "wait" command and puts equivalents into the tests
themselves.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
decode_NXAST_RAW_CT() temporarily pulls data off the beginning of its
ofpacts output ofpbuf and, on its error path, fails to push it back on.
At a higher layer, decode_NXAST_RAW_CLONE() asserts, via
ofpact_finish_CLONE(), that the ofpact_clone that it put is still in the
place where it put it, which causes an assertion failure.
The root cause here is the failure to re-push the clone header. One could
fix that, but it would be pretty easy for that to go wrong again on some
other obscure error path. Instead, this commit just makes the problem go
away by always saving and restoring 'ofpact->data' if a decode fails.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9862
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Commit 92d0d515d ("dpif-netlink: Probe for broken Linux meter
implementations.") introduced a deadlock on the 'once' structure
declared in probe_broken_meters() with the following callstack:
probe_broken_meters()
probe_broken_meters__()
dpif_netlink_meter_set()
probe_broken_meters()
This commit introduce a modified version of dpif_netlink_meter_set()
that sets a meter without calling the probe.
Reported-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
