cascardo/ovs.git
9 years ago NEWS: Mention group support in version 2.1.
Ben Pfaff [Sun, 1 Feb 2015 21:50:40 +0000 (13:50 -0800)]
NEWS: Mention group support in version 2.1.

Someone asked about support and I realized that we forgot to mention it,
so do so belatedly.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago datapath: update exact match lookup hash value to avoid hash collision
Andy Zhou [Tue, 3 Feb 2015 21:57:55 +0000 (13:57 -0800)]
datapath: update exact match lookup hash value to avoid hash collision

Currently, the exact match cache lookup uses 'skb->hash' as an index.
In most cases, this value will be the same for pre and post
recirculation lookup, thrashing the exact match cache. This patch
avoids this hash collision by using the rehashed value, by mixing in
the 'recirc_id', as the lookup index.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years ago datapath: Account for "netlink: make nlmsg_end() and genlmsg_end() void"
Thomas Graf [Tue, 3 Feb 2015 20:53:36 +0000 (21:53 +0100)]
datapath: Account for "netlink: make nlmsg_end() and genlmsg_end() void"

genlmsg_end() no longer returns an error value. Not a problem as it
never returned an error code anyway.

Upstream: 053c09 ("netlink: make nlmsg_end() and genlmsg_end() void")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years ago datapath: Account for "genetlink: pass only network namespace to genl_has_listeners()"
Thomas Graf [Tue, 3 Feb 2015 20:53:36 +0000 (21:53 +0100)]
datapath: Account for "genetlink: pass only network namespace to genl_has_listeners()"

Upstream commit:
    genetlink: pass only network namespace to genl_has_listeners()

    There's no point to force the caller to know about the internal
    genl_sock to use inside struct net, just have them pass the network
    namespace. This doesn't really change code generation since it's
    an inline, but makes the caller less magic - there's never any
    reason to pass another socket.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: f8403a2 ("genetlink: pass only network namespace to genl_has_listeners()")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years ago datapath: Allow for any level of nesting in flow attributes
Thomas Graf [Tue, 3 Feb 2015 20:53:36 +0000 (21:53 +0100)]
datapath: Allow for any level of nesting in flow attributes

Upstream commit:
    openvswitch: Allow for any level of nesting in flow attributes

    nlattr_set() is currently hardcoded to two levels of nesting. This change
    introduces struct ovs_len_tbl to define minimal length requirements plus
    next level nesting tables to traverse the key attributes to arbitrary depth.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 81bfe3 ("openvswitch: Allow for any level of nesting in flow attributes")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years ago datapath: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()
Thomas Graf [Tue, 3 Feb 2015 20:53:36 +0000 (21:53 +0100)]
datapath: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()

Backport of upstream commit:

    openvswitch: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()

    Also factors out Geneve validation code into a new separate function
    validate_and_copy_geneve_opts().

    A subsequent patch will introduce VXLAN options. Rename the existing
    GENEVE_TUN_OPTS() to reflect its extended purpose of carrying generic
    tunnel metadata options.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: d91641d ("openvswitch: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years ago datapath: Account for "vxlan: add x-netns support"
Thomas Graf [Tue, 3 Feb 2015 20:53:35 +0000 (21:53 +0100)]
datapath: Account for "vxlan: add x-netns support"

Upstream commit:
    vxlan: add x-netns support

    This patch allows to switch the netns when packet is encapsulated or
    decapsulated.
    The vxlan socket is opened into the i/o netns, ie into the netns where
    encapsulated packets are received. The socket lookup is done into this netns to
    find the corresponding vxlan tunnel. After decapsulation, the packet is
    injected into the corresponding interface which may stand to another netns.

    When one of the two netns is removed, the tunnel is destroyed.

    Configuration example:
    ip netns add netns1
    ip netns exec netns1 ip link set lo up
    ip link add vxlan10 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0
    ip link set vxlan10 netns netns1
    ip netns exec netns1 ip addr add 192.168.0.249/24 broadcast 192.168.0.255 dev vxlan10
    ip netns exec netns1 ip link set vxlan10 up

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: f01ec1c017de ("vxlan: add x-netns support")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years ago datapath: Account for "vxlan: Group Policy extension"
Thomas Graf [Tue, 3 Feb 2015 20:53:35 +0000 (21:53 +0100)]
datapath: Account for "vxlan: Group Policy extension"

Upstream commit:
    vxlan: Group Policy extension

    Implements support for the Group Policy VXLAN extension [0] to provide
    a lightweight and simple security label mechanism across network peers
    based on VXLAN. The security context and associated metadata is mapped
    to/from skb->mark. This allows further mapping to a SELinux context
    using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
    tc, etc.

    The group membership is defined by the lower 16 bits of skb->mark, the
    upper 16 bits are used for flags.

    SELinux allows to manage label to secure local resources. However,
    distributed applications require ACLs to be implemented across hosts. This
    is typically achieved by matching on L2-L4 fields to identify the
    original sending host and process on the receiver. On top of that,
    netlabel and specifically CIPSO [1] allow to map security contexts to
    universal labels.  However, netlabel and CIPSO are relatively complex.
    This patch provides a lightweight alternative for overlay network
    environments with a trusted underlay. No additional control protocol
    is required.

               Host 1:                       Host 2:

          Group A        Group B        Group B     Group A
          +-----+   +-------------+    +-------+   +-----+
          | lxc |   | SELinux CTX |    | httpd |   | VM  |
          +--+--+   +--+----------+    +---+---+   +--+--+
          \---+---/                     \----+---/
              |                              |
          +---+---+                      +---+---+
          | vxlan |                      | vxlan |
          +---+---+                      +---+---+
              +------------------------------+

    Backwards compatibility:
    A VXLAN-GBP socket can receive standard VXLAN frames and will assign
    the default group 0x0000 to such frames. A Linux VXLAN socket will
    drop VXLAN-GBP frames. The extension is therefore disabled by default
    and needs to be specifically enabled:

       ip link add [...] type vxlan [...] gbp

    In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
    must run on a separate port number.

    Examples:
     iptables:
      host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
      host2# iptables -I INPUT -m mark --mark 0x200 -j DROP

     OVS:
      # ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
      # ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'

    [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
    [1] http://lwn.net/Articles/204905/

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 351149 ("vxlan: Group Policy extension")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
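
The header-to-mark mapping described in the commit above, as an added example that is not part of the commit or of the kernel/OVS code. The flag bit positions and the strict handling of unknown flags are assumptions taken from the draft cited as [0] and from Linux's include/net/vxlan.h; the sample headers are constructed. It also shows that a mark rule written without a mask, like the iptables example, compares the whole 32-bit mark, so a rule meant to match only the group should mask the lower 16 bits.

```python
import struct

# Assumed from the VXLAN-GBP draft [0] and Linux include/net/vxlan.h;
# none of these constants appear on this page.
VXLAN_HF_GBP = 0x80000000        # G bit: Group Policy ID is present
VXLAN_HF_VNI = 0x08000000        # I bit: VNI is valid
GBP_DONT_LEARN = 0x00400000      # D bit, carried in the upper half of the mark
GBP_POLICY_APPLIED = 0x00080000  # A bit, carried in the upper half of the mark
GBP_ID_MASK = 0x0000FFFF         # group membership: lower 16 bits of the mark

GBP_MARK_BITS = GBP_ID_MASK | GBP_DONT_LEARN | GBP_POLICY_APPLIED
GBP_KNOWN = VXLAN_HF_GBP | VXLAN_HF_VNI | GBP_MARK_BITS


def vxlan_to_mark(header, gbp_enabled):
    """Map an 8-byte VXLAN header to (vni, mark); None means drop the frame."""
    if len(header) < 8:
        return None
    word0, word1 = struct.unpack("!II", header[:8])
    if not (word0 & VXLAN_HF_VNI) or (word1 & 0xFF):
        return None                      # no valid VNI, or reserved byte set
    vni = word1 >> 8
    if word0 & VXLAN_HF_GBP:
        # A plain VXLAN socket drops VXLAN-GBP frames; a GBP socket still
        # rejects flag bits it does not know.
        if not gbp_enabled or (word0 & ~GBP_KNOWN):
            return None
        return vni, word0 & GBP_MARK_BITS
    if word0 & ~VXLAN_HF_VNI:
        return None                      # unknown flags on a standard frame
    return vni, 0x0000                   # standard frame: default group 0x0000


def mark_matches(mark, value, mask=0xFFFFFFFF):
    """Semantics of iptables '-m mark --mark value[/mask]'."""
    return (mark & mask) == value


if __name__ == "__main__":
    # Constructed sample headers: VNI 10, group 0x200.
    samples = {
        "gbp":          bytes.fromhex("8800020000000a00"),
        "gbp + A flag": bytes.fromhex("8808020000000a00"),
        "plain vxlan":  bytes.fromhex("0800000000000a00"),
    }
    for name, hdr in samples.items():
        result = vxlan_to_mark(hdr, gbp_enabled=True)
        vni, mark = result
        print(f"{name:13} vni={vni} mark={mark:#08x} "
              f"exact={mark_matches(mark, 0x200)} "
              f"masked={mark_matches(mark, 0x200, GBP_ID_MASK)}")
```
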
9 years ago datapath: Account for now exposed VXLAN definitions
Thomas Graf [Tue, 3 Feb 2015 20:53:35 +0000 (21:53 +0100)]
datapath: Account for now exposed VXLAN definitions

This brings the compat version of vxlan_udp_encap_recv() and
vxlan_xmit_skb() in line with upstream commit:

commit 3bf3947526c1053ddf2523f261395d682718f56c
Author: Tom Herbert <therbert@google.com>
Date:   Thu Jan 8 12:31:18 2015 -0800

    vxlan: Improve support for header flags

    This patch cleans up the header flags of VXLAN in anticipation of
    defining some new ones:

    - Move header related definitions from vxlan.c to vxlan.h
    - Change VXLAN_FLAGS to be VXLAN_HF_VNI (only currently defined flag)
    - Move check for unknown flags to after we find vxlan_sock, this
      assumes that some flags may be processed based on tunnel
      configuration
    - Add a comment about why the stack treats unknown set flags as an
      error instead of ignoring them

Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 3bf394 ("vxlan: Improve support for header flags")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years ago datapath: Account for "rename vlan_tx_* helpers since "tx" is misleading there"
Thomas Graf [Tue, 3 Feb 2015 20:53:35 +0000 (21:53 +0100)]
datapath: Account for "rename vlan_tx_* helpers since "tx" is misleading there"

Upstream commit:
    net: rename vlan_tx_* helpers since "tx" is misleading there

    The same macros are used for rx as well. So rename it.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: df8a39d ("net: rename vlan_tx_* helpers since "tx" is misleading there")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years ago ofproto-dpif: Revalidate when sFlow probability changes.
Ben Pfaff [Fri, 30 Jan 2015 21:36:34 +0000 (13:36 -0800)]
ofproto-dpif: Revalidate when sFlow probability changes.

Until now, when the sFlow selection probability changed, OVS failed to
immediately revalidate the flow table, delaying the new probability taking
effect.  This commit fixes the problem.

Reported-by: K 華 <k940545@hotmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
9 years ago vlog: Fix "/dev/log" test
YAMAMOTO Takashi [Mon, 2 Feb 2015 02:57:05 +0000 (11:57 +0900)]
vlog: Fix "/dev/log" test

commit 7905aae3fc1633c2c44c8fdb9e9d3a3d6e63439b
("vlog: Don't fail syslog initialization in chroot.")
uses os.path.isfile("/dev/log"), which tests if the given path
is a regular file, to see if syslog can be usable.

However, /dev/log is not a regular file for platforms I looked at.
    * On Ubuntu 14.04 and CentOS 6.5, /dev/log is a socket
    * On NetBSD-6, /dev/log is a symlink to a socket

Replace the test with os.path.exists() so that it can work
as intended for these platforms.

Signed-off-by: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
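
The difference between the two path tests named in the commit above, as an added example that is not part of the commit or of OVS. It builds a Unix socket, a symlink to it, a dangling symlink and a regular file in a temporary directory (all constructed) and reports what each test returns; the `S_ISSOCK` check goes beyond the commit and is shown only as a stricter alternative.

```python
import os
import socket
import stat
import tempfile


def is_socket(path):
    """True only if path resolves (through symlinks) to a Unix socket."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)  # os.stat follows symlinks
    except OSError:
        return False


def classify(path):
    return {
        "isfile": os.path.isfile(path),   # the test the earlier commit used
        "exists": os.path.exists(path),   # the test this commit switches to
        "is_socket": is_socket(path),     # stricter check, added here
    }


def probe_paths():
    """Create the four constructed cases and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "log")
        link_path = os.path.join(d, "log-link")
        dangling = os.path.join(d, "dangling")
        regular = os.path.join(d, "regular")

        srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            srv.bind(sock_path)                       # like /dev/log on Linux
            os.symlink(sock_path, link_path)          # like /dev/log on NetBSD-6
            os.symlink(os.path.join(d, "missing"), dangling)
            with open(regular, "w"):
                pass
            for name, path in (("socket", sock_path),
                               ("symlink", link_path),
                               ("dangling", dangling),
                               ("regular", regular)):
                results[name] = classify(path)
        finally:
            srv.close()
    return results


if __name__ == "__main__":
    for name, checks in probe_paths().items():
        print(f"{name:9} {checks}")
```
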
9 years ago miniflow: Fix miniflow push of L4 port numbers.
Jarno Rajahalme [Tue, 3 Feb 2015 02:06:50 +0000 (18:06 -0800)]
miniflow: Fix miniflow push of L4 port numbers.

Replace a 64 bit copy of L4 src/dst ports that was also
including additional packet params (e.g. TCP Seq Num). This
was later resulting in all packets from the flow missing in
the EMC.

Signed-off-by: Kevin Traynor <kevin.traynor@intel.com>
Reported-by: Ciara Loftus <ciara.loftus@intel.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
9 years ago ovs-command-completion: Avoid using negative subscript.
Alex Wang [Sun, 1 Feb 2015 16:54:35 +0000 (08:54 -0800)]
ovs-command-completion: Avoid using negative subscript.

Negative subscript causes error in bash version 4.1.2(1)-release
(x86_64-redhat-linux-gnu).  This commit fixes it.

Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years ago ovs-command-completion: Autotest integration.
Alex Wang [Mon, 24 Nov 2014 19:15:45 +0000 (11:15 -0800)]
ovs-command-completion: Autotest integration.

This commit integrates the unit tests defined in
utilities/ovs-command-compgen-test.bash into 'make check'.
The tests will be skipped if the current shell is not bash.

Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years ago ovs-vsctl.at: Fix intermittent failure.
Alex Wang [Fri, 30 Jan 2015 18:41:18 +0000 (10:41 -0800)]
ovs-vsctl.at: Fix intermittent failure.

This commit fixes the intermittent test failure caused by the
race between the test thread and logging thread.

Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years ago ovs-dpctl: Mention use of ovs-appctl instead for netdev datapath.
Ben Pfaff [Fri, 30 Jan 2015 21:38:45 +0000 (13:38 -0800)]
ovs-dpctl: Mention use of ovs-appctl instead for netdev datapath.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
9 years ago datapath-windows: Solved BSOD when loading an activated extension
Sorin Vinturis [Mon, 26 Jan 2015 19:00:40 +0000 (19:00 +0000)]
datapath-windows: Solved BSOD when loading an activated extension

If the OVS extension was previously enabled and the driver unloaded,
when the driver is loaded again a BSOD is triggered.

This happens because the OVS extension registers its FilterXxx routines
to NDIS, by calling NdisFRegisterFilterDriver, before performing all
the necessary initialization. Because drivers that call
NdisFRegisterFilterDriver must be prepared for an immediate call to any
of their FilterXxx functions.

The BSOD is triggered because the FilterAttach routine, OvsExtAttach,
tries to acquire the control lock, when the lock is not yet initialized.
This happens because the FilterAttach is called before the driver
finishes initialization, in OvsInit().

The solution is to perform all necessary initialization before
registering OVS FilterXxx routines.

If device object creation fails, all allocated resources during init
phase are released by calling OvsCleanup and NdisFDeregisterFilterDriver
functions.

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-at: https://github.com/openvswitch/ovs-issues/issues/67
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years ago ovs-bugtool: Add --help message.
Ben Pfaff [Fri, 30 Jan 2015 21:21:56 +0000 (13:21 -0800)]
ovs-bugtool: Add --help message.

Seemed a little embarrassing when I realized that ovs-bugtool has no usage
message on a customer call this morning.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
9 years ago autotest: Use modprobe for kernel module unloading
Christoph Jaeger [Mon, 26 Jan 2015 16:26:12 +0000 (11:26 -0500)]
autotest: Use modprobe for kernel module unloading

rmmod fails if the module is not loaded; thus, Vagrant aborts provisioning
when started from a clean slate. Use modprobe, which does not fail, instead.
Unloading unused modules the to-be-unloaded module depends on may also be
desirable.

Signed-off-by: Christoph Jaeger <cj@linux.com>
Signed-off-by: Andy Zhou <azhou@nicira.com>
9 years ago vlog: Don't fail syslog initialization in chroot.
Gurucharan Shetty [Wed, 28 Jan 2015 21:12:11 +0000 (13:12 -0800)]
vlog: Don't fail syslog initialization in chroot.

When OVS unit tests are run inside chroot environment,
there is no syslog infrastructure available. In a
situation like that, don't fail or log additional messages
to syslog by increasing the severity level of syslog very high
(log messages would continue to be logged to console and file).

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago INSTALL.DPDK: Update documentation to indicate VFIO support
Mark D. Gray [Thu, 29 Jan 2015 15:22:53 +0000 (15:22 +0000)]
INSTALL.DPDK: Update documentation to indicate VFIO support

Since DPDK 1.7, VFIO is supported in place of UIO. This allows
a user to avoid having to insert a non-standard kernel module.

This patch updates the documentation with instructions for
setting up OVS with VFIO. As part of this work, VFIO was also
successfully tested with OVS and the DPDK netdev.

[tgraf: Added some more markdown formatting]

Signed-off-by: Mark D. Gray <mark.d.gray@intel.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago autotest: Fix kernel module unit test teardown
Christoph Jaeger [Wed, 28 Jan 2015 19:02:42 +0000 (14:02 -0500)]
autotest: Fix kernel module unit test teardown

Due to a misnaming, the macro calls

  OVS_SWITCHD_STOP([$1])
  AT_CHECK([modprobe -r openvswitch])

in OVS_KMOD_VSWITCHD_STOP make up a syntactically correct function definition
(OVS_SWITCHD_STOP does not exist, and therefore the call does not expand):

  OVS_SWITCHD_STOP()
  { set +x
  $as_echo "$at_srcdir/kmod-traffic.at:15: modprobe -r openvswitch"
  ...
  $at_traceon; }

Consequently, neither of the calls has the intended effect, i.e., stopping
ovs-vswitchd and ovsdb-server, checking their log files, and unloading the
datapath kernel module. Fix the misnaming, so all calls expand properly.

Fixes: 69c2bdfef9 ("autotest: add autotest framework for adding kernel module unit tests")
Signed-off-by: Christoph Jaeger <cj@linux.com>
Signed-off-by: Andy Zhou <azhou@nicira.com>
Author: add Christoph Jaeger

9 years ago vlog: Ability to override the default log facility.
Gurucharan Shetty [Mon, 26 Jan 2015 16:04:25 +0000 (08:04 -0800)]
vlog: Ability to override the default log facility.

When Open vSwitch is run in hundreds of hypervisors, it is
useful to collect log messages through log collectors. To
collect log messages like this, it is useful to log them
in a particular RFC5424 facility in the local system. The
log collectors can then be used to collect logs anytime
desired.

This commit provides a sysadmin the ability to specify the
facility through which the log messages are logged.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years ago ofp-util: constify buckets parameter of ofputil_append*_group_desc_reply()
Simon Horman [Tue, 27 Jan 2015 08:12:34 +0000 (17:12 +0900)]
ofp-util: constify buckets parameter of ofputil_append*_group_desc_reply()

This parameter is not modified so it may be marked as const.

Signed-off-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago INSTALL.DPDK.md: Provide a little a more consistency to documentation.
Gurucharan Shetty [Fri, 23 Jan 2015 15:56:47 +0000 (07:56 -0800)]
INSTALL.DPDK.md: Provide a little a more consistency to documentation.

A few users (based on the reports in discuss@openvswitch.org) have been
literally following the instructions in INSTALL.DPDK.md and mixing up
pre-installed utilities and daemons with freshly compiled utilities
because the current documentation does not consistently call out
using utilities from the compiled sources.

This commit updates DPDK documentation to ask users to do a 'make install'
and then use the utilities and daemons directly from Linux PATH.
It also adds github markup where applicable.

Reported-by: Arkajit Ghosh <arkajit.ghosh@tcs.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years ago vlog: Logging option '--syslog-target' needs one argument.
Gurucharan Shetty [Mon, 26 Jan 2015 16:36:23 +0000 (08:36 -0800)]
vlog: Logging option '--syslog-target' needs one argument.

Without this commit, starting a daemon with just '--syslog-target'
causes a segmentation fault.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years ago test-sflow: Fix error message when a socket cannot be opened.
Ben Pfaff [Fri, 23 Jan 2015 06:03:02 +0000 (22:03 -0800)]
test-sflow: Fix error message when a socket cannot be opened.

The error message should name the socket, which is 'target', not argv[1],
which might be anything.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago ofp-errors: Use OFPERR_OFPBRC_IS_SLAVE to reject slave controllers.
Ben Pfaff [Thu, 22 Jan 2015 17:07:46 +0000 (09:07 -0800)]
ofp-errors: Use OFPERR_OFPBRC_IS_SLAVE to reject slave controllers.

This error code was just overlooked before.

Reported-by: Anup Khadka <khadka.py@gmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago ofp-errors: Explain the whole "expected duplications" thing.
Ben Pfaff [Thu, 22 Jan 2015 17:07:36 +0000 (09:07 -0800)]
ofp-errors: Explain the whole "expected duplications" thing.

That way I won't have to figure it out again the next time.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago setup n_upcall_pids for vport_request when destroy all channels
Gao feng [Thu, 22 Jan 2015 09:01:28 +0000 (17:01 +0800)]
setup n_upcall_pids for vport_request when destroy all channels

Setup the n_upcall_pids to 1, otherwise the
OVS_VPORT_ATTR_UPCALL_PID nlattr will be incorrect.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago ofproto-dpif: Fix memory leak of mirrors in bundle_destroy().
Ben Pfaff [Thu, 22 Jan 2015 05:08:12 +0000 (21:08 -0800)]
ofproto-dpif: Fix memory leak of mirrors in bundle_destroy().

The mirrors are added in bundle_set() with 'bundle' as aux so they must
be removed with the same aux, but the call used 'bundle->aux' instead.

Reported-by: Sabyasachi Sengupta <Sabyasachi.Sengupta@alcatel-lucent.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years ago upcall: Simplify enable_ufid debug option.
Joe Stringer [Fri, 19 Dec 2014 17:54:38 +0000 (09:54 -0800)]
upcall: Simplify enable_ufid debug option.

We previously tracked the debug enable/disable of UFID in each udpif,
and allowed the ovs-appctl debug option to turn on UFID features even if
the datapath doesn't support it.

This commit shifts the enable_ufid debug flag to a single flag, and
provides a helper to determine whether UFID features should be used on a
per-udpif basis.

Suggested-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years ago vconn: Move struct definitions back to provider interface.
Ben Pfaff [Mon, 19 Jan 2015 23:47:30 +0000 (15:47 -0800)]
vconn: Move struct definitions back to provider interface.

Commit 4a1f523f2d760 (lib: Move vconn.h to <openvswitch/vconn.h>) moved
the definitions of struct vconn and struct pvconn into the public vconn.h
header.  This is unnecessary because the size and content of these structs
is not part of the ABI.  This commit moves them back.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago stream-fd: Fix log message.
Ben Pfaff [Tue, 20 Jan 2015 05:26:25 +0000 (21:26 -0800)]
stream-fd: Fix log message.

The log message for a send operation should refer to "send", not "recv".
Looks like an old cut-and-paste error.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago rconn: Remove dead code and data.
Ben Pfaff [Mon, 19 Jan 2015 00:26:16 +0000 (16:26 -0800)]
rconn: Remove dead code and data.

These functions had no callers, so remove them and the data maintained
just to implement them.

Found by inspection.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago pktbuf: Always initialize '*bufferp' even when 'pb == NULL'.
Ben Pfaff [Sat, 17 Jan 2015 17:21:04 +0000 (09:21 -0800)]
pktbuf: Always initialize '*bufferp' even when 'pb == NULL'.

Otherwise if a service connection (which does not have buffers) attempts
to use buffers, '*bufferp' will be uninitialized, which can cause a
segfault in the caller.

Found using OFtest configured to use service (active rather than passive)
connections.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago Fix typo in NEWS
Lorand Jakab [Mon, 19 Jan 2015 13:45:53 +0000 (15:45 +0200)]
Fix typo in NEWS

Signed-off-by: Lorand Jakab <lojakab@cisco.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago Add tests/kmod-testsuite to .gitignore
Lorand Jakab [Mon, 19 Jan 2015 11:11:55 +0000 (13:11 +0200)]
Add tests/kmod-testsuite to .gitignore

Signed-off-by: Lorand Jakab <lojakab@cisco.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago Vagrantfile: add test_ovs_kmod provision
Andy Zhou [Wed, 14 Jan 2015 00:36:00 +0000 (16:36 -0800)]
Vagrantfile: add test_ovs_kmod provision

Add 'test_ovs_kmod' provision.  Command:
   # vagrant provision --provision-with=test_ovs_kmod

will run "make check-kmod" in the vagrant launched VM.

It turns out to be more convenient to test within as root. Switch
Vagrantfile provisions to run as root user.  However, vagrant can
still be launched as normal user.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago autotest: add autotest framework for adding kernel module unit tests
Andy Zhou [Tue, 13 Jan 2015 23:21:36 +0000 (15:21 -0800)]
autotest: add autotest framework for adding kernel module unit tests

This patch adds a basic infrastructure for developing and running
kernel module unit tests. Currently OVS contains thousands
of useful unit tests for user space programs. It is desirable to
have corresponding kernel module unit tests.

This commit adds basic framework for adding kernel module tests. Like
user space unit tests, Kmod tests are based on the autotest framework, thus
are similar to existing unit tests. For references, kmod-traffic.at
contains a simple ping test.

"make check-kmod" can be invoked on any build machine as a root
user. Since kernel testing can potentially crash the kernel, it is
not recommended to run those tests directly on a development machine,
but rather a testing VM, such as ones that can be launched by vagrant.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years ago autotest: refactor OVS_VSWITCHD_START MACRO
Andy Zhou [Tue, 13 Jan 2015 22:57:14 +0000 (14:57 -0800)]
autotest: refactor OVS_VSWITCHD_START MACRO

Refactor in preparation for the next patch.

Signed-off-by: Andy Zhou <azhou@nicira.com>
9 years ago packets: Do not use zero sized array in icmp header.
Gurucharan Shetty [Thu, 15 Jan 2015 18:24:03 +0000 (10:24 -0800)]
packets: Do not use zero sized array in icmp header.

Visual studio supports zero-size array within a struct or union,
but has to be the last element. GCC does not have this restriction.

icmp headers got included inside 'struct ovs_nd_msg' through
commit e60e935b1f (Implement set-field for IPv6 ND fields (nd_target,
nd_sll, and nd_tll)). This causes compilation error while using MSVC.

Since icmp[6]_data in the icmp[6]_header is not used anywhere, just remove
them.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years ago AUTHORS: Stephen Finucane is now a code contributor.
Ben Pfaff [Thu, 15 Jan 2015 15:25:02 +0000 (07:25 -0800)]
AUTHORS: Stephen Finucane is now a code contributor.

Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years ago configure.ac: Enable 'tar-pax' by default
Stephen Finucane [Thu, 15 Jan 2015 09:20:22 +0000 (09:20 +0000)]
configure.ac: Enable 'tar-pax' by default

Automake defaults to the 'v7' legacy tar format in GNU tar, through
passing of the '-o' parameter to GNU tar. Enabling this option results
in errors for users with 32 bit UIDs:

    $ make dist
    ...
    tardir=openvswitch-2.3.90 && ${TAR-tar} chof - "$tardir" | GZIP=--best gzip -c >openvswitch-2.3.90.tar.gz
    tar: value 12345678 out of uid_t range 0..2097151
    tar: Exiting with failure status due to previous errors
    make[1]: Leaving directory `/development/ovs'
    ...

The 'tar-pax' format is a 2001 POSIX standard that allows longer file
names and other niceties. Its use is a configuration option in Automake
1.9+. Enable this option.

Signed-off-by: Stephen Finucane <stephen.finucane@intel.com>
Reviewed-by: Mark D. Gray <mark.d.gray@intel.com>
Cc: Panu Matilainen <pmatilai@laiskiainen.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years ago ovs-numa.h: Add a missing OVS_UNUSED
YAMAMOTO Takashi [Wed, 14 Jan 2015 01:20:12 +0000 (10:20 +0900)]
ovs-numa.h: Add a missing OVS_UNUSED

Suppress the following warning:

> cc1: warnings being treated as errors
> In file included from ../lib/dpif.h:394:0,
>                  from ../lib/netdev.c:28:
> ../lib/ovs-numa.h: In function 'ovs_numa_dump_cores_on_numa':
> ../lib/ovs-numa.h:150:33: error: unused parameter 'numa_id'

The problem was introduced by
commit 9da2564e2bfa4ffc5a05552630ce2aca00a521c9.
("ovs-numa: Refine the module.")

Signed-off-by: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years ago dpif: Use separate OVS_PACKET_ATTR_PROBE for packet messges
Thomas Graf [Wed, 14 Jan 2015 23:17:31 +0000 (00:17 +0100)]
dpif: Use separate OVS_PACKET_ATTR_PROBE for packet messges

User space is currently sending a OVS_FLOW_ATTR_PROBE for both flow
and packet messages. This leads to an out-of-bounds access in
ovs_packet_cmd_execute() because OVS_FLOW_ATTR_PROBE >
OVS_PACKET_ATTR_MAX.

Introduce a new OVS_PACKET_ATTR_PROBE with the same numeric value
as OVS_FLOW_ATTR_PROBE to grow the range of accepted packet attributes
while maintaining binary compatibility with existing OVS binaries.

Fixes: 9233ce ("datapath: Add support for OVS_FLOW_ATTR_PROBE.")
Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Jesse Gross <jesse@nicira.com>
9 years ago ofproto-dpif-xlate: Log if an OFPACT_CONJUNCTION action is executed.
Ben Pfaff [Wed, 14 Jan 2015 00:47:34 +0000 (16:47 -0800)]
ofproto-dpif-xlate: Log if an OFPACT_CONJUNCTION action is executed.

Conjunction actions shouldn't normally get executed, so it's worth
logging if it happens.

Suggested-by: Jarno Rajahalme <jrajahalme@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
9 years ago route-table-bsd: Retry logic
YAMAMOTO Takashi [Mon, 15 Dec 2014 07:23:34 +0000 (16:23 +0900)]
route-table-bsd: Retry logic

Retry routing requests as the routing socket is unreliable.

Also, add some error checks and logs.

Signed-off-by: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years ago test-atomic: Stop testing when running slow.
Jarno Rajahalme [Wed, 14 Jan 2015 00:39:46 +0000 (16:39 -0800)]
test-atomic: Stop testing when running slow.

When the test suite is run on an OS with 1 core (e.g., a VM with one
core assigned to it), some of the atomic memory model tests take a
long time, with the effect that the test seems stuck.

This patch stops these tests after one second and only fails the test
if there has not been any significant progress, allowing the test to
pass also when running only with one core.

Reported-by: Motonori Shindo <motonori@shin.do>
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
9 years ago Implement set-field for IPv6 ND fields (nd_target, nd_sll, and nd_tll).
Sharo, Randall A CIV SPAWARSYSCEN-ATLANTIC, 55200 [Tue, 23 Dec 2014 23:42:05 +0000 (23:42 +0000)]
Implement set-field for IPv6 ND fields (nd_target, nd_sll, and nd_tll).

This patch adds set-field operations for nd_target, nd_sll, and nd_tll
fields, with and without masks, using Nicira extensions and OpenFlow 1.2
protocol.

Signed-off-by: Randall A Sharo <randall.sharo at navy.mil>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agoFAQ: Explain how to quickly add many ports.
Ben Pfaff [Tue, 13 Jan 2015 03:41:09 +0000 (19:41 -0800)]
FAQ: Explain how to quickly add many ports.

This comes up from time to time.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years agoipv6: Add support for setting ipv6 flow label.
Pritesh Kothari [Tue, 13 Jan 2015 01:46:49 +0000 (17:46 -0800)]
ipv6: Add support for setting ipv6 flow label.

IPv6 Flow Label is currently read only. This patch adds support
to allow actions like actions=set_field:0x12345->ipv6_label.

The change to mf_set_flow_value() is a bug fix, but the bug was
not visible before the flow label was modifiable.

Signed-off-by: Pritesh Kothari <pritesh.kothari@cisco.com>
[blp@nicira.com added an item to NEWS]
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agoSECURITY.md: Update.
Andrew Kampjes [Mon, 12 Jan 2015 18:38:52 +0000 (07:38 +1300)]
SECURITY.md: Update.

Add bit about reporting vulns with GPG.
Add generalised rules for vulnerabilities.

Signed-off-by: Andrew Kampjes <a.kampjes@gmail.com>
[blp@nicira.com edited and removed text about not using public lists]
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agovconn: Avoid using C++ keyword 'class' as variable name in headers
Amit Bose [Mon, 12 Jan 2015 16:43:12 +0000 (17:43 +0100)]
vconn: Avoid using C++ keyword 'class' as variable name in headers

Signed-off-by: Amit Bose <bose@noironetworks.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
9 years agodatapath: Bug setting vlan tci in compat function
Thomas F Herbert [Sat, 10 Jan 2015 23:00:21 +0000 (15:00 -0800)]
datapath: Bug setting vlan tci in compat function

This patch fixes a bug when pushing vlans. It causes vlans to be transmitted with
the TPID instead of the tci on the inner vlan.

Signed-off-by: Thomas F Herbert <thomasfherbert@entpnt.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years agoconfigure: Omit -O2 from CFLAGS when configuring with --enable-coverage.
Ben Pfaff [Fri, 2 Jan 2015 22:36:53 +0000 (14:36 -0800)]
configure: Omit -O2 from CFLAGS when configuring with --enable-coverage.

CFLAGS follows OVS_CFLAGS in the compiler command line, and should, so that
the user can override any automatically determined compiler options.  That
means that the -O0 that the code here added to OVS_CFLAGS didn't really
have any effect since CFLAGS by default includes "-O2".  However, we do
really want to disable optimizations (because the coverage reports are hard
to interpret with optimizations), so this commit changes the configure
script to edit out -O2 from CFLAGS, leaving any other default or
user-specified options.

Reported-by: Mijo Safradin <mijo@linux.vnet.ibm.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agopkg-config: Fix Cflags in package-config files
Amit Bose [Fri, 9 Jan 2015 11:27:04 +0000 (12:27 +0100)]
pkg-config: Fix Cflags in package-config files

Cflags in pkg-config files sets the include path to $PREFIX/openflow,
$PREFIX/openvswitch. This makes the including source files use the files
like
  include <util.h>
instead of
  include <openvswitch/util.h>

Signed-off-by: Amit Bose <bose@noironetworks.com>
9 years agodpif-netlink: Drop oversized packets instead of assert-failing.
Ben Pfaff [Sun, 11 Jan 2015 21:45:36 +0000 (13:45 -0800)]
dpif-netlink: Drop oversized packets instead of assert-failing.

A packet sent to a Netlink datapath has to fit within a Netlink attribute.
Until now, this was only checked in an assertion inside the Netlink code,
which meant that trying to send a too-large packet (approximately 64 kB or
larger) would assert-fail.  It's better to just drop those packets, which
this commit does.

Reported-by: Shuping Cui <scui@redhat.com>
Reported-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
9 years agonetlink: Refine calculation of maximum-length attributes.
Ben Pfaff [Wed, 7 Jan 2015 21:19:41 +0000 (13:19 -0800)]
netlink: Refine calculation of maximum-length attributes.

Until now the Netlink code has considered an attribute to exceed the
maximum length if the *padded* size of the attribute exceeds 65535 bytes.
For example, an attribute with a 65529-byte payload, together with 4-byte
header and 3 bytes of padding, takes up 65536 bytes and therefore the
existing code rejected it.

However, the restriction on Netlink attribute sizes is to ensure that the
length fits in the 16-bit nla_len field.  This field includes the 4-byte
header but not the padding, so a 65529-byte payload is acceptable because,
with the header but not the padding, it comes to only 65533 bytes.

Thus, this commit relaxes the restriction on Netlink attribute sizes by
omitting padding from size checks.  It also changes one piece of code that
inlined a size check to use the central function nl_attr_oversized().

This change should fix an assertion failure when OVS userspace passes a
maximum-size (65529+ byte) packet back to the kernel.

Reported-by: Shuping Cui <scui@redhat.com>
Reported-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
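
An added example (not OVS code) of the size check this commit message describes: the padded-size rule beside the relaxed one, and an encoder showing the value that ends up in the 16-bit nla_len field. The function names are hypothetical; the 4-byte header and 4-byte alignment are the standard Netlink attribute layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATTR_HDRLEN  4u   /* 16-bit nla_len + 16-bit nla_type */
#define ATTR_ALIGNTO 4u
#define ATTR_ALIGN(len) \
    (((size_t)(len) + ATTR_ALIGNTO - 1) & ~(size_t)(ATTR_ALIGNTO - 1))

/* Old rule: header + payload + padding must not exceed 65535. */
static bool attr_oversized_padded(size_t payload_len)
{
    return ATTR_ALIGN(ATTR_HDRLEN + payload_len) > UINT16_MAX;
}

/* Relaxed rule: only header + payload must fit, because nla_len
 * does not count the padding. */
static bool attr_oversized_unpadded(size_t payload_len)
{
    return payload_len > UINT16_MAX - ATTR_HDRLEN;
}

/* What would be stored in nla_len if no check were made at all. */
static uint16_t truncated_nla_len(size_t payload_len)
{
    return (uint16_t)(ATTR_HDRLEN + payload_len);
}

/* Writes one attribute into buf. Returns the padded number of bytes
 * consumed, or 0 if the payload is rejected or the buffer is too small. */
static size_t encode_attr(uint8_t *buf, size_t buf_len, uint16_t type,
                          const void *payload, size_t payload_len)
{
    if (attr_oversized_unpadded(payload_len)) {
        return 0;
    }
    size_t unpadded = ATTR_HDRLEN + payload_len;
    size_t padded = ATTR_ALIGN(unpadded);
    if (padded > buf_len) {
        return 0;
    }
    uint16_t nla_len = (uint16_t)unpadded;   /* cannot truncate here */
    memcpy(buf, &nla_len, sizeof nla_len);
    memcpy(buf + 2, &type, sizeof type);
    memcpy(buf + ATTR_HDRLEN, payload, payload_len);
    memset(buf + unpadded, 0, padded - unpadded);
    return padded;
}

/* Encodes a constructed all-zero payload and reads nla_len back from the
 * header. Returns -1 if the encoder rejected the payload. */
static long roundtrip_nla_len(size_t payload_len)
{
    size_t buf_len = (size_t)UINT16_MAX + 1 + ATTR_ALIGNTO;
    uint8_t *buf = malloc(buf_len);
    uint8_t *payload = calloc(payload_len ? payload_len : 1, 1);
    long result = -1;

    if (buf && payload
        && encode_attr(buf, buf_len, 1, payload, payload_len) > 0) {
        uint16_t nla_len;
        memcpy(&nla_len, buf, sizeof nla_len);
        result = nla_len;
    }
    free(payload);
    free(buf);
    return result;
}

int main(void)
{
    static const size_t sizes[] = { 65528, 65529, 65531, 65532 };

    printf("payload  old-rule  new-rule  nla_len\n");
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("%7zu  %-8s  %-8s  %ld\n", sizes[i],
               attr_oversized_padded(sizes[i]) ? "reject" : "accept",
               attr_oversized_unpadded(sizes[i]) ? "reject" : "accept",
               roundtrip_nla_len(sizes[i]));
    }
    printf("unchecked 65532-byte payload would store nla_len=%u\n",
           (unsigned)truncated_nla_len(65532));
    return 0;
}
```
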
9 years agoclassifier: Add support for conjunctive matches.
Ben Pfaff [Sun, 11 Jan 2015 21:25:24 +0000 (13:25 -0800)]
classifier: Add support for conjunctive matches.

A "conjunctive match" allows higher-level matches in the flow table, such
as set membership matches, without causing a cross-product explosion for
multidimensional matches.  Please refer to the documentation that this
commit adds to ovs-ofctl(8) for a better explanation, including an example.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
9 years agoclassifier: Make classifier_lookup() 'flow' parameter non-const.
Ben Pfaff [Thu, 30 Oct 2014 21:12:45 +0000 (14:12 -0700)]
classifier: Make classifier_lookup() 'flow' parameter non-const.

An upcoming commit will make classifier_lookup() sometimes modify its
'flow' argument temporarily during the lookup.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
---
v2: New patch.
v2.1: Rebase.
v3: Rebase.

9 years agoFAQ.md: Describe OpenFlow packet buffering.
Ben Pfaff [Fri, 9 Jan 2015 16:28:42 +0000 (08:28 -0800)]
FAQ.md: Describe OpenFlow packet buffering.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
9 years agovagrant: Build kernel module RPM
Thomas Graf [Fri, 9 Jan 2015 15:13:06 +0000 (16:13 +0100)]
vagrant: Build kernel module RPM

Installs the kernel-devel package of the currently running kernel and
builds the kmod RPM in the "install_rpm" phase.

Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Andy Zhou <azhou@nicira.com>
9 years agovagrant: make sure to bootstrap before configure_ovs.
Motonori Shindo [Fri, 9 Jan 2015 09:31:51 +0000 (18:31 +0900)]
vagrant: make sure to bootstrap before configure_ovs.

The order of execution in Vagrantfile is "outside-in" meaning that
all commands in outer scope are executed first and then the commands
in inner scope. Because of this ordering, "configure_ovs" is executed
before "bootstrap_fedora", resulting in "configure_ovs" to fail as
it is not bootstrapped yet. This change fixes this problem by removing
the nested scope in Vagrant.configure block. Multi-machine is not used
so we don't need config.vm.define block.

Signed-off-by: Motonori Shindo <motonori@shin.do>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
9 years agovagrant: switch to use out of tree build
Andy Zhou [Thu, 8 Jan 2015 03:42:41 +0000 (19:42 -0800)]
vagrant: switch to use out of tree build

Vagrant shared folder, at least on the default virtual box, does not
support the creation of the socket files. If one were to build OVS
under /vagrant, 'make check' would not work.

Out of tree builds can be used to work around this issue.
See Install.md for instructions.

Since out of tree builds require a clean source tree, Vagrantfile can
not be a generated file. This commit removes Vagrantfile.in and commits
Vagrantfile instead.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years agovlog: Rename the currently used term 'facility' as 'destination'.
Gurucharan Shetty [Tue, 6 Jan 2015 21:05:00 +0000 (13:05 -0800)]
vlog: Rename the currently used term 'facility' as 'destination'.

In OVS, we currently use the term 'facility' to mean the place
where we log (syslog, console or file). In Linux's syslog() and
rfc5424, the term 'facility' is used to specify what type of program
is logging the message (e.g: LOG_DAEMON). This causes confusion
while reading vlog's code. This commit changes the term 'facility'
to 'destination'.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years agodpif-netdev: Fix rare flow add race condition.
Ethan Jackson [Sat, 3 Jan 2015 19:39:14 +0000 (11:39 -0800)]
dpif-netdev: Fix rare flow add race condition.

Before this patch, dp_netdev_flow_add() inserted newly minted flows in
the "flow_table" cmap before inserting them into the per core "dpcls"
classifier.  Since dpcls_insert() initializes 'flow->cr.mask', there's
a brief window where the flow is accessible from the cmap, but has a
bogus mask value.

In my testing, under rare instances (i.e. once every 20 minutes with a
very specific flow table and traffic pattern), revalidators core dump
when they call dpif_netdev_flow_dump_next(), which accesses this bogus
mask value from dp_netdev_flow_to_dpif_flow().

By inserting into the per core classifier before the cmap, all the
values are guaranteed to be initialized during flow dumps.  With this
patch, I can no longer reproduce the crash.

Signed-off-by: Ethan Jackson <ethan@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
9 years agotests: Make test independent of the hash function.
Jarno Rajahalme [Wed, 7 Jan 2015 18:16:47 +0000 (10:16 -0800)]
tests: Make test independent of the hash function.

Otherwise compiling with -msse4.2 (or -march=native on a SSE4.2
capable CPU) will produce a test failure due to the CRC32-based hash
function being different from mhash.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years agoovs-dpctl: Minor manpages fixes.
Joe Stringer [Fri, 5 Dec 2014 23:21:58 +0000 (15:21 -0800)]
ovs-dpctl: Minor manpages fixes.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years agoodp-util: Reuse standard delimiters.
Joe Stringer [Fri, 5 Dec 2014 22:07:19 +0000 (14:07 -0800)]
odp-util: Reuse standard delimiters.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years agoSECURITY.md: LTS branches triggers version release
Flavio Leitner [Wed, 7 Jan 2015 16:26:42 +0000 (14:26 -0200)]
SECURITY.md: LTS branches triggers version release

The release cycle is in order of months currently, so when a
security fix is applied to LTS (long-term support) branches,
it is recommended to release a new version.

The idea is to keep the latest LTS tarball less vulnerable.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agoSECURITY.md: disclosure date can be negotiated
Flavio Leitner [Wed, 7 Jan 2015 16:26:41 +0000 (14:26 -0200)]
SECURITY.md: disclosure date can be negotiated

Stakeholders might need extra time to provide the update,
so let's leave it open to negotiate case by case with the
final word in the Open vSwitch security team's hands.  A
default policy is provided as a reference.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agoSECURITY.md: contributors must agree to confidentiality
Flavio Leitner [Wed, 7 Jan 2015 16:26:40 +0000 (14:26 -0200)]
SECURITY.md: contributors must agree to confidentiality

There is no point in having the special process if a
contributor refuses or doesn't agree with the
confidentiality terms.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agoINSTALL.md: Split building steps to allow refs
Flavio Leitner [Wed, 7 Jan 2015 14:13:34 +0000 (12:13 -0200)]
INSTALL.md: Split building steps to allow refs

There are other parts of the document that need to
reference some building steps.  Instead of copying
and explaining again, this patch splits the building
section in three sections that can be referenced.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
9 years agotravis: Update build matrix to include latest stable kernels
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
travis: Update build matrix to include latest stable kernels

Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years agodatapath: Account for new flags args of vxlan_sock_add()
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: Account for new flags args of vxlan_sock_add()

The upstream commit 359a0ea
("vxlan: Add support for UDP checksums (v4 sending, v6 zero csums)")
has introduced a new flags argument to vxlan_sock_add().

OVS does not pass any flags at this point, thus specifying 0 will be
compatible with both the old ipv6 bool and the new u32 flags argument.

Upstream: 359a0ea ("vxlan: Add support for UDP checksums (v4 sending, v6 zero csums)")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years agodatapath: replace remaining users of arch_fast_hash with jhash
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: replace remaining users of arch_fast_hash with jhash

This patch effectively reverts commit 500f80872645 ("net: ovs: use CRC32
accelerated flow hash if available"), and other remaining arch_fast_hash()
users such as from nfsd via commit 6282cd565553 ("NFSD: Don't hand out
delegations for 30 seconds after recalling them.") where it has been used
as a hash function for bloom filtering.

While we think that these users are actually not much of concern, it has
been requested to remove the arch_fast_hash() library bits that arose
from [1] entirely as per recent discussion [2]. The main argument is that
using it as a hash may introduce bias due to its linearity (see avalanche
criterion) and thus makes it less clear (though we tried to document that)
when this security/performance trade-off is actually acceptable for a
general purpose library function.

Let's therefore avoid any further confusion on this matter and remove it to
prevent any future accidental misuse of it. For the time being, this is
going to make hashing of flow keys a bit more expensive in the ovs case,
but future work could reevaluate a different hashing discipline.

  [1] https://patchwork.ozlabs.org/patch/299369/
  [2] https://patchwork.ozlabs.org/patch/418756/

Upstream: 8754589 ("net: replace remaining users of arch_fast_hash with jhash")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
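
An added example (not kernel or OVS code) of the linearity this commit message refers to, using a bitwise CRC32C as a stand-in for a CRC32-based hash: for a fixed-length key, the output difference caused by a given input difference is the same whatever the rest of the key is. The keys and function names are constructed for illustration, and Jenkins one-at-a-time is used as the non-linear comparison; it is not the kernel's jhash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN 16   /* constructed fixed-size key standing in for a flow key */
#define N_KEYS  64

typedef uint32_t (*hash_fn)(const uint8_t *, size_t);

/* Bitwise CRC32C (Castagnoli, reflected polynomial 0x82F63B78). */
static uint32_t crc32c_sw(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++) {
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
        }
    }
    return ~crc;
}

/* Jenkins one-at-a-time: mixes with additions, so it is not linear over XOR. */
static uint32_t oaat(const uint8_t *data, size_t len)
{
    uint32_t h = 0;
    for (size_t i = 0; i < len; i++) {
        h += data[i];
        h += h << 10;
        h ^= h >> 6;
    }
    h += h << 3;
    h ^= h >> 11;
    h += h << 15;
    return h;
}

/* Fills key number n with constructed pseudo-random bytes (simple LCG). */
static void make_key(uint32_t n, uint8_t key[KEY_LEN])
{
    uint32_t x = 0x9E3779B9u * (n + 1);
    for (size_t i = 0; i < KEY_LEN; i++) {
        x = x * 1664525u + 1013904223u;
        key[i] = (uint8_t)(x >> 24);
    }
}

/* hash(key ^ delta) ^ hash(key): how the output moves when the input moves. */
static uint32_t output_delta(hash_fn h, const uint8_t *key,
                             const uint8_t *delta)
{
    uint8_t flipped[KEY_LEN];
    for (size_t i = 0; i < KEY_LEN; i++) {
        flipped[i] = key[i] ^ delta[i];
    }
    return h(flipped, KEY_LEN) ^ h(key, KEY_LEN);
}

/* Counts the distinct output deltas seen across N_KEYS different keys for
 * one input delta. A hash that is linear over XOR always yields exactly 1. */
static int distinct_deltas(hash_fn h, const uint8_t *delta)
{
    uint32_t seen[N_KEYS];
    int n_seen = 0;

    for (uint32_t n = 0; n < N_KEYS; n++) {
        uint8_t key[KEY_LEN];
        int k;

        make_key(n, key);
        uint32_t d = output_delta(h, key, delta);
        for (k = 0; k < n_seen; k++) {
            if (seen[k] == d) {
                break;
            }
        }
        if (k == n_seen) {
            seen[n_seen++] = d;
        }
    }
    return n_seen;
}

int main(void)
{
    uint8_t delta[KEY_LEN] = { 0 };
    delta[5] = 0x10;   /* flip a single input bit */

    printf("distinct output deltas over %d keys\n", N_KEYS);
    printf("  crc32c: %d\n", distinct_deltas(crc32c_sw, delta));
    printf("  oaat:   %d\n", distinct_deltas(oaat, delta));
    return 0;
}
```
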
9 years agodatapath: introduce rtnl ops stub
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: introduce rtnl ops stub

This stub now allows userspace to see IFLA_INFO_KIND for ovs master and
IFLA_INFO_SLAVE_KIND for slave.

Upstream: 5b9e7e16 ("openvswitch: introduce rtnl ops stub")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years agodatapath: move vlan pop/push functions into common code
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: move vlan pop/push functions into common code

So it can be used from out of openvswitch code.
Did a couple of cosmetic changes on the way, namely variable naming and
adding support for 8021AD proto.

Note on backwards compatibility:
Unlike the upstream version, the backport of skb_vlan_push() does not
support translating a hardware accelerated 8021AD tag to software.
This is not a problem though as it preserves existing behaviour.

Upstream: 93515d53 ("net: move vlan pop/push functions into common code")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years agodatapath: move make_writable helper into common code
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: move make_writable helper into common code

note that skb_make_writable already exists in net/netfilter/core.c
but does something slightly different.

Upstream: e219512 ("net: move make_writable helper into common code")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years agodatapath: Add __vlan_insert_tag() compat helper if not available
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: Add __vlan_insert_tag() compat helper if not available

Since older kernels do not have skb->vlan_proto, it is assumed that
kernels which don't provide their own __vlan_insert_tag() will also
not have skb->vlan_proto. The backwards compat function therefore
only supports ETH_P_8021Q as the protocol type.

Upstream: 15255a43 ("vlan: introduce __vlan_insert_tag helper which does not free skb")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years agodatapath: Account for rename to vlan_insert_tag_set_proto()
Thomas Graf [Wed, 7 Jan 2015 11:55:49 +0000 (12:55 +0100)]
datapath: Account for rename to vlan_insert_tag_set_proto()

__vlan_put_tag() was renamed to vlan_insert_tag_set_proto() with
the argument list kept intact.

Upstream: 62749e ("vlan: rename __vlan_put_tag to vlan_insert_tag_set_proto")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years agoSECURITY: New document describing proposed security process for OVS.
Ben Pfaff [Tue, 6 Jan 2015 18:21:36 +0000 (10:21 -0800)]
SECURITY: New document describing proposed security process for OVS.

Open vSwitch needs some kind of process for handling vulnerabilities.  So
far, we've been pretty lucky that way, but it can't last forever, and I
think we'll be better off if we have at least the outline of an established
process whenever a significant vulnerability comes along.  Here's my draft
of a process based on the documentation of the OpenStack process at
https://wiki.openstack.org/wiki/Vulnerability_Management.

I don't have a lot of experience with this kind of thing myself, so I'd
appreciate critical review from anyone who does.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Reviewed-by: Flavio Leitner <fbl@redhat.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years agominiflow: Use 64-bit data.
Jarno Rajahalme [Tue, 6 Jan 2015 19:10:42 +0000 (11:10 -0800)]
miniflow: Use 64-bit data.

So far the compressed flow data in struct miniflow has been in 32-bit
words with a 63-bit map, allowing for a maximum size of struct flow of
252 bytes.  With the forthcoming Geneve options this is not sufficient
any more.

This patch solves the problem by changing the miniflow data to 64-bit
words, doubling the flow max size to 504 bytes.  Since the word size
is doubled, there is some loss in compression efficiency.  To counter
this some of the flow fields have been reordered to keep related
fields together (e.g., the source and destination IP addresses share
the same 64-bit word).

This change should speed up flow data processing on 64-bit CPUs, which
may help counterbalance the impact of making the struct flow bigger in
the future.

Classifier lookup stage boundaries are also changed to 64-bit
alignment, as the current algorithm depends on each miniflow word to
not be split between ranges.  This has resulted in new padding (part
of the 'mpls_lse' field).

The 'dp_hash' field is also moved to packet metadata to eliminate
otherwise needed padding there.  This allows the L4 to fit into one
64-bit word, and also makes matches on 'dp_hash' more efficient as
misses can be found already on stage 1.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years agohash: Add hash_add64().
Jarno Rajahalme [Tue, 6 Jan 2015 19:10:42 +0000 (11:10 -0800)]
hash: Add hash_add64().

Add support for adding 64-bit words to hashes.  This will be used by
subsequent patches.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years agohash: Make basis of hash_words64() 32 bits.
Jarno Rajahalme [Tue, 6 Jan 2015 21:48:54 +0000 (13:48 -0800)]
hash: Make basis of hash_words64() 32 bits.

The basis of hash_words64() was 64 bits, even when the hash value is
32 bits, thus confusing the domain and the range of the function.
This patch fixes this by making the basis a uint32_t.

Suggested-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
9 years agoofproto-dpif: Do not allow recirc_id freed by non-owning ofproto.
Alex Wang [Mon, 29 Dec 2014 22:10:56 +0000 (14:10 -0800)]
ofproto-dpif: Do not allow recirc_id freed by non-owning ofproto.

This commit changes the VLOG_ERR (for warning unmatched ofproto)
in ofproto_dpif_free_recirc_id() to an assert statement, so that
recirc_id is never allowed to be freed by non-owning ofproto.

Suggested-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years agoofproto: Don't count hidden rules in table stats.
Ben Pfaff [Tue, 6 Jan 2015 17:27:32 +0000 (09:27 -0800)]
ofproto: Don't count hidden rules in table stats.

The hidden rules created by in-band control and fail-open should not be
included in the table stats reported via OpenFlow.  I seem to recall that
this was done correctly in some previous version but it has broken since
then.  This commit fixes the problem and adds a test that should make it
harder to break again in the future.

Reported-by: Ashok Chippa <a.n.chippa@gmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
9 years agodatapath: Consistently include VLAN header in flow and port stats.
Ben Pfaff [Fri, 2 Jan 2015 22:54:50 +0000 (14:54 -0800)]
datapath: Consistently include VLAN header in flow and port stats.

Until now, when VLAN acceleration was in use, the bytes of the VLAN header
were not included in port or flow byte counters.  They were however
included when VLAN acceleration was not used.  This commit corrects the
inconsistency, by always including the VLAN header in byte counters.

Previous discussion at
http://openvswitch.org/pipermail/dev/2014-December/049521.html

Already committed to upstream Linux netdev tree as
24cc59d1ebaac54d933dc0b30abcd8bd86193eef.

Reported-by: Motonori Shindo <mshindo@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Reviewed-by: Flavio Leitner <fbl@sysclose.org>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
9 years agodatapath-windows: set the nlBuf tail properly
Alin Serdean [Mon, 5 Jan 2015 19:17:01 +0000 (19:17 +0000)]
datapath-windows: set the nlBuf tail properly

Move the tail of the netlink buffer according to the input data.
Currently _MapFlowStatsToNlStats overrides the netlink header information.

Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agodatapath-windows: Add a WFP system provider
Sorin Vinturis [Tue, 6 Jan 2015 10:56:49 +0000 (10:56 +0000)]
datapath-windows: Add a WFP system provider

This patch was enforced by the WHCK logo testing. In order to pass the
Windows Filtering Platform tests we need to add a persistent system
provider.

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-at: https://github.com/openvswitch/ovs-issues/issues/65
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agoovs-command-compgen: Avoid using GNU sed extensions.
Alex Wang [Sun, 4 Jan 2015 06:06:43 +0000 (22:06 -0800)]
ovs-command-compgen: Avoid using GNU sed extensions.

This commit changes '\?' to '\{0,1\}' to avoid using GNU
sed extension.

Found by using the script in FreeBSD.

Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years agovagrant: Provide basic Vagrantfile
Thomas Graf [Mon, 5 Jan 2015 15:22:56 +0000 (16:22 +0100)]
vagrant: Provide basic Vagrantfile

This is a basic Vagrantfile which compiles and provisions the local OVS
source tree in a Fedora 20 VM. The Vagrantfile.in can be extended to
support additional distributions.

To use this Vagrantfile:
 1. Install Vagrant plus a compatible hypervisor
 2. Run configure to translate Vagrantfile.in to Vagrantfile
 3. Run `vagrant up` to create & provision the VM
 4. Run `vagrant ssh` to log into the VM

Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Kyle Mestery <mestery@mestery.com>
9 years agotravis: support versioning of DPDK and options to specify git repo and tag
Shu Shen [Sat, 3 Jan 2015 07:14:30 +0000 (23:14 -0800)]
travis: support versioning of DPDK and options to specify git repo and tag

Use DPDK_VER to specify the version of DPDK, and DPDK_GIT to specify
the URL of the DPDK git repository.

Both flags require "DPDK=1" and "--with-dpdk" shall no longer be
specified as part of "OPTS" environment.

Example uses:

- skip both flags to use v1.7.1 tarball from dpdk.org as before:
    KERNEL=3.17.4 DPDK=1

- specify DPDK_VER only to use a version of tarball from dpdk.org:
    KERNEL=3.17.4 DPDK=1 DPDK_VER=1.7.1

- specify both DPDK_VER and DPDK_GIT to check out the tag "v$DPDK_VER"
  from the git repository "$DPDK_GIT":
    KERNEL=3.18 DPDK=1 DPDK_VER=1.7.1sp1 DPDK_GIT=https://github.com/shushen/dpdk

Signed-off-by: Shu Shen <shu.shen@radisys.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
9 years agoFreeBSD: Fix build failure.
Alex Wang [Sun, 4 Jan 2015 00:09:07 +0000 (16:09 -0800)]
FreeBSD: Fix build failure.

This commit fixes an include dependency for header ip6.h, on
FreeBSD.  Without this commit, the gmake of ovs master on
FreeBSD will result in the following error.

/usr/include/netinet/ip6.h:82: error: field 'ip6_src' has incomplete type
/usr/include/netinet/ip6.h:83: error: field 'ip6_dst' has incomplete type

Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
9 years agoofproto: Omit hidden tables from "next tables".
Ben Pfaff [Thu, 1 Jan 2015 22:40:44 +0000 (14:40 -0800)]
ofproto: Omit hidden tables from "next tables".

Hidden tables are intended to be concealed from OpenFlow, but their
presence leaked through the "next tables" and "instructions" in the OF1.3+
table features reply.  This fixes the problem.

Reported-by: "Ronaldo A. Ferreira" <ronaldof@CS.Princeton.EDU>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
9 years agogitignore: Ignore coverage data files.
Mijo Safradin [Fri, 2 Jan 2015 10:24:33 +0000 (11:24 +0100)]
gitignore: Ignore coverage data files.

Add coverage specific data files to gitignore.

Signed-off-by: Mijo Safradin <mijo@linux.vnet.ibm.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agosflow: Export OVS datapath performance counters via sFlow.
Neil McKee [Tue, 16 Dec 2014 22:42:05 +0000 (14:42 -0800)]
sflow: Export OVS datapath performance counters via sFlow.

The OVS cache hit/miss counters and memory/CPU usage statistics have been
identified as important metrics when managing large deployments. This patch
allows them to be pushed periodically as part of the sFlow feed, and
represents a more efficient and scalable alternative to polling via
ovs-dpctl(1).

Signed-off-by: Neil McKee <neil.mckee@inmon.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
9 years agovtep: Document rationale for the 'switches' column in the Global table.
Ben Pfaff [Mon, 1 Dec 2014 18:28:43 +0000 (10:28 -0800)]
vtep: Document rationale for the 'switches' column in the Global table.

At first glance it wasn't obvious why there was the possibility for more
than one switch.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>