mirror of https://github.com/openvswitch/ovs synced 2025-08-29 21:38:13 +00:00

17132 Commits

Author SHA1 Message Date
Alin Gabriel Serdean
409f724581 Fix test 'testing ovn -- IP packet buffering' on Windows
The test fails on Windows because of:
<--cut-->
ovn-nbctl: sw0: invalid network address: 2001;1\64
ovn-nbctl: sw1: invalid network address: 2002;1\64
<--cut-->

This is due to the fact that msys converts '::1' into ';1'.

Use IPv6 long form instead of its short variant.

Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Ben Pfaff <blp@ovn.org>
2019-01-28 15:41:54 +02:00
Anand Kumar
c8915346be datapath-windows: Add support for 'OVS_KEY_ATTR_ENCAP' key attribute.
Add a new structure in l2 header to accommodate vlan header,
based on commit "d7efce7beff25052bd9083419200e1a47f0d6066
datapath: 802.1AD Flow handling, actions, vlan parsing, netlink attributes"

Also reset vlan header in flow key, after deleting vlan tag from nbl

With this change a sample vlan flow would look like,
eth(src=0a:ea:8a:24:03:86,dst=0a:cd:fa:4d:15:5c),in_port(3),eth_type(0x8100),
vlan(vid=2239,pcp=0),encap(eth_type(0x0800),ipv4(src=13.12.11.149,dst=13.12.11.107,
proto=1,tos=0,ttl=128,frag=no),icmp(type=8,code=0))

Signed-off-by: Anand Kumar <kumaranand@vmware.com>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
2019-01-28 15:37:59 +02:00
Flavio Leitner
9da3207af7 Revert "ofproto-dpif: Let the dpif report when a port is a duplicate."
This reverts commit 7521e0cf9e88a62f2feff4e7253654557f94877e.

This patch introduced a regression in OSP environments using internal
ports in other netns. Their networking configuration is lost when
the service is restarted because the ports are recreated now.

Before the patch it checked using netlink if the port with a specific
"name" was already there. The check is a lookup in all ports attached
to the DP regardless of the port's netns.

After the patch it relies on the kernel to identify that situation.
Unfortunately the only protection there is register_netdevice() which
fails only if the port with that name exists in the current netns.

If the port is in another netns, it will get a new dp_port and because
of that userspace will delete the old port. At this point the original
port is gone from the other netns and there is a fresh port in the current
netns.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-25 13:20:13 -08:00
Flavio Leitner
d605d6db6a Revert "ofproto-dpif: Check for EBUSY as well"
This reverts commit c65259a9b6e5380ac963944b69949ceb71ae623a.

The original commit 7521e0cf9e88 ("ofproto-dpif: Let the dpif report
when a port is a duplicate.") relies on the kernel to check if the
port exists or not. However, the current kernel code doesn't handle
when the port is moved to another network namespace.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-25 13:20:12 -08:00
Flavio Leitner
c37cb3eea6 Revert "dpif-netlink: Don't destroy and recreate port if it exists"
This reverts commit a38dccb3ee80a1d0b8973191c9e94f045441f8cc.

The original commit 7521e0cf9e88 ("ofproto-dpif: Let the dpif report
when a port is a duplicate.") relies on the kernel to check if the
port exists or not. However, the current kernel code doesn't handle
when the port is moved to another network namespace.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-25 13:20:11 -08:00
Ben Pfaff
b53433079b treewide: Get rid of // comments, even inside comments.
Just a style fix.

With this patch, the following reports no hits:

git ls-files | grep '\.[ch]$' | grep -vE 'datapath|sflow' \
    | xargs grep -n // | grep -vE "http|s/|'|\""

Acked-by: Ilya Maximets <i.maximets@samsung.com>
Reported-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-25 13:09:52 -08:00
Ben Pfaff
5cc463d604 AUTHORS: Add Li RongQing.
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-25 13:08:53 -08:00
Li RongQing
7a17a07d54 flow: fix udp checksum
As per RFC 768, if the calculated UDP checksum is 0, it should be
instead set as 0xFFFF in the frame. A value of 0 in the checksum
field indicates to the receiver that no checksum was calculated
and hence it should not verify the checksum.

Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-25 12:59:20 -08:00
Yanqin Wei (Arm Technology China)
2525148ab3 hash: Implement hash for aarch64 using CRC32c intrinsics.
This commit adds lib/hash-aarch64.h to implement hash for aarch64.
It is based on aarch64 built-in CRC32c intrinsics, which accelerates
hash function for datapath performance.

test:
1. "test-hash" case passed in aarch64 platform.
2.  OVS-DPDK datapath performance test was run (NIC to NIC).
    Test bed: aarch64(Centriq 2400) platform.
    Test case: DPCLS forwarding(disable EMC + avg 10 subtable lookups)
    Test result: improve around 10%.

Signed-off-by: Yanqin Wei <yanqin.wei@arm.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-25 12:57:16 -08:00
Ilya Maximets
39bd2f6b70 ovs-macros.at: Better hide 'exec -a' checking.
There is some issue with parsing of redirection options
on some shells. For example:

  $ (exec -a name true) 2>&1 >/dev/null || echo "failed"
  sh: 10: exec: -a: not found
  failed

  $ (exec -a name true) >/dev/null 2>&1 || echo "failed"
  failed

So, the order of redirections matters for some reason.
Let's replace our current version with simple redirection of stderr.
This version seems to work in most of shells except [t]csh. But it's
really tricky to write portable redirections that work with csh and
this shell will not be used by the testsuite on most of the systems.

With the new version:

  # cat test.sh
  ((exec -a myname true 2>/dev/null) && echo "OK") || echo "fail"

  # sh ./test.sh
  fail
  # bash ./test.sh
  OK
  # tcsh ./test.sh
  -a: Command not found.
  fail

Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-25 11:08:10 -08:00
Aaron Conole
9e4f118e2c stt: Fix return code during xmit.
In the case of an error, return the error code as opposed to
NETDEV_TX_OK.

Caught by compiler warning:

  /home/travis/build/ovsrobot/ovs/datapath/linux/stt.c: In function ‘ovs_stt_xmit’:
  /home/travis/build/ovsrobot/ovs/datapath/linux/stt.c:1005:6: warning: variable ‘err’ set but not used [-Wunused-but-set-variable]
    int err;
        ^

Signed-off-by: Aaron Conole <aconole@redhat.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
2019-01-24 10:23:15 -08:00
Martin Xu
9fe4b2fbd2 rhel: bug fix upgrade path in kmod fedora spec file
This patch removes the "Conflicts" tag and adds "Obsoletes" tag.

With the conflicts tag, when a user attempts to install or upgrade with
the same version as already installed, the conflict kicks in. Otherwise,
such is allowed with --replacepkgs.

Obsoletes is needed for the upgrade path from kmod-openvswitch to
openvswitch-kmod.

Fixes: 22c33c3039 (rhel: support kmod build against mulitple kernel
versions, fedora)

VMware-BZ: #2249788

Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com>
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
CC: Yi-Hung Wei <yihung.wei@gmail.com>
CC: Yifeng Sun <pkusunyifeng@gmail.com>
CC: Zak Whittington <zwhitt.vmware@gmail.com>
CC: Ben Pfaff <blp@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-23 11:55:07 -08:00
Greg Rose
df4f576cf9 datapath: return -EEXIST if inet6_add_protocol fails
Our code to determine whether receive functionality will work with
ip6 gre depends on the return of -EEXIST but inet6_add_protocol()
returns a -1 on failure to grab the pointer via a cmpxchg op.  Just
set the error return to -EEXIST to help out the vport init function.

Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2019-January/048090.html
Reported-by: Ken Ajiro <ken-ajiro@xr.jp.nec.com>
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-23 11:46:05 -08:00
Greg Rose
4a90b277ba compat: Fixup ipv6 fragmentation on 4.9.135+ kernels
Upstream commit 648700f76b03 ("inet: frags: use rhashtables...") changed
how ipv6 fragmentation is implemented.  This patch was backported to
the upstream stable 4.9.x kernel starting at 4.9.135.

This patch creates the compatibility layer changes required to both
compile and also operate correctly with ipv6 fragmentation on these
kernels. Check if the inet_frags 'rnd' field is present to key on
whether the upstream patch is present.  Also update Travis to the
latest 4.9 kernel release so that this patch is compile tested.

Passes Travis:
https://travis-ci.org/gvrose8192/ovs-experimental/builds/478033409

Cc: William Tu <u9012063@gmail.com>
Cc: Yi-Hung Wei <yihung.wei@gmail.com>
Cc: Yifeng Sun <pkusunyifeng@gmail.com>
Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-22 17:08:17 -08:00
Anju Thomas
5dbdb8140a Fix crash due to multiple tnl push action
During slow path packet processing, if the action is to output to a
tunnel port, the slow path processing of the encapsulated packet
continues on the underlay bridge and additional actions (e.g. optional
VLAN encapsulation, bond link selection and finally output to port) are
collected there.

To prepare for a continuation of the processing of the original packet
(e.g. output to other tunnel ports in a flooding scenario), the
“tunnel_push” action and the actions of the underlay bridge are
encapsulated in a clone() action to preserve the original packet.

If the underlay bridge decides to drop the tunnel packet (for example if
both bonded ports are down simultaneously), the clone(tunnel_push))
actions previously generated as part of translation of the output to
tunnel port are discarded and a stand-alone tunnel_push action is added
instead. Thus the tunnel header is pushed on to the original packet.
This is the bug.

Consequences: If packet processing continues with sending to further
tunnel ports, multiple tunnel header pushes will happen on the original
packet as typically the tunnels all traverse the same underlay bond
which is down. The packet may not have enough headroom to accommodate
all the tunnel headers. OVS crashes if it runs out of space while trying
to push the tunnel headers.

Even in case there is enough headroom, the packet will not be freed
since the accumulated action list contains only the tunnel header push
action without any output port action. Thus, we either have a crash or a
packet buffer leak.

Signed-off-by: Anju Thomas <anju.thomas@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-22 15:39:40 -08:00
Aaron Conole
d643d62cb8 travis/linux-build: enable testing with clang builds
The CLANG version of the builds has not honored the TESTSUITE variable.
This dates to at least 2015, and the reason for the restriction isn't
clear.

Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-22 15:37:42 -08:00
Aaron Conole
c0883d8c6f travis: enable testsuite with dpdk
The testsuite flag isn't currently being passed for DPDK.  Let's pass it
and when a future DPDK supports running the check-dpdk suite, we can
turn that on then, too.

Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-22 15:37:41 -08:00
Ben Pfaff
6e87f9f47e seq: Correct example in comment.
It was deceptive for the example to imply that a seq can be declared
directly, because the API only allows for creating a new one on the heap.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Ilya Maximets <i.maximets@samsung.com>
2019-01-22 14:42:16 -08:00
Justin Pettit
fe2870c574 Prepare for post-2.11.0 (2.11.90).
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2019-01-20 22:39:26 -08:00
Justin Pettit
836d1973c5 Prepare for 2.11.0.
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2019-01-20 22:39:00 -08:00
Darrell Ball
d13d711503 conntrack: Fix FTP seq_skew boundary adjustments.
At the same time, splice out a function and also rely on the compiler
for overflow/underflow handling.

Found by inspection.

Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 16:16:17 -08:00
David Marchand
efa29a8910 conntrack: fix expectations for ftp+DNAT.
When configuring the nat part of an expectation, care must be taken to
look at the master nat action and direction to properly reproduce it.

DNAT tests have been added to both active and passive modes, all
ftp/tftp tests titles have been updated to reflect they are dealing with
SNAT.

Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
Co-authored-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 16:16:16 -08:00
David Marchand
253e4dc068 conntrack: fix tcp seq adjustments when mangling commands.
The ftp alg deals with packets in two ways for the command connection:
either they are inspected and can be mangled when nat is enabled
(CT_FTP_CTL_INTEREST) or they just go through without being modified
(CT_FTP_CTL_OTHER).

For CT_FTP_CTL_INTEREST packets, we must both adjust the packet tcp seq
number by the connection current offset, then prepare for the next
packets by setting an accumulated offset in the ct object.  However,
this was not done for multiple CT_FTP_CTL_INTEREST packets for the same
connection.
This is relevant for handling multiple child data connections that also
need natting.

The tests are updated so that some ftp+NAT tests send multiple port
commands or other similar commands for a single control connection.
Wget is not able to do this, so switch to lftp.

Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
Co-authored-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 16:16:10 -08:00
Ben Pfaff
3c61cc7ca9 odp-util: Avoid revalidation error for masked NSH set action.
A masked NSH set action has mdtype 0 because the mdtype is not being
changed, but odp_nsh_key_from_attr() rejects this because mdtype 0 does
not match up with the OVS_NSH_KEY_ATTR_MD1 attribute being present.  This
fixes the problem.

The kernel datapath in flow_netlink function nsh_key_put_from_nlattr() has
a similar exception.

Acked-by: Justin Pettit <jpettit@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 14:08:48 -08:00
Ben Pfaff
29b5c0c364 Fix bugs in L3 protocol support.
Test 854 "tunnel_push_pop - action" showed problems in revalidation for
L3 protocol support in its L3 GRE test.  L3 packets (that is, packets
without an Ethernet header but only some L3 protocol such as IPv4 or IPv6)
have an Ethernet type that is kept in the dl_type member of the flow, and
the flows that they pass through can cause L3 and L4 fields to be matched.
However, the translation process incorrectly forced the dl_type to be
wildcarded, which caused a contradiction since it's not possible to match
on L3 and L4 fields if the dl_type is not known, and the code in
odp_flow_key_to_flow() and related functions therefore rejected these flows
at revalidation time.

This commit fixes the problem by treating dl_type the same for L2 and L3
flows in translation.  It also makes odp_flow_key_to_flow__() copy the
Ethernet type that comes from a packet_type field into dl_type, which is
the expected behavior.

The actual error that this fixes is only visible after applying an upcoming
commit that improves logging for bad datapath flows.

Acked-by: Justin Pettit <jpettit@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 14:08:40 -08:00
Yi-Hung Wei
99a542ea8b selinux: Add missing permissions for ovs-kmod-ctl
Starting from OVS 2.10, ovs-vswitchd may fail to run after system reboot
since it fails to load ovs kernel module.  It is because the conntrack
zone limit feature introduced in OVS 2.10 now depends on
nf_conntrack_ipv4/6 kernel module, and SELinux prevents it from loading the
two kernel modules.

Example log of the AVC violations:
    type=AVC msg=audit(1546903594.735:29): avc:  denied  { execute_no_trans }
    for  pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111
    scontext=system_u:system_r:openvswitch_load_module_t:s0
    tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

    type=AVC msg=audit(1546903594.791:30): avc:  denied  { module_request } for
    pid=819 comm="modprobe" kmod="nf_conntrack-2"
    scontext=system_u:system_r:openvswitch_load_module_t:s0
    tcontext=system_u:system_r:kernel_t:s0 tclass=system

This patch adds the missing permissions for modprobe command in ovs-kmod-ctl
so that the aforementioned issue is resolved.

VMWare-BZ: #2257534
Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 14:03:17 -08:00
Ben Pfaff
30e699b7ec connmgr: Do not send asynchronous messages to rconns lacking protocols.
There are corner cases in which an rconn might not have a defined OpenFlow
protocol or version.  These happen at connection startup, before the
protocol version has been negotiated, and can also happen when a connection
is being shut down.  It's desirable to avoid these situations entirely,
but so far we haven't managed to do this.  This commit avoids trying to
send messages to such connections, which is what really tends to get OVS in
trouble since there's no way to construct an OpenFlow message without
knowing what version of OpenFlow to use (with a few exceptions that don't
matter here).

Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-December/047876.html
Reported-by: Josh Bailey <joshb@google.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 12:36:35 -08:00
Yunjian Wang
c5ad981178 odp-util: Fix parsing QinQ packet in parse_8021q_onward.
The userspace datapath failed to create a new datapath flow
when dealing with QinQ packets (the flow including ip, udp, etc.). L2-L5
header should be considered before parsing the second 802.1Q header.

Fixes: f0fb825a3785 ("Add support for 802.1ad (QinQ tunneling)")
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 10:49:37 -08:00
Toms Atteka
39976b9917 ofpbuf: Fix arithmetic error in ofpbuf_insert().
memmove byte count was calculated incorrectly as ofpbuf_put_uninit
is increasing b->size by n.

This patch fixes it by reducing byte count by n.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12296
Signed-off-by: Toms Atteka <cpp.code.lv@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 10:43:43 -08:00
Ilya Maximets
b48aa1437d checkpatch: Check for C99 style comments.
Coding-style document asks not to use C99 ( '//' ) comments.

Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 09:21:25 -08:00
Ilya Maximets
74920866f4 checkpatch.at: Reduce duplication of equal headers.
Most of the checkpatch tests use equal patch headers that could
be moved to a variable to reduce duplications and code size.

Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-18 09:21:25 -08:00
Ilya Maximets
2fbadeb665 dpif-netdev: Per-port configurable EMC.
Conditional EMC insert helps a lot in scenarios with high numbers
of parallel flows, but in current implementation this option affects
all the threads and ports at once. There are scenarios where we have
different number of flows on different ports. For example, if one
of the VMs encapsulates traffic using additional headers, it will
receive large number of flows but only few flows will come out of
this VM. In this scenario it's much faster to use EMC instead of
classifier for traffic from the VM, but it's better to disable EMC
for the traffic which flows to VM.

To handle the above issue, introduce the 'emc-enable' configurable to
enable/disable EMC on a per-port basis. Ex.:

  ovs-vsctl set interface dpdk0 other_config:emc-enable=false

EMC probability is kept as is and it works for all the ports with
'emc-enable=true'.

Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
2019-01-18 11:54:42 +00:00
Ian Stokes
b9ada830a6 AUTHORS: Add Liang-min Wang.
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
2019-01-18 10:50:26 +00:00
Ben Pfaff
e300b74f5c ofpbuf: Reintroduce assertion on size in ofpbuf_pull().
This assertion was removed as part of a commit that was intended to
just be a cleanup.

Fixes: 6fd6ed71cb9f ("ofpbuf: Simplify ofpbuf API.")
Acked-by: Justin Pettit <jpettit@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-17 16:37:31 -08:00
Ben Pfaff
d350b48d32 poll-loop: Set poll loop initial deadline to LLONG_MAX.
This is consistent with the re-initialization value that poll_block() uses.
It is better than 0 because the monotonic clock can have a negative value,
even though that is rare and pathological.

Found by inspection.

Acked-by: Justin Pettit <jpettit@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-17 16:36:38 -08:00
Yifeng Sun
2e38f13d70 odp-util: Fix a bug in parse_odp_push_nsh_action
In this piece of code, 'struct ofpbuf b' should always point to
metadata so that metadata can be filled with values through ofpbuf
operations, like ofpbuf_put_hex and ofpbuf_push_zeros. However,
ofpbuf_push_zeros may change the data pointer of 'struct ofpbuf b'
and therefore, metadata will not contain the expected values.

This patch fixes it by changing ofpbuf_push_zeros to
ofpbuf_put_zeros.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10863
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-17 16:35:11 -08:00
Ben Pfaff
c3a0862497 AUTHORS: Add shaoke xi.
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-17 16:34:09 -08:00
Ben Pfaff
61265c03f0 netdev-linux: Fix function argument order in sfq_tc_load().
sfq_install__() takes quantum before perturb.

Acked-by: Justin Pettit <jpettti@ovn.org>
Reported-by: shaoke xi <xishaoke.xsk@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-17 16:31:44 -08:00
Ben Pfaff
bc2a84bb06 AUTHORS: Add Shweta Seth.
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-17 16:28:43 -08:00
Ben Pfaff
a3954fd812 ofproto-dpif-xlate: Account mirrored packets only if the VLAN matches.
Until now, OVS has accounted packets to mirrors even if the VLAN selection
criteria did not match.  This fixes the problem.

Acked-by: Justin Pettit <jpettit@ovn.org>
Tested-by: Shweta Seth <shwseth@cisco.com>
Reported-by: Shweta Seth <shwseth@cisco.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-December/047931.html
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-17 16:25:43 -08:00
Ophir Munk
40e940e439 netdev-dpdk: support port representors
Dpdk port representors were introduced in dpdk versions 18.xx.
Prior to port representors there was a one-to-one relationship
between an rte device (e.g. PCI bus) and an eth device (referenced as
dpdk port id in OVS). With port representors the relationship becomes
one-to-many rte device to eth devices.
For example in [3] there are two devices (representors) using the same
PCI physical address 0000:08:00.0: "0000:08:00.0,representor=[3]" and
"0000:08:00.0,representor=[5]".
This commit handles the new one-to-many relationship. For example,
when one of the device port representors in [3] is closed - the PCI bus
cannot be detached until the other device port representor is closed as
well. OVS remains backward compatible by supporting dpdk legacy PCI
ports which do not include port representors.
Dpdk port representors related commits are listed in [1]. Dpdk port
representors documentation appears in [2]. A sample configuration
which uses two representors ports (the output of "ovs-vsctl show"
command) is shown in [3].

[1]
e0cb96204b71 ("net/i40e: add support for representor ports")
cf80ba6e2038 ("net/ixgbe: add support for representor ports")
26c08b979d26 ("net/mlx5: add port representor awareness")

[2]
https://doc.dpdk.org/guides-18.11/prog_guide/switch_representation.html

[3]
Bridge "ovs_br0"
    Port "ovs_br0"
        Interface "ovs_br0"
            type: internal
    Port "port-rep3"
        Interface "port-rep3"
            type: dpdk
            options: {dpdk-devargs="0000:08:00.0,representor=[3]"}
    Port "port-rep5"
        Interface "port-rep5"
            type: dpdk
            options: {dpdk-devargs="0000:08:00.0,representor=[5]"}
    ovs_version: "2.10.90"

Signed-off-by: Ophir Munk <ophirmu@mellanox.com>
Co-authored-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
2019-01-17 23:33:36 +00:00
Yifeng Sun
8ed9df00b6 ofp-actions: Avoid overflow for ofpact_learn_spec->n_bits
ofpact_learn_spec->n_bits is the size of immediate data that is
following ofpact_learn_spec. Now it is defined as 'uint8_t'.
In many places, it gets its value directly from mf_subfield->n_bits,
whose type is 'unsigned int'. If input is large enough, there will
be uint8_t overflow.

For example, the following command will make ovs-ofctl crash:
ovs-ofctl add-flow br0 "table=0, priority=0, action=learn(limit=20  tun_metadata15=0x60ff00000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fffffffffffffff0ffffffffffffffffffffffffffff)"

This patch fixes this issue by changing the type of ofpact_learn_spec->n_bits
from uint8_t to uint32_t.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11870
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-17 10:05:27 -08:00
Ben Pfaff
2c2f4499a4 ovn-nb.xml: Minor documentation corrections.
Acked-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-17 09:33:03 -08:00
Justin Pettit
ab6622364e ovsdb-server: Correct json-rpc comment for "disable-monitor-cond".
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2019-01-16 17:02:53 -08:00
Numan Siddique
1b9870da46 ovn: Add DHCP support for option 67 - bootfile name
Acked-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-16 16:45:16 -08:00
Numan Siddique
78203a9cd3 rhel: Split OpenvSwitch and OVN packages
Up until now, OVN rpms were generated as sub packages of OpenvSwitch.
This patch now splits it and makes OVN rpms independent.

A new spec file - ovn-fedora.spec.in is added for this.
The openvswitch-fedora.spec.in has been modified to create only
OpenvSwitch packages.

Since we are not splitting the OVN code, the spec files run the
same build procedure. Only the required binaries/files are copied
into the rpms.

The new package names will be ovn, ovn-common, ovn-central, ovn-host,
ovn-vtep and ovn-docker.

Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Timothy Redaelli <tredaelli@redhat.com>
Tested-By: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-16 16:42:15 -08:00
Han Zhou
e2ab461a80 sandbox: Fix env for clustered OVN DBs.
When ovn clustered mode is specified, the environment variables
OVN_NB_DB/OVN_SB_DB are wrong. It should be something like
unix:nb1,unix:nb2,unix:nb3 but it turns out to be unix:nb1,unix:nb1,unix:nb2.
So when nb3 becomes leader, the connection will always fail.

It is caused by using an undefined variable $n resulting in the
unexpected result of `seq 2 $n`. This patch fixed it by using the
correct variable $servers.

Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-16 15:25:41 -08:00
Mark Michelson
6f5cc61c07 ovn: Add port addresses to IPAM later.
ipam_add_port_adresses() needs to be called after the peer field is set
on the ovn_port structures. This way, addresses taken by peered router
ports will be added to the logical switch's IPAM and therefore will be
barred from assignment to other ports.

Reported-by: Girish Moodalbail <gmoodalbail@nvidia.com>
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-16 10:46:17 -08:00
Mark Michelson
dcad447342 ovn: Clear dynamic_addresses when addresses are not "dynamic"
When a logical switch port changes to no longer use "dynamic" addresses,
then the dynamic_addresses should be cleared.

Reported-by: Girish Moodalbail <gmoodalbail@nvidia.com>
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-01-16 10:46:17 -08:00
Ian Stokes
edfe8d263d travis: Add dpdk shared library build.
Add travis builds for DPDK as a shared library.

Currently the DPDK builds in travis only compile DPDK as a static library.
With static builds in DPDK there is a risk that if a function is not
exported then it will not be supported when DPDK is used as a shared library.
This commit adds the option to build DPDK as a shared library. Also two
build jobs are added to the travis.yml whereby a shared DPDK is built
with both static and shared OVS libraries.

Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Acked-by: Tiago Lam <tiago.lam@intel.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
2019-01-16 17:20:52 +00:00