Fix typos in comments.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <ee07b291@gmail.com>

tunnel: Validate IP header for userspace tunneling.

Currently, when doing userspace tunneling we don't perform much in
the way of integrity checks on the incoming IP header. The case of
tunneling is different from the usual case of switching since we are
acting as the endpoint here and should not allow invalid packets to
pass.

This adds checks for IP checksum, version, total length, and options and
drops packets that don't pass.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>

expr: Properly handle several cases involving string variables.

The expr test cases covered string variables poorly and thus a number of
bugs and omissions slipped through.  This fixes them and generalizes the
test cases to better cover string variables.

Reported-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

expr: Fix crossproduct example.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-northd: Document logical flow table structure.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ipfix: Fix SIGFPE in bridge exporter sampling.

A divide-by-zero exception like the below could occur when IPFIX
configuration is cleared while handling sampled packets from the
datapath. While it's not valid to configure the sampling probability of
IPFIX to zero via explicitly setting it in OVSDB, it is possible to
clear the configuration, which results in a probability of zero. In this
case, there is a window during which it is possible for upcalls to find
the cleared IPFIX object and attempt to perform sampling using it. Fix
the issue by ensuring that the probability is nonzero before using it.

"Program terminated with signal SIGFPE, Arithmetic exception."

dpif_ipfix_bridge_sample (...) at ../ofproto/ofproto-dpif-ipfix.c:1701
process_upcall (...) at ../ofproto/ofproto-dpif-upcall.c:1145
recv_upcalls (...) at ../ofproto/ofproto-dpif-upcall.c:705
udpif_upcall_handler (...) at ../ofproto/ofproto-dpif-upcall.c:631
ovsthread_wrapper (...) at ../lib/ovs-thread.c:340
start_thread (...) at pthread_create.c:312
clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Romain Lenglet <romain.lenglet@oracle.com>

ipfix: Add bridge_exporter_enabled().

Rather than describing this intention after the fact, encode this
meaning in the name of a function.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Romain Lenglet <romain.lenglet@oracle.com>

tests: Add basic IPFIX test.

Previously, we had no IPFIX tests in the testsuite. Now we have one.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Romain Lenglet <romain.lenglet@oracle.com>

ovn-northd: Minor logical flow table optimizations.

There's no need to add a priority-0 "drop" flow, because OVN logical flow
tables always drop non-matching packets.

There's no need to add a "drop" flow for ingress port security on disabled
logical ports, because no other flow would allow those packets; it's
more efficient to omit the logical flow entirely.

Finally, there's no need to add disabled logical ports to the MC_UNKNOWN
multicast group, since packets won't be delivered to a disabled logical
port anyway.  (This is just an optimization; the packets were dropped in
the egress pipeline anyway.)

Found by inspection.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ovn-northd: Don't deliver even broadcast packets to disabled logical ports.

Until now, the priority-100 flow for broadcast and multicast packets caused
such packets to be delivered to disabled logical ports.  This commit makes
ovn-northd add a priority-150 flow for each disabled logical port to
override that behavior.

Found by inspection.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

ofp-actions: Allow special handling for nested actions.

The next patch will introduce nested actions with special restrictions.
Refactor the action verification to allow ofpacts_verify() to identify
nesting so that these restrictions may be applied.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif-xlate: Introduce xlate_commit_actions().

This combines a common set of operations into a single command.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

dpif-netdev: Check for PKT_RX_RSS_HASH flag.

DPDK mbufs contain a valid RSS hash only if PKT_RX_RSS_HASH is
set in 'ol_flags'.  Otherwise the hash is garbage and doesn't
relate to the packet.

This fixes an issue with vhost, which, being a virtual NIC, doesn't
compute the hash.

Reported-by: Dongjun <dongj@dtdream.com>
Suggested-by: Flavio Leitner <fbl@sysclose.org>
Acked-by: Kevin Traynor <kevin.traynor@intel.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>

ovn-nbctl: Add ACL commands.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-nb: Add direction and reduce max priority for ACLs.

Introduce a new "direction" column to the ACL table that accepts the
values "to-lport" and "from-lport".  Also reserve the ACL priority 65535
for return traffic associated with the "allow-related" action.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ofproto: Implement OF1.4 Group & Meter change notification messages

This patch adds support for Openflow1.4 Group & meter change notification
messages. In a multi controller environment, when a controller modifies the
state of group and meter table, the request that successfully modifies this
state is forwarded to other controllers. Other controllers are informed with
the OFPT_REQUESTFORWARD message. Request forwarding is enabled on a per
controller channel basis using the Set Asynchronous Configuration Message.

Signed-off-by: Niti Rohilla <niti.rohilla@tcs.com>
Co-authored-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

tnl-arp-cache: Add a command to add or modify an ARP cache entry.

This allows the ARP cache to be prepopulated for testing purposes, so
that tests don't lose the first packet to each destination.  (I guess
this feature could have other uses too.)

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>

CONTRIBUTING: New "Tested-at" tag.

This seems somewhat useful.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

pcap-file: Flush packets to operating system immediately.

This makes the pcap files written by netdev-dummy up-to-date even if one
kills the process with a signal.  This could be a performance hit if
the pcap file writer were to be used in some kind of performance critical
situation, but so far it's only used in netdev-dummy, which is just for
testing.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>

tests: Replace ON_EXIT m4 macro by on_exit() shell function.

A shell function doesn't need quoted and unquoted variants and it
integrates naturally with other shell code.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>

tests: Automatically initialize OVS_*DIR vars when tests begin.

A lot of tests need to initialize the OVS_RUNDIR, OVS_LOGDIR, etc.
variables to point to the directory in which the tests run.  Until now,
each of them has had to do this individually, which is redundant.  This
commit starts to do this automatically.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>

ofproto-dpif-xlate: Lower missing netdev_max_backlog from WARN to INFO.

In a network namespace, /proc/sys/net/core/netdev_max_backlog is not
present, so people running OVS inside Docker will always get a log message
here.  That's not important enough to rise to a WARN level that causes
tests to fail, especially since the default value is rarely changed (and
wouldn't normally be lowered), so reduce the log leve for this to INFO.

Reported-by: qcorba <qcorba@gmail.com>
Reported-at: http://openvswitch.org/pipermail/discuss/2015-August/018581.html
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>

travis: Fix build with --enable-shared and DPDK 2.1.

When building OVS with --enable-shared, -fPIC should be used in DPDK
CFLAGS.  We used to add a custom option for this (CONFIG_RTE_BUILD_FPIC)
to the DPDK configuration, right after CONFIG_RTE_LIBNAME.

Since CONFIG_RTE_LIBNAME has been removed, it seems simpler to add our
custom option at the end of the file.

Furthermore, since vhost support is enabled by default in DPDK 2.1 and
vhost-user is OVS primary target, there's no need to customize the vhost
related option anymore.

Tested-at: https://travis-ci.org/ddiproietto/ovs/builds/79451461

Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Acked-by: Ben Pfaff <blp@nicira.com>

tun-metadata: Provide error messages during auto-allocation.

In cases where we don't have a map of tunnel metadata options (such
as with ovs-ofctl) we dynamically allocate them as part of the match.
However, dynamic allocation brings the possibility of errors such as
duplicate entries or running out of space. Up until now, anything that
would cause an error was silently ignored. Since that is not very user
friendly, this adds a mechanism for reporting these types of errors.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ofp-parse: Allow ofctl flow monitor filtering on field existence.

It is supposed to be possible to allow ovs-ofctl to filter flows
it is monitoring based on a match string. However, the parser will
reject expressions that match only on a field's existence (such as
Geneve options). This relaxes the restriction to bring it in line
with matches supported by other commands.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ofp-parse: Separate fields properly.

Currently, each token in an OpenFlow match field is treated separately -
whether this is a name, a value, or a single identifier. However, this
means that attempting to get a value may result in grabbing the next
token if no value exists. This avoids that problem by breaking the match
string down into its components and then individually separating it into
name/value pairs if appropriate.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

netdev-dpdk: Add some missing statistics.

New stats for vhost ports are rx_bytes, tx_bytes, multicast, rx_errors and
rx_length_errors. New stats for PMD ports are rx_dropped, rx_length_errors,
rx_crc_errors and rx_missed_errors. DPDK imissed packets are now classified
as dropped instead of errors.

Signed-off-by: Timo Puha <timox.puha@intel.com>
Tested-by: Daniele Di Proietto <diproiettod@vmware.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

rhel: s/OVN_DB/OVS_DB/ in ovn-controller unit.

I added a variable called OVN_DB, but had mixed up what this parameter
to ovn-controller was for.  This parameter is the location of the db
for the local ovs-vswitchd.  It then gets the OVN database location
from *that* db.  It seems fine to keep the env var in case someone
needs to override it for some reason, but correct the name and
description of what it is.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovn-sbctl: Adjust width for priority in lflow-list.

The format string for the output of lflow-list included a width of 3
characters for the priority.  ACLs use priorities up to 5 digits, so
change the width from 3 to 5.  This restores alignment of the next
field, "match".

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

smap: New macro SMAP_CONST1 for initializing immutable 1-member smaps.

Reviewing the ovn-controller code I started to notice a common pattern:

    struct smap ext_ids = SMAP_INITIALIZER(&ext_ids);
    smap_add(&ext_ids, "ovn-patch-port", network);
    ovsrec_port_set_external_ids(port, &ext_ids);
    smap_destroy(&ext_ids);

This seemed like a bit too much code for something as simple as
initializing an smap with a single key-value pair.  This commit allows the
code to be reduced to just:

    const struct smap ids = SMAP_CONST1(&ids, "ovn-patch-port", network);
    ovsrec_port_set_external_ids(port, &ids);

This new form also eliminates multiple memory allocation and free
operations, but I doubt that has any real effect on performance;
the primary goal here is code readability.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>

tnl-ports: Add destination IP and MAC address to the match.

Currently tnl-port table wildcard destination ip and mac addresses
for given tunnel packet.  That could result accepting tunnel
packets destined for other hosts.  Following patch adds
support for matching for ip and mac address.
IP address upates to tnl-port table are piggybacked on
ovs-router updates.

Reported-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn: Add "localnet" logical port type.

Introduce a new logical port type called "localnet".  A logical port
with this type also has an option called "network_name".  A "localnet"
logical port represents a connection to a network that is locally
accessible from each chassis running ovn-controller.  ovn-controller
will use the ovn-bridge-mappings configuration to figure out which
patch port on br-int should be used for this port.

OpenStack Neutron has an API extension called "provider networks" which
allows an administrator to specify that it would like ports directly
attached to some pre-existing network in their environment.  There was a
previous thread where we got into the details of this here:

  http://openvswitch.org/pipermail/dev/2015-June/056765.html

The case where this would be used is an environment that isn't actually
interested in virtual networks and just wants all of their compute
resources connected up to externally managed networks.  Even in this
environment, OVN still has a lot of value to add.  OVN implements port
security and ACLs for all ports connected to these networks.  OVN also
provides the configuration interface and control plane to manage this
across many hypervisors.

As a specific example, consider an environment with two hypvervisors
(A and B) with two VMs on each hypervisor (A1, A2, B1, B2).  Now imagine
that the desired setup from an OpenStack perspective is to have all of
these VMs attached to the same provider network, which is a physical
network we'll refer to as "physnet1".

The first step here is to configure each hypervisor with bridge mappings
that tell ovn-controller that a local bridge called "br-eth1" is used to
reach the network called "physnet1".  We can simulate the inital setup
of this environment in ovs-sandbox with the following commands:

  # Setup the local hypervisor (A)
  ovs-vsctl add-br br-eth1
  ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth1

  # Create a fake remote hypervisor (B)
  ovn-sbctl chassis-add fakechassis geneve 127.0.0.1

To get the behavior we want, we model every Neutron port connected to a
Neutron provider network as an OVN logical switch with 2 ports.  The
first port is a normal logical port to be used by the VM.  The second
logical port is a special port with its type set to "localnet".

To simulate the creation of the OVN logical switches and OVN logical
ports for A1, A2, B1, and B2, you can run the following commands:

  # Create 4 OVN logical switches.  Each logical switch has 2 ports,
  # port1 for a VM and physnet1 for the existing network we are
  # connecting to.
  for n in 1 2 3 4; do
      ovn-nbctl lswitch-add provnet1-$n

      ovn-nbctl lport-add provnet1-$n provnet1-$n-port1
      ovn-nbctl lport-set-macs provnet1-$n-port1 00:00:00:00:00:0$n
      ovn-nbctl lport-set-port-security provnet1-$n-port1 00:00:00:00:00:0$n

      ovn-nbctl lport-add provnet1-$n provnet1-$n-physnet1
      ovn-nbctl lport-set-macs provnet1-$n-physnet1 unknown
      ovn-nbctl lport-set-type provnet1-$n-physnet1 localnet
      ovn-nbctl lport-set-options provnet1-$n-physnet1 network_name=physnet1
  done

  # Bind lport1 (A1) and lport2 (A2) to the local hypervisor.
  ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=provnet1-1-port1
  ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=provnet1-2-port1

  # Bind the other 2 ports to the fake remote hypervisor.
  ovn-sbctl lport-bind provnet1-3-port1 fakechassis
  ovn-sbctl lport-bind provnet1-4-port1 fakechassis

After running these commands, we have the following logical
configuration:

  $ ovn-nbctl show
    lswitch 035645fc-b2ff-4e26-b953-69addba80a9a (provnet1-4)
        lport provnet1-4-physnet1
            macs: unknown
        lport provnet1-4-port1
            macs: 00:00:00:00:00:04
    lswitch 66212a85-b3b6-4688-bcf6-8062941a2d96 (provnet1-2)
        lport provnet1-2-physnet1
            macs: unknown
        lport provnet1-2-port1
            macs: 00:00:00:00:00:02
    lswitch fc5b1141-0216-4fa7-86f3-461811c1fc9b (provnet1-3)
        lport provnet1-3-physnet1
            macs: unknown
        lport provnet1-3-port1
            macs: 00:00:00:00:00:03
    lswitch 9b1d2636-e654-4d43-84e8-a921af611b33 (provnet1-1)
        lport provnet1-1-physnet1
            macs: unknown
        lport provnet1-1-port1
            macs: 00:00:00:00:00:01

We can also look at OVN_Southbound to see that 2 logical ports are bound
to each hypervisor:

  $ ovn-sbctl show
  Chassis "56b18105-5706-46ef-80c4-ff20979ab068"
      Encap geneve
          ip: "127.0.0.1"
      Port_Binding "provnet1-1-port1"
      Port_Binding "provnet1-2-port1"
  Chassis fakechassis
      Encap geneve
          ip: "127.0.0.1"
      Port_Binding "provnet1-3-port1"
      Port_Binding "provnet1-4-port1"

Now we can generate several packets to test how a packet would be
processed on hypervisor A.  The OpenFlow port numbers in this demo are:

  1 - patch port to br-eth1 (physnet1)
  2 - tunnel to fakechassis
  3 - lport1 (A1)
  4 - lport2 (A2)

Packet test #1: A1 to A2 - This will be output to ofport 1.  Despite
both VMs being local to this hypervisor, all packets betwen the VMs go
through physnet1.  In practice, this will get optimized at br-eth1.

  ovs-appctl ofproto/trace br-int \
    in_port=3,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 -generate

Packet test #2: physnet1 to A2 - Consider this a continuation of test
is attached to will be considered.  The end result should be that the
only output is to ofport 4 (A2).

  ovs-appctl ofproto/trace br-int \
    in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 -generate

Packet test #3: A1 to B1 - This will be output to ofport 1, as physnet1
is to be used to reach any other port.  When it arrives at hypervisor B,
processing would look just like test #2.

  ovs-appctl ofproto/trace br-int \
    in_port=3,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:03 -generate

Packet test #4: A1 broadcast. - Again, the packet will only be sent to
physnet1.

  ovs-appctl ofproto/trace br-int \
    in_port=3,dl_src=00:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff -generate

Packet test #5: B1 broadcast arriving at hypervisor A.  This is somewhat
a continuation of test #4.  When a broadcast packet arrives from
physnet1 on hypervisor A, we should see it output to both A1 and A2
(ofports 3 and 4).

  ovs-appctl ofproto/trace br-int \
    in_port=1,dl_src=00:00:00:00:00:03,dl_dst=ff:ff:ff:ff:ff:ff -generate

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovn: Automatically create br-int in ovn-controller.

ovn-controller previously required the integration bridge to be
created before running ovn-controller.  This patch makes
ovn-controller automatically create it if it doesn't already exist.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

dpdk: add support for v2.1.0

Update relevant artifacts to add support for DPDK v2.1.0
 - INSTALL.DPDK.md
 - acinclude.m4: Change DPDK library name
 - netdev-dpdk: Limit minimum mbuf size to to adapt to DPDK bug fix that
   changes the treatment of the requested mbuf size
 - build.sh: Change DPDK version number

Note that this breaks compatibility with DPDK v2.0.0 although only
for the library name change.

Note that throughput for vhost ports with mergeable buffers is reduced
about 10% due to a necessary bug fix in DPDK vhost code.

Signed-off-by: Mark Kavanagh <mark.b.kavanagh@intel.com>
Signed-off-by: Michal Weglicki <michalx.weglicki@intel.com>
Signed-off-by: Timo Puha <timox.puha@intel.com>
Acked-by: Daniele Di Proietto <diproiettod@vmware.com>

netdev-dpdk: Fix build failure due to new struct eth_addr.

The netdev-dpdk uses the struct ether_addr rather than struct eth_addr
internal ovs datatype.

To facilitate using either the .ea OR the struct ether_addr.addr_bytes
argument for printing/logging, add a new ETH_ADDR_BYTES_ARG() define.

Signed-off-by: Aaron Conole <aconole@redhat.com>
[blp@nicira.com made stylistic changes]
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovsdb: Update _version more accurately in transaction commit.

The _version column in each OVSDB row is supposed to be updated whenever
any other column in the row changes.  However, the transaction code was
not careful to do this only when a row actually changed--there were other
cases where a row was considered at transaction commit time and _version
updated even though the row did not actually change.  For example,
ovsdb_txn_adjust_atom_refs() calls find_or_make_txn_row(), which calls
ovsdb_txn_row_modify(), which updates _version, but
ovsdb_txn_adjust_atom_refs() doesn't actually update any data.

One way to fix this would be to carefully consider and adjust all the code
that looks at transaction rows.  However, this seems somewhat error prone
and thus difficult to test.  This commit takes a different approach: it
drops the code that adjusts _version on the fly, instead replacing it by
a final pass over the database at the end of the commit process that checks
for each row whether any columns changed and updates _version at that point
if any did.  That seems pretty foolproof to me.

Reported-by: RishiRaj Maulick <rishi.raj2509@gmail.com>
Reported-at: http://openvswitch.org/pipermail/dev/2015-August/059439.html
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>
Tested-by: RishiRaj Maulick <rishi.raj2509@gmail.com>

datapath-windows: Tunnel filter initialization check

Verify if the tunnel filter is initialized before submitting requests.

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-at: https://github.com/openvswitch/ovs-issues/issues/100
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath-windows: Add corresponding tag for tunnel context allocations

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath-windows: New tag for tunnel filter pool allocations

All memory allocations within tunnel filter code have 'WSVO' pool tag.

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

.travis.yml: Direct email notifications to ovs-build without encryption.

Maybe it'll work, this way.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

packets: Avoid compile errors.

Commit 74ff3298c880 (userspace: Define and use struct eth_addr.) introduced
a compilation issue due to a bad unsigned 64-bit constant, as well as an
implicit narrow.

This commit uses the C99 ULL suffix to tell the compiler to treat the
constant as 64-bits, and also masks portions of the uint64_t argument to
the htons() calls to avoid compiler errors.

Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

Very pleased to make this change request.

Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

tests: Add unit tests for ovn-nbctl.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovn-nbctl: Sort output of most commands.

This will be helpful for unit tests.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

tests: Group the OVN tests together.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

tests: Fix banner name for ovn-sbctl.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

sandbox: Include vtep dir into the sandbox path

Otherwise the built vtep-ctl is not available from the
sandbox command line.

Signed-off-by: Miguel Angel Ajo <mangelajo@redhat.com>
Acked-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

FAQ: Mention plotnetcfg tool.

The plotnetcfg is an open source tool to visualy represent
relationship between network interfaces on a single host.

It helps to understand the path of a packet on a host.

Signed-off-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath-windows: check vport attribute before access

OVS_VPORT_ATTR_OPTIONS being an optional attribute should be
preceded by a check for valid value before access.

Signed-off-by: Nithin Raju <nithin@vmware.com>
Acked-by: Sairam Venugopal <vsairam@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovn: Document supported predicates.

ovn-sb(5) discussed that predicates are supported and described what
they were.  It did not list the predicates that are defined for OVN
matches.  This patch lists the supported predicates and what they
expand to.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

INSTALL.DPDK: Fix a typo.

I started by just fixing s/expect/expects/ and made a couple more
tweaks to the short paragraph while I was in there.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Acked-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

netdev-linux: Don't set ethtool flags if flag is already set on netdev

Check if ethtool flags is already set on a netdev, before trying to set it.

This patch works around issues with some older verison of ethernet drivers,
which tend to reset the NIC when call to disable LRO is made, even if LRO is
already disable on that NIC. NIC reset is not desirable in OVS upgrade scenario
as it causes extended downtime.

Signed-off-by: Anoob Soman <anoob.soman@citrix.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

datapath: Add net/ip6_checksum.h to stt.c

`csum_ipv6_magic` is an asm inline on most platforms. However if it is
not defined (like on ppc64le) including <net/ip6_checksum.h> will fall
back to the c implementation by wrapping it in an
`#ifndef _HAVE_ARCH_IPV6_CSUM`.

Signed-off-by: Jason Kölker <jason@koelker.net>
Signed-off-by: Jesse Gross <jesse@nicira.com>

dpif-netdev: Purge all ukeys when reconfigure pmd.

When dpdk configuration changes, all pmd threads are recreated
and rx queues of each port are reloaded.  After this process,
rx queue could be mapped to a different pmd thread other than
the one before reconfiguration.  However, this is totally
transparent to ofproto layer modules.  So, if the ofproto-dpif-upcall
module still holds ukeys generated before pmd thread recreation,
this old ukey will collide with the ukey for the new upcalls
from same traffic flow, causing flow installation failure.

To fix the bug, this commit adds a new call-back function
in dpif layer for notifying upper layer the purging of datapath
(e.g. pmd thread deletion in dpif-netdev).  So, the
ofproto-dpif-upcall module can react properly with deleting
the ukeys and with collecting flows' last stats.

Reported-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Alex Wang <ee07b291@gmail.com>
Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
Tested-by: Daniele Di Proietto <diproiettod@vmware.com>
Acked-by: Joe Stringer <joestringer@nicira.com>

ofproto-dpif-upcall: Allow main thread to pause all revalidators.

This commit adds logic using ovs barrier to allow main thread pause
all revalidators.  This new feature will be used in a later patch.

Signed-off-by: Alex Wang <ee07b291@gmail.com>
Acked-by: Joe Stringer <joestringer@nicira.com>

ovn-sb: Describe the pipeline stages generated by ovn-northd.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>

ovn-sb: Clarify ovn-northd's responsibilities.

The old documentation incorrectly attributed logical flow generation to
the CMS instead of ovn-northd.  This also corrects how a database is
referenced in the documentation.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>

ovn-architecture: Fix capitalization of a title.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>

lib/ofpbuf: make ofpbuf_use() static

There is no external users for ofpbuf_use() directly.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

lib/jsonrpc: make use of ofpbuf_use_ds()

Make use of ofpbuf_use_ds() to simplify code.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

jsonrpc: use json_to_ds to speed up jsonrpc_send

This change reuses the string length that available from 'ds', saving
a strlen() call.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

lib/ofpbuf: add ofpbuf_use_ds() API

Add an API to convert a dynamic string object into ofpbuf.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

lib/ofpbuf: refactor ofpbuf_use__() API

Add the size to its parameter list.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

lib/dynamic-string: coding style fix

Remove tabs per coding style

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovs-ctl: Add option to delete transient ports.

When using virtualization, new ports are created and removed all the time. These
ports do not persist after a system reboot, for example. They may be created
again by the virtualization manager, but that will happen after the vswitch is
already running, and the virtualization manager will add them again to the
bridge.

If a reboot happens without properly deleting such ports, all kinds of errors
will happen. The absence of the ports will be logged as errors, and adding those
ports again to the database will fail.

Deleting all bridges may not be an option, if the system cannot persist other
information outside of OVSDB.

This patch introduces the notion of transient ports. Ports may be added as
transient, as a boolean in other_config smap. When openvswitch is started by
using --delete-transient-ports ovs-ctl option, all transient ports will be
removed.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovn: Add bridge mappings to ovn-controller.

Add a new OVN configuration entry in the Open_vSwitch database called
"ovn-bridge-mappings".  This allows the configuration of mappings
between a physical network name and an OVS bridge that provides
connectivity to that network.

For example, if you wanted to configure "physnet1" to map to "br-eth0"
and "physnet2" to map to "br-eth1", the configuration would be:

  $ ovs-vsctl set open . \
  > external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1

Patch ports between these bridges and the integration bridge are
automatically created and also removed if necessary when the
configuration changes.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

authors: Update authors list with my new email.

Signed-off-by: Ethan J. Jackson <ejj@eecs.berkeley.edu>
Acked-by: Justin Pettit <jpettit@nicira.com>

datapath-windows: Clean up properly in case of driver init failure.

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Acked-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovsdb: Remove misleading OVS_UNUSED from ovsdb_monitor_change_cb().

This function does use this parameter.

(This does not change any behavior.)

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>

datapath-windows: Support for IRP cancelling mechanism

Under certain circumstances, we might need to cancel a pending IRP
that has been submitted and not yet responded. This might occur when
the request takes too long to complete or when the process which
initiated the request terminated, leaving the request outstanding.

This patch provides this missing piece by adding support for IRP
cancelling mechanism.

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-at: https://github.com/openvswitch/ovs-issues/issues/95
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath-windows: Process tunnel filter requests iteratively

In order to support IRP cancelling mechanism for pending IRPs, all
tunnel filter requests, VXLAN create/delete tunnel, need to be
processed iteratively.

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

netdev-windows: Fix typo in call to memcpy().

This fixes a build error introduced by commit 74ff3298c (userspace:
Define and use struct eth_addr.)

Signed-off-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

flow: Fix MSVC compile errors.

This fixes some MSVC build errors introduced by commit 74ff3298c
(userspace: Define and use struct eth_addr.)

MSVC doesn't like the change in 'const' between function declaration and
definition: it reports "formal parameter 2 different from declaration" for
each of the functions in flow.h corrected by this (commit.  I think it's
technically wrong about that, standards-wise.)

MSVC doesn't like an empty-brace initializer.  (I think it's technically
right about that, standards-wise.)

This commit attempts to fix both problems, but I have not tested it with
MSVC.

CC: Jarno Rajahalme <jrajahalme@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Tested-by: Nithin Raju <nithin@vmware.com>

datapath: check for rx handler register

Red Hat Enterprise Linux 6 has backported the netdev RX
handler facility so use the netdev_rx_handler_register as
an indicator.

The handler prototype changed between 2.6.36 and 2.6.39
since there could be backports in any stage, don't look
at the kernel version, but at the prototype.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

tunnel: Support matching on the presence of Geneve options.

Sometimes it is useful to match only on whether a Geneve option
is present even if the specific value is unimportant. A special
case of this is zero length options where there is no value at all
and the only information conveyed is whether the option was included
in the packet.

This operation was partially supported before but it was not consistent -
in particular, options were never serialized through NXM/OXM unless
they had a non-zero mask. Furthermore, zero length options were rejected
altogether when they were installed through the Geneve map OpenFlow
command.

This adds support for these types of matches by making any NXM/OXM for
tunnel metadata force a match on that field. In the case of a zero length
option, both the value and mask of the NXM are ignored.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>

bridge: Relax the whitelist format for punix path.

This commit relaxes the whitelist format for punix path of
service controller.  Instead of only allowing
punix:<ovs_rundir>/<bridge_name>.controller, the new format
allows any suffix, like punix:<ovs_rundir>/<bridge_name>.*.
(except one containing '/').

Signed-off-by: Alex Wang <ee07b291@gmail.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif-upcall: Do not attribute stats when flow_del returns error.

In the push_ukey_ops__(), when flow_del operation returns error, the 'struct
stats' passed to the operation function will be set to all zero.  And we
should not use it to calculate the delta (i.e. minus the zero stats by the
cached stats causes overflow).

Even though this should rarely happen, it is still good to make
push_ukey_ops__() just ignore the operation when it fails.

Signed-off-by: Alex Wang <ee07b291@gmail.com>
Acked-by: Daniele Di Proietto <diproiettod@vmware.com>

datapath-windows: Fix broken build.

Change variable name from nlAttrs to flowAttrs.

Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

userspace: Define and use struct eth_addr.

Define struct eth_addr and use it instead of a uint8_t array for all
ethernet addresses in OVS userspace.  The struct is always the right
size, and it can be assigned without an explicit memcpy, which makes
code more readable.

"struct eth_addr" is a good type name for this as many utility
functions are already named accordingly.

struct eth_addr can be accessed as bytes as well as ovs_be16's, which
makes the struct 16-bit aligned.  All use seems to be 16-bit aligned,
so some algorithms on the ethernet addresses can be made a bit more
efficient making use of this fact.

As the struct fits into a register (in 64-bit systems) we pass it by
value when possible.

This patch also changes the few uses of Linux specific ETH_ALEN to
OVS's own ETH_ADDR_LEN, and removes the OFP_ETH_ALEN, as it is no
longer needed.

This work stemmed from a desire to make all struct flow members
assignable for unrelated exploration purposes.  However, I think this
might be a nice code readability improvement by itself.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>

appveyor: Renew SSL link.

1_0_2a version not available for download.

Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>

rhel: Add variables for OVN and VTEP db locations.

Most real deployments will need to customize the database locations
for ovn-controller and ovn-controller-vtep.  Instead of making them
override the entire command used to start the daemons, provide and
document some environment variables that can be overridden in a custom
config file.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

rhel: Add systemd suport for ovn-controller-vtep.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

rhel: Use same rundir for ovs and ovn.

The previous systemd units for OVN had systemd create a rundir for
each daemon (ovn-northd and ovn-controller).  This "worked", in that
the services did start successfully.  However, they didn't actually
work.  In practice, both services make use of files in the main ovs
rundir, so just run everything from there.  It keeps things simple and
makes the services actually work.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofp-actions: Don't encode variable length fields using NXAST_REG_LOAD.

Currently, when using an OpenFlow 1.0 connection to encode a
tunnel metadata set field action, a series of NXAST_REG_LOADs
are emitted. The result is something like this:

actions=load:0xa->NXM_NX_TUN_METADATA0[0..63],load:0->
NXM_NX_TUN_METADATA0[64..127],load:0->NXM_NX_TUN_METADATA0[128..191],
load:0->NXM_NX_TUN_METADATA0[192..255],load:0->NXM_NX_TUN_METADATA0
[256..319],load:0->NXM_NX_TUN_METADATA0[320..383],load:0->
NXM_NX_TUN_METADATA0[384..447],load:0->NXM_NX_TUN_METADATA0[448..511],
load:0->NXM_NX_TUN_METADATA0[512..575],load:0->NXM_NX_TUN_METADATA0
[576..639],load:0->NXM_NX_TUN_METADATA0[640..703],load:0->
NXM_NX_TUN_METADATA0[704..767],load:0->NXM_NX_TUN_METADATA0[768..831],
load:0->NXM_NX_TUN_METADATA0[832..895],load:0->NXM_NX_TUN_METADATA0
[896..959],load:0->NXM_NX_TUN_METADATA0[960..991]

This happens because tunnel metadata is seen as a maximum size field
and so many loads need to be emitted to cover the entire thing. Besides
being ugly (this shows up when using ovs-ofctl in the default
configuration), it exposes the internal size of the field. While this
shouldn't be an issue since specific protocol fields (such as Geneve
options) have fixed max sizes even if the OVS implementation is extended,
it's still not a great idea.

If we instead use NXAST_REG_LOAD2 in cases where there isn't a suitable
OpenFlow alternative, both problems are avoided:

actions=set_field:0xa->tun_metadata0

This prefers NXAST_REG_LOAD2 for variable length fields since they would
all generally have the same problems. In addition, since the concept of
this type of field is fairly new, there are no backwards compatibility
issues.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

datapath-windows: Suppress flow attribute probe.

This patch surpresses flow attribute probing in the windows datapath.

Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

tests: Avoid nonportable "sed -i".

"sed -i" isn't entirely portable, and we can avoid it by using the
argument to check_logs as intended.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>

datapath-windows: Enable failure after restarting extension

If the extension was previously enabled and running, after issuing a
restart, stop+start, the extension fails to be enabled. This happens
because the extension's DeviceObject is not yet initialized before the
FilterAttach routine is called.

This patch addresses this issue.

Signed-off-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-by: Sorin Vinturis <svinturis@cloudbasesolutions.com>
Reported-at: https://github.com/openvswitch/ovs-issues/issues/96
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: check for el6 kernels for per_cpu

The OVS hook has been backported so it doesn't work to
decide per_cpu work arounds.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

datapath: check for backported ip_is_fragment

Red Hat Enterprise Linux 6 has backported it from upstream,
so check for ip_is_fragment instead of kernel version.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

datapath: check for backported proto_ports_offset

Red Hat Enterprise Linux 6 has backported it from upstream,
so check for proto_ports_offset instead of kernel version.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

datapath: improve l4_rxhash regex

Red Hat Enterprise Linux 6 has a comment saying
that it doesn't support l4_rxhash which matches
the current grep regex.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

AUTHORS: Add Sairam Venugopal

Signed-off-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>

Update my email address.

Signed-off-by: Alex Wang <ee07b291@gmail.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

flow: Workaround for GCC false-positive compilation error.

Without an explicit bounds check GCC 4.9 issues an array out of bounds
error.  This patch adds explicit checks which will however be
optimized away as the relevant parameters are compile-time constants.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

meta-flow: Initialize the whole exact_match_mask.

Initialize the whole 'exact_match_mask' in global scope and use it in
mf_mask_field_and_prereqs() and mf_mask_field().

Requested-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

ovs-ctl: Fix indentation when deleting bridges.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Acked-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

expr: Add and clarify a few comments and assertions.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>

sset: New function sset_intersect().

This will acquire its first user in an upcoming commit.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>

datapath-windows: Fix iterator in NlAttrParse()

Signed-off-by: Sairam Venugopal <vsairam@vmware.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

meta-flow: Minor refactoring.

Change mf_mask_field_and_prereqs() to take a struct flow_wildcards
pointer instead of a struct flow pointer so that we can use
WC_MASK_FIELD() and WC_MASK_FIELD_MASK() macros to wildcard fields.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>