git.cascardo.eti.br Git - cascardo/ovs.git/log

ovs-ofctl: Fix replace-flows.

The replace-flows test cases tested for incorrect
behavior due to the missing initialization of the out_group member of
struct ofputil_flow_stats_request. This patch fixes this by properly
initializing out_group to OFPG_ANY.

Note that replace-flows still does not support multiple tables, but
that will be fixed in a later patch in the series.

Reported-by: YAMAMOTO Takashi <yamamoto@midokura.com>
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: YAMAMOTO Takashi <yamamoto@midokura.com>

ovn: Support multiple router ports per logical switch.

This allows multiple subnets to be routed directly to a logical switch.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Add test for logical router ARP replies.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

physical: Fix implementation of logical patch ports.

Logical patch ports do not have a physical location and effectively reside
on every hypervisor.  This is fine for unicast output to logical patch
ports.  However, when a logical patch port is part of a logical multicast
group, lumping them together with the other "local" ports in a multicast
group yields packet duplication, because every hypervisor to which the
packet is tunneled re-outputs it to the logical patch port.

This commit fixes the problem, by treating logical patch ports as remote
rather than local when they are part of a logical multicast group.  This
yields exactly-once semantics.

Found while testing implementation of ARP in OVN logical router.  The
following commit adds a test that fails without this fix.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Implement the ability to send a packet back out its input port.

Otherwise logical router ARP replies won't work as implemented.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

logical-fields: New header for logical field assignments.

The original concept for "expr" and "actions" was that they should not need
to know anything about the mapping between physical and logical fields,
that instead everything should be provided via the symbol table.  In
practice this has proven difficult because a couple of actions need to know
about logical fields.  For now, it seems reasonable to put the logical
field mapping into a header of its own.  Later, maybe we'll figure out
whether there's value in a less leaky abstraction.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

packets: Make ip_parse_masked() pickier about formatting.

It's happened a couple of times now that I've entered a typoed IP address,
e.g. "192.168.0.0$x", and ip_parse_masked() or its predecessor has accepted
it anyway, and it's been hard to track down the real problem. This change
makes the parser pickier, by disallowing trailing garbage.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Implement basic logical L3 routing.

This implements basic logical L3 routing.  It has a lot of caveats,
including the following regarding testing:

   * Only single-router hops have been tested.  Chains or trees of
     logical routers may work but definitely need testing and may
     need a little extra code.

   * No testing of logical router ARP replies.

   * Not enough testing in general.

ovn/TODO describes a lot of other caveats in terms of the work needed
to fix them.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-northd: Add stages for logical routers.

Until now, ovn-northd has only set up flows for logical switches. With the
arrival of logical routers, it needs to set up flows for them too. The
stages within logical routers are completely different from those for
logical switches, so this prepares for that by adding logic for identifying
those stages.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

packets: New function ip_parse_masked().

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-nb: Add "enabled" column to Logical_Router_Port.

This is just for symmetry with Logical_Port, since it seems that if users
want to be able to disable switch ports they might want to disable router
ports as well.

There is no "up" column because a logical router port doesn't have the same
concept.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-nb: Change how router ports work.

This is for two reasons.  First, a router port is not really much of a
special case from a logical switch's point of view.  For switching
purposes, it works exactly the same as any other port.  Having a special
column for it just adds artificial special cases.

Second, the previous form of router ports specified that all of them use
the logical port name "ROUTER".  This seemed to make sense at the time but
now it is just adding more special cases.  Instead just giving them names
like any other port makes life easier.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-nb.xml: Reorganize documentation for Logical_Port table.

This uses the column grouping feature and the ability to document an
individual key within a column to better, in my opinion, organize the
documentation for the Logical_Port table.

This will make it easier to document a new port type that a future commit
will add.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-nb: Add support for IP+MAC binding pairs in Port_Binding 'address'.

When a logical router can statically obtain the IP+MAC pairs for its
attached logical switches, it can avoid expensive ARP resolution.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-nb: Rename Port_Bindings 'macs' column to 'addresses'.

In an upcoming commit this column will also support IP+MAC pairs.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-nb: Extend schema to support networks of routers.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Add new predicates for matching broadcast and multicast packets.

In my opinion, "eth.mcast" is a bit more readable than "eth.dst[40]", and
so on.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Implement logical patch ports.

This implementation is suboptimal for several reasons.  First, it
creates an OVS port for every OVN logical patch port, not just for the
ones that are actually useful on this hypervisor.  Second, it's
wasteful to create an OVS patch port per OVN logical patch port, when
really there's no benefit to them beyond a way to identify how a
packet ingressed into a logical datapath.

There are two obvious ways to improve the situation here, by modifying
OVS:

    1. Add a way to configure in OVS which fields are preserved on a
       hop across an OVS patch port.  If MFF_LOG_DATAPATH and
       MFF_LOG_INPORT were preserved, then only a single pair of OVS
       patch ports would be required regardless of the number of OVN
       logical patch ports.

    2. Add a new OpenFlow extension action modeled on "resubmit" that
       also saves and restores the packet data and metadata (the
       inability to do this is the only reason that "resubmit" can't
       be used already).  Or add OpenFlow extension actions to
       otherwise save and restore packet data and metadata.

We should probably choose one of those in the medium to long term, but
I don't know which one.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-controller: Rename "ovn-patch-port" to "ovn-localnet-port".

An upcoming patch will introduce a different use for patch ports, so
ovn-patch-port would become an ambiguous name.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

patch: Allow client to determine port names.

Calculating the patch port names from the bridge names makes sense when
there's only one pair of patch ports between a pair of bridges, but that
won't be the case for an upcoming use of patch ports.

This changes makes it easy to check for existing patch ports in
create_patch_port(), instead of in its caller, and since that seems like a
more sensible place this change also moves it there.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

patch: Refactor to better support new kinds of patches.

Until now, the code here lumped together what was necessary to create and
destroy patch ports, with what was necessary to identify the patch ports
that were needed. An upcoming patch will add new reasons to create patch
ports, so this commit more cleanly separates those two functions.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

patch: Bail out earlier if OVS IDL transactions cannot be executed.

The whole point of this module is side effects on the Open vSwitch
database, so the whole thing can be skipped if those are impossible.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-controller: Factor patch port management into new "patch" module.

Upcoming patches will introduce new extensive use of patch ports and it
seems reasonable to put it into its own file.

This is mostly code motion. Code changes are limited to those necessary
to make the separated code compile, except for renaming
init_bridge_mappings() to patch_run().

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Update TODO, ovn-northd flow table design, ovn-architecture for L3.

This is a proposed plan for logical L3 in OVN. It is not entirely
complete but it includes many important details and I believe that it moves
planning forward.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-sb: Document "ip.ttl--;" action.

This was implemented by commits a while back, but the documentation was
accidentally omitted.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ofp-actions: Fix build on earlier GCC.

GCC4.4 gets confused by anonymous fields + flexible fields, complains:
lib/ofp-actions.h:510: error: flexible array member in otherwise empty
struct
lib/ofp-actions.h:512: error: bit-field ‘build_assert_failed’ width not
an integer constant
lib/ofp-actions.h:514: error: bit-field ‘build_assert_failed’ width not
an integer constant

Fix the problem by specifying the actions length as zero.

Reported-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>

atlocal.in: Hide a harmless error on Windows.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Joe Stringer <joestringer@nicira.com>

windefs: Redefine INET6_ADDRSTRLEN for Windows.

Windows has INET6_ADDRSTRLEN defined as 65 whereas
POSIX has it as 46. This difference causes a unit test
failure as the test 'tunnel_push_pop' was looking at o/p
format based on the length of INET6_ADDRSTRLEN.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Joe Stringer <joestringer@nicira.com>

ofproto: Correct encoding and decoding of group desc properties.

* encode: if properties are present include their length in
          value of the length field of the group desc
* decode: use the value of the length field to calculate the length of
          properties rather than assuming that the rest of the message
          is properties. This assumption is not correct as a message
          may contain multiple group descs.

Fixes: 18ac06d3546e ("ofp-util: Encoding and decoding of (draft) OpenFlow 1.5 group messages.")
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovn.at: Add test for gateway.

This test exposed a problem that ovn-controller-vtep doesn't properly
set up the "Mcast_Macs_Remote" table, which prevents broadcasts from
being sourced from the physical side of the VTEP. That issue needs to
be resolved, and then the full set of gateway traffic patterns can run.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-controller: Support multiple encaps simultaneously.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-controller: Support VXLAN enapsulation.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-sbctl: Add multiple encaps with "chassis-add".

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-controller.8: Correct reference to "ovn-encap-type".

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn: Add stateful ACL support.

Add support for the "allow-related" ACL action.  This is dependent on
the OVS conntrack functionality, which is not available on all platforms
or kernel versions.

Here is a sample policy that will allow all tenants in logical switch
"ls0" to SSH to each other.  Anyone can make an HTTP request to "lp0".
All other IP traffic is dropped:

  ovn-nbctl acl-add ls0 from-lport 100 ip allow-related
  ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related
  ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \
            && tcp.dst==80" allow-related
  ovn-nbctl acl-add ls0 to-lport 1 ip drop

Note: Kernel conntrack support is checked into the mainline Linux
kernel, but hasn't been backported to the main OVS repo yet.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-controller: Un-inline get_chassis_by_name().

I don't know of any reason to inline this.

Also rename for consistency with get_bridge().

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

nx-match: Serialize match on IP TTL even when outputting OXM.

The 'oxm' parameter to nxm_put_ip() indicates whether NXM or OXM code
points should be used in cases where both exist. It shouldn't cause
matches to be dropped entirely, since that changes the meaning, but that's
what was done here for matches on the IP (v4 or v6) TTL. This commit
fixes the problem.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-nbctl: Remove external-ids commands.

Users are served just as well through the general-purpose "set" and "get"
database commands, so avoid the additional code and documentation.

(ovs-vsctl does have special external-ids commands for bridges, but those
exist because of special handling for "fake bridges".)

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Change h1 titles to title case in documentation.

Manpage section titles are traditionally all-uppercase, but OVS's
XML-to-nroff translator takes care of that and there's no need to actually
provide them in all-caps (and it looks ugly).

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Implement logical action to decrement IPv4 TTL.

This is necessary for IPv4 routing.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Extend logical "next" action to jump to arbitrary flow tables.

This makes it easier to route a "destination unreachable" message
generated because of an IP routing failure, because the destination
unreachable message must itself be routed the same way.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

vswitch.xml: Add caveat to flow-limit.

This option should only be tweaked by developers investigating the
behaviour of flow caching, so recommend that this option is not used.

Signed-off-by: Joe Stringer <joestringer@nicira.com>

vswitch.xml: Update docs for max-idle.

When this configuration parameter was initially introduced into the
database, the documentation was not updated to describe where it
resides. Add the documentation, with the caveat that in most situations,
there is no need to tweak this option and it is primarily present for
the benefit of developers working on flow caching.

Fixes: 72310b041cfa ("upcall: Configure datapath max-idle through ovs-vsctl.")
Reported-by: Hadar Hen Zion <hadarh@dev.mellanox.co.il>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn.at: Fix tab/space issues.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-sbctl.8: Fix bridge modification references.

Likely copy and paste errors from the "ovs-vsctl" man page.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

vtep: Make stats and status columns ephemeral.

These fields don't need to be stored, and it causes a lot of unnecessary
writes to the database log.

This commit also fixes a couple of trivial indentation issues with
previous ephemeral declarations.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

expr: Document error handling for expr_annotate().

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn: Fix space/tab issues from man pages.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovs-sim.1.xml: Fix tab/space issue.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

vswitch.xml: Untabify and reindent.

This is a large patch but it is entirely whitespace changes.

Suggested-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovsdb-idl: Test script for Python register_columns function

Add test scripts to exercise the register_columns() function of the
Python IDL. Add ability to specify columns in the "idl" command of
test-ovsdb.py. All columns of all tables are monitored by default.
The new "?" option can be used to monitor specific Table:Column(s).
The table and their columns are listed as a string of the form starting
with "?":
      ?<table-name>:<column-name>,<column-name>,...
  e.g.:
      ?simple:b - Monitor column "b" in table "simple"
  Entries for multiple tables are seperated by "?":
      ?<table-name>:<column-name>,...?<table-name>:<column-name>,...
  e.g.:
      ?simple:b?link1:i,k - Monitor column "b" in table "simple",
                            and column "i", "k" in table "link1"

Signed-off-by: Shad Ansari <shad.ansari@hp.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

system-traffic: Add ct tests using local stack.

When interacting with the local stack, the kernel may provide packets
with existing ct state as they ingress OVS. These tests check that we
are able to connection-track such packets successfully in non-zero
zones, using slightly more realistic pipelines.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Daniele Di Proietto <diproiettod@vmware.com>

dpif-netlink: Allow MRU packet attribute.

User space now may receive re-assembled IP fragments. The user space
netlink handler can now accept packets with the new OVS_PACKET_ATTR_MRU
attribute. This allows the kernel to assemble fragmented packets for the
duration of OpenFlow processing, then re-fragment at output time. Most
notably this occurs for packets that are sent through the connection
tracker.

Note that the MRU attribute is not exported at the OpenFlow layer. As
such, if packets are reassembled by conntrack and subsequently sent to
the controller, then OVS has no way to re-serialize the packets to their
original size.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

Add support for connection tracking helper/ALGs.

This patch adds support for specifying a "helper" or ALG to assist
connection tracking for protocols that consist of multiple streams.
Initially, only support for FTP is included.

Below is an example set of flows to allow FTP control connections from
port 1->2 to establish active data connections in the reverse direction:

    table=0,priority=1,action=drop
    table=0,arp,action=normal
    table=0,in_port=1,tcp,action=ct(alg=ftp,commit),2
    table=0,in_port=2,tcp,ct_state=-trk,action=ct(table=1)
    table=1,in_port=2,tcp,ct_state=+trk+est,action=1
    table=1,in_port=2,tcp,ct_state=+trk+rel,action=ct(commit),1

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

Add connection tracking label support.

This patch adds a new 128-bit metadata field to the connection tracking
interface. When a label is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_label" field in the flow.

For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a label with
those connections:

    table=0,priority=1,action=drop
    table=0,arp,action=normal
    table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_label)),2
    table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
    table=1,in_port=2,ct_state=+trk,ct_label=1,tcp,action=1

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

Add connection tracking mark support.

This patch adds a new 32-bit metadata field to the connection tracking
interface. When a mark is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_mark" field in the flow.

For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a mark with those
connections:

    table=0,priority=1,action=drop
    table=0,arp,action=normal
    table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
    table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
    table=1,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

Add support for connection tracking.

This patch adds a new action and fields to OVS that allow connection
tracking to be performed. This support works in conjunction with the
Linux kernel support merged into the Linux-4.3 development cycle.

Packets have two possible states with respect to connection tracking:
Untracked packets have not previously passed through the connection
tracker, while tracked packets have previously been through the
connection tracker. For OpenFlow pipeline processing, untracked packets
can become tracked, and they will remain tracked until the end of the
pipeline. Tracked packets cannot become untracked.

Connections can be unknown, uncommitted, or committed. Packets which are
untracked have unknown connection state. To know the connection state,
the packet must become tracked. Uncommitted connections have no
connection state stored about them, so it is only possible for the
connection tracker to identify whether they are a new connection or
whether they are invalid. Committed connections have connection state
stored beyond the lifetime of the packet, which allows later packets in
the same connection to be identified as part of the same established
connection, or related to an existing connection - for instance ICMP
error responses.

The new 'ct' action transitions the packet from "untracked" to
"tracked" by sending this flow through the connection tracker.
The following parameters are supported initally:

- "commit": When commit is executed, the connection moves from
  uncommitted state to committed state. This signals that information
  about the connection should be stored beyond the lifetime of the
  packet within the pipeline. This allows future packets in the same
  connection to be recognized as part of the same "established" (est)
  connection, as well as identifying packets in the reply (rpl)
  direction, or packets related to an existing connection (rel).
- "zone=[u16|NXM]": Perform connection tracking in the zone specified.
  Each zone is an independent connection tracking context. When the
  "commit" parameter is used, the connection will only be committed in
  the specified zone, and not in other zones. This is 0 by default.
- "table=NUMBER": Fork pipeline processing in two. The original instance
  of the packet will continue processing the current actions list as an
  untracked packet. An additional instance of the packet will be sent to
  the connection tracker, which will be re-injected into the OpenFlow
  pipeline to resume processing in the specified table, with the
  ct_state and other ct match fields set. If the table is not specified,
  then the packet is submitted to the connection tracker, but the
  pipeline does not fork and the ct match fields are not populated. It
  is strongly recommended to specify a table later than the current
  table to prevent loops.

When the "table" option is used, the packet that continues processing in
the specified table will have the ct_state populated. The ct_state may
have any of the following flags set:

- Tracked (trk): Connection tracking has occurred.
- Reply (rpl): The flow is in the reply direction.
- Invalid (inv): The connection tracker couldn't identify the connection.
- New (new): This is the beginning of a new connection.
- Established (est): This is part of an already existing connection.
- Related (rel): This connection is related to an existing connection.

For more information, consult the ovs-ofctl(8) man pages.

Below is a simple example flow table to allow outbound TCP traffic from
port 1 and drop traffic from port 2 that was not initiated by port 1:

    table=0,priority=1,action=drop
    table=0,arp,action=normal
    table=0,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=9),2
    table=0,in_port=2,tcp,ct_state=-trk,action=ct(zone=9,table=1)
    table=1,in_port=2,ct_state=+trk+est,tcp,action=1
    table=1,in_port=2,ct_state=+trk+new,tcp,action=drop

Based on original design by Justin Pettit, contributions from Thomas
Graf and Daniele Di Proietto.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ofp-actions: Pass ofp_version to decode functions.

A future patch will make use of this version parameter to pass nested
attributes. Prepare for that by adding the parameter as an unused
variable for the existing functions.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

meta-flow: Rename IPv6 type to be128.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

types: Add big-endian 128-bit types and helpers.

These types will be used by the following patches to ensure a consistent
wire format for 128-bit connection tracking labels. Common functions for
comparison, endian translation, etc. are provided.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ofp-actions: Extend reg_load parsing to >64bits.

Previously, reg_load would only understand 64-bit values passed to it.
This patch extends the parsing to handle larger fields, if they are
specified in hexadecimal. Internally they are stored as a single action,
but they are converted into multiple 64-bit modifications when
re-serialised.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ofp-actions: Refactor set_field tokenization.

Combine the codepaths for splitting "set_field" and "reg_load" string
arguments into the value, key, and delimiter component. The only
user-visible change is that reg_load will now provide a more meaningful
error message when parsing input such as "reg_load:1".

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

tnl-ports: add IPv6 support

Retrieve interfaces IPv6 addresses, and store IPv4 addresses as IPv4-mapped IPv6
addresses.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>

tnl-arp-cache: add IPv6 Neighbor Discovery support

Uses IPv4-mapped IPv6 addresses to store IPv4 addresses, and add support for
Neighbor Discovery snooping.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>

route: support IPv6 and use IPv4-mapped addresses

This adds support for IPv6 in ovs-router and route-table. IPv4 is stored in
ovs-router using IPv4-mapped addresses.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>

appveyor.yml: Remove from docs.

It's not documentation.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ovn-tutorial: Add more links.

Add links to several man pages. Also fix a minor typo.

Note that openvswitch.org needs to be updated as it's missing the
ovn-northd man page.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

FAQ: Describe why OVS can't prepopulate the kernel flow table.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

bridge: Coding style fix.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>

rstp: Properly disable an RSTP port before deleting it.

RSTP may end up referencing stale memory if a port is removed without
disabling it first.

This patch, together with the previous patch by Daniele Venturino, was
tested to resolve a crach by Daniel Swahn.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Tested-by: Daniel Swahn <daniel.swahn@clavister.com>

ofproto-dpif: Add check in rstp_run.

Check if old_root_aux and new_root_aux are null before invoking
bundle_move() on them.

Signed-off-by: Daniele Venturino <daniele.venturino@m3s.it>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>

AUTHORS: Add John Reumann.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>

meta-flow: Remove circular dependency on enum ofputil_protocol.

enum ofputil_protocol is defined in lib/ofp-util.h, which also
includes lib/meta-flow.h. We have already replaced the sets of usable
protocols in struct mf_field with uint32_t for this reason. Do the
same for the return value of mf_set().

Suggested-by: John Reumann <nofutznetworks@gmail.com>
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>

datapath: Fix compilation on kernel 2.6.32

Fixes following compilation error:

CC [M] /home/travis/build/openvswitch/ovs/datapath/linux/actions.o

In file included from
/home/travis/build/openvswitch/ovs/datapath/linux/actions.c:21:0:

/home/travis/build/openvswitch/ovs/datapath/linux/compat/include/linux/skbuff.h:
In function ‘rpl_skb_postpull_rcsum’:

/home/travis/build/openvswitch/ovs/datapath/linux/compat/include/linux/skbuff.h:384:4:
error: implicit declaration of function ‘skb_checksum_start_offset’
[-Werror=implicit-function-declaration]

cc1: some warnings being treated as errors

Reported-by: Joe Stringer <joestringer@nicira.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Joe Stringer <joestringer@nicira.com>

RHEL: create /etc/openvswitch directory

This directory needs to be created by the package manager
because ovs-ctl is being invoked from SElinux openvswitch
domain that does not have enough privileges to create
directories under /etc on its own.

Without this patch Open vSwitch is not able to start under
SElinux enforcing mode (which is default on CentOS by the way).

Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Ackedy-by: Kyle Mestery <mestery@mestery.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>

poll-loop: Fix a bug while finding a poll node.

When a poll_node is created, it gets either a 'fd' or
a 'wevent' (can't get both). When the poll_node is
searched for previous creations on that 'fd' or 'wevent',
the search criteria was wrong for Windows. In Windows,
when a 'fd' is received in poll_create_node, we create a
corresponding 'wevent'. So while searching for that 'fd',
we should not look for 'wevent' in the hmap_node.

Reported-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-controller: Add test for setting up and tearing down patch ports.

The initial plan for OVN logical routers will make more extensive use of
patch ports, so it seems like a good idea to add some tests to avoid
regressions before messing with them.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-sbctl: Use environment var OVN_SB_DB to find the database by default.

This makes it possible to use ovn-sbctl without always typing the --db
option (outside of trivial single-machine OVN deployments).

Also modifies the testsuite to use this.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

tests: Refactor macros so OVN databases can be initialized individually.

I want to write a test for ovn-controller without ovn-northd getting
involved.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Implement action to exchange two fields.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Implement action to copy one field into another.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

physical: Preserve output port across multicast group output.

Otherwise actions like this would not output to the same set of ports
for each output action (the second output would only forward to the
last port from the first output action):

outport = "_MC_FLOOD"; output; output;

Obviously it's a corner case but it still seems worth implementing
correctly.

Found by inspection.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-sb.xml: Reorganize Port_Binding documentation.

This takes advantage of column grouping and the ability to document a key
within a column.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ovn-controller: Document database keys used by ovn-controller.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-controller: Improve formatting of manpage.

First, the structure here was funny, with one <p> nested inside another,
plus a <ul> nested inside a <p>. I'm surprised that the formatter didn't
complain but at any rate it's better to avoid this structure.

Second, this <ul> seemed better off as a <dl>, so I changed it to use that
structure.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-nbctl: Split parent and tag in "show" output.

As of 779e72cc57a106251cc9e6696e8c9aabb56d30b5, localnet ports may have
the tag column set. This case does not make use of the parent column,
so output these fields independently of each other.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

netlink: helper functions for ipv6 address in netlink attrs

[cascardo: add NL_A_IPV6, used in next patch]

Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

lib: Add ipv6 helper functions.

ipv6_addr_is_set is going to be used by next patches.

[cascardo: compare with in6addr_any in ipv6_addr_is_set]
[cascardo: keep only ipv6_addr_is_* functions]

Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

packets: Provide functions to work with IPv4-mapped IPv6 addresses.

Move in6_addr_set_mapped_ipv4 out of mcast-snooping code to packets.h and
provide an in6_addr_get_mapped_ipv4 function that gets the corresponding IPv4
address or the ANY address if it's not IPv4 mapped.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

automake: Consolidate schema checksum check.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-ctl: Ability to upgrade databases.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-ctl, ovs-ctl: Move common code to ovs-lib.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn: Add schema versions and checksum to schema files.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-nbctl: Avoid minor code duplication.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-nbctl: Minor fix for manpage.

There's no -d option, you have to use --db.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn: Add an ovs-sandbox based OVN tutorial.

While working on OVN and OVN integration, I've collected a set of
scripts for quickly setting up simple test environments using
ovs-sandbox with OVN enabled. It seemed like they could be useful to
others for learning about OVN or doing quick testing.

This patch introduces an ovs-sandbox based tutorial for exploring OVN
features in a simulated environment.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovn: Add VLAN support for localnet ports.

This patch makes it possible use a localnet port for connecting to a
specific VLAN on a locally accessible network.  The only logical
modeling change is that it is now valid to set the "tag" field on
logical ports with a type of "localnet".  Previously, the "tag" field
was only use for child ports.

We still use a single automatically created patch port between br-int
and the bridge configured to provide connectivity to a given network
(the ovn-controller bridge-mappings configuration).  We use flows when
necessary to either match on VLAN ID or to add the VLAN ID before
sending the packet out.

Matching for a localnet port with a VLAN ID is done at priority 150 in
table 0, and is similar to how we match traffic from container child
ports.  These cases are conceptually similar in that they're separate
logical ports on the same physical port.

Most of the code changes are due to a change in data structures.  We
have to keep track of all of the localnet ports and then add flows for
them at the end.  Previously this code tracked them as:

    hash of localnet bindings, hased on network name

    localnet bindings:
        openflow port number
        list of port bindings

Now we have:

    hash of localnet bindings, hased on network name

    localnet bindings:
        openflow port number
        hash of localnet vlans

    localnet vlans:
        VLAN ID (0 for untagged traffic)
        list of port bindings

A detailed example of using localnet ports with a VLAN ID is provided in
a later patch as a part of a larger OVN tutorial.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

rhel: Add optional BuildRequires to libcap-ng

Commit e91b927d8 (lib/daemon: support --user option for all OVS daemon)
added optional usage of the libcap-ng library. It's packaged in Fedora,
so go ahead and added it by default to the Fedora spec file.

Our default systemd unit files don't make use of the --user option that
requires this library, but conceivably someone may want to customize
them and use this option.

For those that don't want to use --user option, the Fedora package
offers an option (--without libcapng) to build the RPMs without it.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Acked-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath-windows: Compute checksums for VXLAN inner packets.

Windows does not support VXLAN hardware offloading.

Currently we do not compute IP/TCP/UDP checksums for the inner packet. This
patch computes the checksums mentioned above in regards with the enabled
settings.

i.e. if IP checksum offloading is enabled for the inner packet we compute it.
The same applies for TCP and UDP packets.

This patch also revizes the computation of ones' complement over different
memory blocks, in the case the lengths are odd.

Also per documentation:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff568840%28v=vs.85%29.aspx
set the TCP flags FIN and PSH only for the last segment in the case LSO is
enabled.

Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Sairam Venugopal <vsairam@vmware.com>
Acked-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath-windows: Add file to solution.

This patch adds the file DpInternal.h to the ovsetx.sln.

Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Acked-by: Sairam Venugopal <vsairam@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>