git.cascardo.eti.br Git - cascardo/ovs.git/log

Set dates for 1.9.0 release.

This also sets the dates for 1.8.0, even though it was an internal-only
release.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

datapath: fix the calculation of checksum for vlan header

In vlan_insert_tag(), we insert a 4-byte VLAN header _after_
mac header:

        memmove(skb->data, skb->data + VLAN_HLEN, 2 * ETH_ALEN);
        ...
        veth->h_vlan_proto = htons(ETH_P_8021Q);
        ...
        veth->h_vlan_TCI = htons(vlan_tci);

so after it, we should recompute the checksum to include these 4 bytes.
skb->data still points to the mac header, therefore VLAN header is at
(2 * ETH_ALEN = 12) bytes after it, not (ETH_HLEN = 14) bytes.

This can also be observed via tcpdump:

         0x0000:  ffff ffff ffff 5254 005d 6f6e 8100 000a
         0x0010:  0806 0001 0800 0604 0001 5254 005d 6f6e
         0x0020:  c0a8 026e 0000 0000 0000 c0a8 0282

Similar for __pop_vlan_tci(), the vlan header we remove is the one
overwritten in:

memmove(skb->data + VLAN_HLEN, skb->data, 2 * ETH_ALEN);

Therefore the VLAN_HLEN = 4 bytes after 2 * ETH_ALEN is the part
we want to sub from checksum.

Cc: David S. Miller <davem@davemloft.net>
Cc: Jesse Gross <jesse@nicira.com>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

ofp-msgs: ensure that l2 is set in ofpmp_reserve()

Ensure that the buffer returned by ofpmp_reserve() has buf->l2 set
as this may be required by nxm_reg_load_to_nxast() when generating
the reply to an stats request

This problem was observed when dumping a large number of flows
with set_field actions using ovs-ofctl dump-flows.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Co-authored-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Simon Horman <horms@verge.net.au>

datapath: Fix ovs_vport_cmd_del return value on success

If the pointer does not represent an error then the PTR_ERR macro may still
return a nonzero value. The fix is the same as in ovs_vport_cmd_set.

Signed-off-by: Rich Lane <rlane@bigswitch.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

NEWS: Rearrange announcements related to 1.9.

Suggested-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Justin Pettit <jpettit@nicira.com>

tunneling: Don't send ICMP messages if no tunnel port is found.

Some tunnel code in OVS (for example, CAPWAP) uses the skb->cb to
store information while processing packets.  However, if we don't
find an appropriate tunnel port on receive, then we send an ICMP
port unreachable message, which calls back into the IP stack.  The
stack assumes that skb->cb will still contain valid information
about from the IP layer, including any IP options.  As a result,
icmp_echo_options() can read the garbage values from OVS and
overwrite data on the stack, panicing the machine.

This simply stops sending ICMP messages when ports are not found.
Many people find them confusing and flow based tunneling will
never send them (since it always finds a port) so it solves both
problems at once.

Bug #14880

Reported-by: Deepesh Govindan <dgovindan@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>
Conflicts:

datapath/vport-vxlan.c

ofp-parse: Ignore "idle_age" and "hard_age" when parsing a flow string.

It should be possible to feed to output of "ovs-ofctl dump-flows" to
"ovs-ofctl add-flows".  However, some of the metadata needs to be
ignored.  "idle_age" and "hard_age" was recently added to the output of
"ovs-ofctl dump-flows", but they were not ignored like the other
metadata.  This commit ignores them.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

ovsdb-tool: Fix memory leak on error path in "show-log" implementation.

Found by Coverity.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

ovsdb-idl: Fix memory leak on error path.

Found by Coverity.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

meta-flow: Add missing "break" to mf_set_wild().

Found by Coverity.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

meta-flow: Avoid null pointer dereference in mf_format_frag_string().

The 'maskp' parameter to this function can be NULL, but the function
always dereferenced it. This commit fixes the problem.

This commit also fixes the order in which the value and mask were adjusted
to correctly discard 1-bits outside of FLOW_NW_FRAG_MASK.

Found by Coverity.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

worker: Don't have worker abort when parent dies.

Depending on how forcefully the parent process is killed, the worker
could abort when trying to read or write on their shared socket. This
changes those errors from VLOG_ABORT to VLOG_FATAL so that a core isn't
generated.

Bug #14821

Reported-by: Amey Bhide <abhide@nicira.com>
Signed-off-by: Justin Pettit <jpettit@nicira.com>

ofproto: Properly refresh rule modified time when nothing else changes.

In Open vSwitch, a "modify" or "modify_strict" flow_mod is supposed to
refresh the flow's last-modified time even if nothing else changes, because
this interpretation makes the "learn" action more useful.  As commit
308881afb (ofproto: Reinterpret meaning of OpenFlow hard timeouts with
OFPFC_MODIFY.) notes:

    I finally found a good use for hard timeouts in OpenFlow, but they
    require a slight reinterpretation of the meaning of hard timeouts.
    Until now, a hard timeout meant that a flow would be removed the
    specified number of seconds after a flow was created.  Intervening
    modifications with OFPFC_MODIFY(_STRICT) had no effect on the hard
    timeout; the flow would still be deleted the specified number of
    seconds after its original creation.

    This commit changes the effect of OFPFC_MODIFY(_STRICT).  Now,
    modifying a flow resets its hard timeout counter.  A flow will time out
    the specified number of seconds after creation or after the last time
    it is modified, whichever comes later.

However, commit 080437614b (ofproto: Represent flow cookie changes as
operations too.) broke this behavior because it incorrectly optimized out
"modify" operations that didn't change the flow's actions or flow cookie.
This commit fixes the problem, and adds a test to prevent future
regression.

Thanks to Amar Padmanabhan <amar@nicira.com> for helping to track this
down.

Bug #14841.
Reported-by: Hiroshi Tanaka <htanaka@vmware.com>
CC: Amar Padmanabhan <amar@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Clear struct ovs_key_ipv4_tunnel padding.

Following patch memset ovs_key_ipv4_tunnel padding area so that
packets from a flow would be mapped to same flow in kernel datapath
flow table.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Bug #14843

linux: Increase accuracy of ingress_policing_rate at low rates

The current method of calculating the ingress policer rate
can lead to inaccuracy if ingress_policing_rate is set to
a smallish values because the rate is divided by 8 first
which causes rounding errors.

Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

rhel: Add OVSREQUIRES to automatically bring up OpenFlow interface dependencies

The use of OpenFlow controllers may require for a subset of
the network (typically the management network intrerface) to be
brought up before the openvswitch service is started.

The newly introduced key "OVSREQUIRES" allows to specify a
list of interfaces that need the be brought up before the
openvswitch service is autostarted. It is also possible to
build a chain of bridge dependencies.

TYPE=OVSBridge
OVSREQURIES="em1"
[...]

A special UPPEDSTACK var that is passed along avoids getting
lost in dependency loops.

Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

rhel: Automatically start openvswitch service before bringing an ovs interface up or down

This patch modifies the ifup/ifdown scripts to automatically
start the openvswitch service before ovs-vsctl is invoked thus
not making it mandatory to auto-start openvswitch on boot.

Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

dpif-linux: Report dropped lost messages at WARN level.

Messages about packets being lost are logged at level WARN, but when
they were generated at a high rate, those consolidated messages were
logged at ERR. This changes to consolidated messages to be logged at
WARN, too.

Thanks to Ben Pfaff for quickly suggesting the culprit.

Bug #14783

Reported-by: James Schmidt <jschmidt@nicira.com>
Signed-off-by: Justin Pettit <jpettit@nicira.com>

ovsdb: Fix double-free in ovsdb_jsonrpc_session_close().

ovsdb_session_destroy() was called twice but it should only be called once.

This double-free is unlikely to cause problems in practice because it only
triggers if there were ever more than two outstanding requests in the
session at a time (because the only data being freed is an hmap, which
does not allocate any heap memory unless the hmap has more than two
elements).

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

hash: Correct implementation of mhash_finish().

With rotates instead of shifts, the upper and lower 16 bits of the returned
hash are always the same.

I noticed this while working on replacing Jenkins hash by murmurhash,
because some of the database unit tests started failing, e.g. "row
hashing (scalars)".

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

datapath: Return correct error code when dumping flow actions.

Currently, if there isn't enough space to store the actions in a
flow during a dump we return -ENOMEM. However, the standard error
in this situation is -EMSGSIZE so this changes the behavior to match.
This issue was introduced in 354d4c98a8cdaae3525848f564e58a9016bcd3af
(datapath: Fix nelink attribute size for flow.).

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

datapath: Don't dump partial action lists in flows.

After commit 9b405f1aa8d175dc63ad3ffe5d0fe05d5ee09162 (datapath: More
flexible kernel/userspace tunneling attribute.), it was possible for a
flow dump to return a partial action list. It's better to return no
action list at all in this situation since then userspace will know
that it should request the full thing if it wants rather than have
incorrect results. Therefore, this prevents those partial lists in
situations where we have a very large number of actions.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

Revert "datapath: Avoid null deref when GSO is for verifying header integrity only."

This reverts commit 00c7faf3e5b7d4020e995a1429cf94313f197171.

In general, it should not be possible have a NULL return value from
skb_gso_segment() since we're not actually trying to verify the
header integrity.  No other callers with similar needs have NULL
checks.  The actual cause of the problem was LRO packets, which
OVS isn't equipped to handle.  The commit
33e031e99cc630baf1b0cb9256710dee7d9ab66d (datapath: Move LRO check
from transmit to receive.) solves that problem by fixing the LRO
check.  In order to avoid possibly masking any other problems, this
reverts the GSO check which should no longer be needed.

Signed-off-by: Jesse Gross <jesse@nicira.com>

datapath: Move LRO check from transmit to receive.

Commit 24b019f808211a95078efd916064af0975ca5733 (datapath: Disable
LRO from userspace instead of the kernel.) accidentally moved the
check for LRO packets from the receive path to transmit.  Since
this check is supposed to protect OVS (and other parts of the system)
from packets that it cannot handle it is obviously not useful on
egress.  Therefore, this commit moves it back to the receive side.

The primary problem that this caused is upcalls to userspace tried
to segment the packet even though no segmentation information is
available.  This would later cause NULL pointer dereferences when
skb_gso_segment() did nothing.

Bug #14772

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

datapath: Avoid null deref when GSO is for verifying header integrity only.

skb_gso_segment() has the following comment:

*    It may return NULL if the skb requires no segmentation.  This is
*    only possible when GSO is used for verifying header integrity.

Somehow queue_gso_packets() has never hit this case before, but some
failures have suddenly been reported.  This commit should fix the problem.

Additional commentary by Jesse: We shouldn't normally be hitting this case
because we're actually trying to do GSO, not header validation.  However, I
guess the guest/backend must be generating a packet with an MSS, which
tricks us into thinking that it's GSO, but no GSO is actually requested.
In the case of the bridge, header validation does take place so the
situation is handled already.  It seems not ideal that the network backend
doesn't sanitize these packets but it's probably good that we handle
it in any case.

Bug #14772.
Reported-by: Deepesh Govindan <dgovindan@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Fix nelink attribute size for flow.

Following patch fixes flow buffer size calculation to allocate
sufficient memory for all nested attributes in new tunnel
attribute.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Bug #14767

datapath: Fix Flow dump operation.

Following patch adds null check while inserting new netlink attribute.
This was introduced by commit 9b405f1aa8d175d (datapath: More
flexible kernel/userspace tunneling attribute.)

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Bug #14767

datapath: More flexible kernel/userspace tunneling attribute.

Following patch breaks down single ipv4_tunnel netlink attribute into
individual member attributes. It will help when we extend tunneling
parameters in future.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Bug #14611

datapath: support Linux 3.8 kernel

Add Linux 3.8 kernel to the range of supported kernel versions.

Signed-off-by: James Page <james.page@ubuntu.com>
[jesse: Update NEWS and FAQ]
Signed-off-by: Jesse Gross <jesse@nicira.com>
Conflicts:

FAQ

linux/Makefile.main.in, acinclude: preparation for linux 3.7.0+

The version.h is moved from include/linux/version.h to
include/generated/uapi/linux/version.h.
So check both pathes.

Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
Signed-off-by: Jesse Gross <jesse@nicira.com>

worker: Do not use poll_block() in worker_send_iovec().

The following call stack was possible:

    poll_block()
        -> vlog
            -> worker_send_iovec()
                -> poll_block()

which caused corruption because poll_block() is not reentrant.

Bug #14616.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

vlog: Avoid calling worker_request() reentrantly.

The following call stack was possible:

    vlog
        -> worker_request()
            -> poll_block()
                -> vlog
                     -> worker_request()

which caused problems because worker_request() is not reentrant.  In a
little more detail, the second worker_request() shoves its RPC protocol
data into the middle of the first.  This means that, first, you get
some binary crud in the log (the header for the second RPC).  And,
second, text from the first RPC log message gets treated by the worker
as the subsequent RPC's header.  That, in turn, typically causes the
worker to try to xmalloc() a huge number of bytes (0x20000000 or more,
since "space" has ASCII value 0x20), which causes the worker to die
with "virtual memory exhausted".  The main process then dies because
the worker's death closes the socket it uses to communicate with it
("connection reset").

Bug #14616.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

ofproto-dpif-governor: Fix small memory leak.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

ofp-util: Fix uninitialized bytes in OF1.0 and OF1.1 table stats replies.

Also, use ovs_strlcpy() instead of strcpy() just to be a teensy bit safer.

Found by valgrind.

Bug #14357.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

meta-flow: Fix uninitialized data parsing tnl_flags in mf_parse().

Also, add an assertion that the field is the expected size.

This bug was introduced in commit 2fdf762a006f (vswitchd: Log all tunnel
parameters of given flow.)

Found by valgrind.

Bug #14357.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

rconn: Avoid memory leak in rconn_send_with_limit() on queue overflow.

Bug #14357.
Reported-by: Luca Giraudo <lgiraudo@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

Make OVS_TUNNEL_ATTR_DST_IPV4 optional to allow configuration of null_ports.

Signed-off-by: Jarno Rajahalme <jarno.rajahalme@nsn.com>
[jesse: correct return type of get_u32_or_zero()]
Signed-off-by: Jesse Gross <jesse@nicira.com>
Conflicts:

datapath/tunnel.c
include/openvswitch/tunnel.h
lib/netdev-vport.c

datapath: Initialize tunnel_key pad member.

When a packet is received on a tunnel the pad member is currently
left uninitialized.  This didn't previously cause problems because
userspace didn't interprete the IPV4_TUNNEL attribute and blindly
copied back the uninitialized data.  However, now that userspace
knows how to serialize this attribute it was zeroing it out, which
prevented flows that had been previously installed from being
deleted.  In addition to zeroing out the padding on packet reception,
it also does the same thing on flow setup since we should be ignoring
the value.

Reported-by: Anand Krishnamurthy <krishnamurt4@wisc.edu>
Reported-by: Saul St. John <sstjohn@cs.wisc.edu>
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Conflicts:

datapath/flow.c

brcompat: Mark ovs-brcompat as deprecated.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
bug #14341

ovs-ctl: Exit, instead of resuming, after handling fatal signals.

When I wrote the "trap" calls in ovs-ctl, I had the mistaken notion that
"trap $cmd $signal" would execute $cmd and then exit when $signal was
caught. This is incorrect. Instead, it executes $cmd and then resumes
executing the shell script.

On the other hand, "trap $cmd 0" does by itself what I wanted: it causes
the shell to execute $cmd and then exits due to the signal. So this commit
changes the offending traps to use this form.

Bug #14290.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>

datapath: linux2.7 s/pid/portid/g

the following up of 15e473046cb6e5d18a4d0057e61d76315230382b
This patch replaces pid with portid under datapath/linux/compat

Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
Signed-off-by: Jesse Gross <jesse@nicira.com>

datapath: support Linux 3.7

datapath: backport 15e473046cb6e5d18a4d0057e61d76315230382b

Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
[jesse: fix kernel version in error message]
Signed-off-by: Jesse Gross <jesse@nicira.com>

meta-flow: Correctly byteswap skb_priority/skb_mark for mf_value.

Fixes the following sparse warnings:

meta-flow.c:947:21: warning: incorrect type in assignment (different base types)
meta-flow.c:947:21:    expected restricted __be32 [usertype] be32
meta-flow.c:947:21:    got unsigned int const [unsigned] [usertype] skb_priority
meta-flow.c:951:21: warning: incorrect type in assignment (different base types)
meta-flow.c:951:21:    expected restricted __be32 [usertype] be32
meta-flow.c:951:21:    got unsigned int const [unsigned] [usertype] skb_mark

Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: log skb_mark and skb_priority

This patch adds logging support for skb_mark and skb_priority.

Acked-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Conflicts:

lib/ofp-util.c
tests/ofproto-dpif.at

meta-flow: Fix and simplify mf_get_mask().

This function can be implemented as a trivial wrapper around
mf_get_value(), which I hadn't noticed before, so it's better to do it
that way. Also, examining the code that is removed, it had some bugs in
it (for example, all MFF_TUN_* fields were treated as if they were
MFF_TUN_ID) which mf_get_value() does not have, so this fixes bugs too.

Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Zero out key when looking up null ports.

When we are searching for a tunnel port to receive traffic on,
everything should be zeroed out by the time that we get to null
ports since they are wildcarded. However, if certain other ports
also exist (primarily multicast ports with keys) then this might
not be the case and the key can be set.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>

meta-flow: Don't allow negative port numbers.

If a negative number is supplied, the parsing code used to convert it
into a signed one.  We ran into an incident where a third-party script
was attempting to get the OpenFlow port number for an interface, but got
-1 from the database, since the number had not yet been assigned.  This
was converted to 65535, which maps to OFPP_NONE and all flows with
ingress port OFPP_NONE were modified.  This commit disallows negative
port numbers to help prevent broken integration scripts from disturbing
the flow table.

Issue #14036

Signed-off-by: Justin Pettit <jpettit@nicira.com>

ofp-util: Fix typo in invalid port range error message.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

daemon: Start monitor process, not daemon process, in new session.

To keep control+C and other signals in the initiating session from killing
the monitor process, we need to put the monitor process into its own
session. However, until this point, we've only done that for the daemon
processes that the monitor started, which means that control+C would kill
the monitor but not the daemons that it launched.

I don't know of a benefit to putting the monitor and daemon processes in
different sessions, as opposed to one new session for both of them, so
this change does the latter.

daemonize_post_detach() is called from one additional context where we'd
want to be in a new session, the worker_start() function, but that function
is documented as to be called after daemonize_start(), in which case we
will (after this commit) already have called setsid(), so no additional
change is required there.

Bug #14280.
Reported-by: Gordon Good <ggood@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-ctl: Don't run "ovs-save save-flows" on fake bridges.

Previously, ovs-ctl would determine which bridges to run "ovs-save
save-flows" on by running "ovs-vsctl list-br".  In addition to real
bridges, that command also returns fake bridges.  An error is returned
when "ovs-save save-flows" is run on a fake bridge.  By using the newly
added "--real" flag to "ovs-vsctl list-br", we can get rid of that
unnecessary warning.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

ovs-vsctl: Add "--real" and "--fake" options to "list-br".

By default, "ovs-vsctl list-br" returns all bridges, real or fake. This
commit adds "--real" and "--fake" options that limit the output to only
bridges of that type. This will be useful in a future commit that needs
to perform actions only on bridges of a particular type.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

bond: Fix segfault sending learning packets with LACP disabled.

It is essentially an invalid configuration to disable LACP but request TCP
balancing: in this configuration, the bond drops all packets. But
may_send_learning_packets() would still indicate that learning packets
should be sent, so bond_compose_learning_packet() would try to choose an
output slave for those packets, which would be NULL (because all packets
are dropped), which would cause a segfault upon dereference.

This commit fixes the problem by making may_send_learning_packets() no
longer indicate that learning packets should be sent.

I tested this issue by modifying bond_should_send_learning_packets() to
always return true if may_send_learning_packets() returns true, and then
introducing the invalid configuration described above. Without this comit,
ovs-vswitchd segfaults quickly; with this commit, it does not.

Bug #14090.
Reported-by: Kiran Shanbhog <kiran@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Use RCU callback when detaching netdevices.

Currently, each time a device is detached from an OVS datapath
we call synchronize RCU before freeing associated data structures.
However, if a bridge is deleted (which detaches all ports) when
many devices are connected then there can be a long delay. This
switches to use call_rcu() to group the cost together.

Reported-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

flow: use rule priority in match_format() function

The flow_format() function was incorrectly passing skb_priority
to the match_format() function. match_format() function instead
expects rule priority.

This issue was introduced with aa6c9932f2937fa9a2140ec1737668eb9105b0b5
(Change logging format for flows to that accepted by ofproto/trace).

Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Conflicts:

tests/ofp-print.at
tests/ofproto-dpif.at
tests/ofproto.at

python/ovs/stream: Fix Stream.connect() retval for incomplete connection.

If the loop condition in Stream.connect() was false, which is especially
likely for TCP connections, then Stream.connect() would return None,
which violates its documented behavior. This commit fixes the problem.

Reported-by: Isaku Yamahata <yamahata@valinux.co.jp>
Tested-by: Isaku Yamahata <yamahata@valinux.co.jp>
Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: Log all tunnel parameters of given flow.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

datapath: add skb mark matching and set action

This patch adds support for skb mark matching and set action.

Acked-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Conflicts:

datapath/flow.c
lib/dpif-netdev.c
lib/flow.h
lib/odp-util.c
ofproto/ofproto-dpif.c

ovs-appctl: fix help message for ofproto/trace command

The usage message for this command was wrong, because it did not
specify priority as one of its arguments.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>

ovs-ctl.in: increase the limit of fd

We can't create more than 248 bridges with the current limit 5000,
so increase it to 6000 so that at least 256+ bridges could be created.

Cc: Ben Pfaff <blp@nicira.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

odp-utils: Print human readable ipv4-tunnel-key flags.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

odp-utils: Refactor slow_path_reason parse and format functions.

These functions are used in next patch.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

vswitchd: Fix function prototype of packet_set_ipv6()

Follwoing patch fixes sparse error:
lib/packets.c:643:1: error: symbol 'packet_set_ipv6' redeclared
with different type (originally declared at lib/packets.h:493)
- incompatible argument 6 (different base types)

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

datapath: add ipv6 'set' action

This patch adds ipv6 set action functionality. It allows to change
traffic class, flow label, hop-limit, ipv6 source and destination
address fields.

Acked-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>

sparse: Add ip6_rthdr struct to the ip6.h

Acked-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>

ofp-msgs: Accept all versions of OpenFlow "hello" messages.

Since the ofp-msgs code was introduced, only "hello" messages for versions
of OpenFlow actually understood (to some extent) by Open vSwitch could be
decoded correctly. This commit corrects that, by making every version of
OpenFlow immutable messages acceptable.

Signed-off-by: Ben Pfaff <blp@nicira.com>

tunnel: Zero keys if marked as not present.

If a key used to find a port then we mark it as being not present
(previously this was accomplished by setting it to zero). However,
we also still pass the key to userspace which could lead to an
inconsistent state. This also zeros out the key as before in order
to make our reported results consistent.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>

datapath: Allow GRE64 to use flow based tunneling.

There's no reason why GRE64 can't be configured using flow based
tunneling. Since that's the direction we are moving, everything
should support that. Once this special casing is removed, it's
possible to unify the tunnel parameter parsing code since both
GRE and CAPWAP are the same.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>

datapath: Shorten flow tunneling flags.

The names for the flags used by flow based tunneling are pretty long.
This shortens them a little by removing the word FLOW, which is a
distinction that won't be meaningful in the near future.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>

datapath: Don't allow flows installed with only TUN_ID.

Tunnel ports now always include full outer IP information, even if
userspace can't understand it. Since our flows our exact match this
information must also be provided when setting up flows. Since flows
with only OVS_KEY_ATTR_TUN_ID keys don't contain all of this information
they can never be hit and we should just reject them at setup time.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>

datapath: Don't write into IPV4_TUNNEL data when using TUN_ID.

When the IPV4_TUNNEL action is executed, a pointer in the skb is
directly assigned the address of the action, which is protected by
RCU. If a TUN_ID action is later executed it will write into the
action, which is not allowed by RCU. This avoids the problem by
making a copy of the data and writing into the copy.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>

datapath: Include OVS_KEY_ATTR_IPV4_TUNNEL in upstream range.

During development it was preferable to keep OVS_KEY_ATTR_IPV4_TUNNEL
in the non-upstream range of identifiers to avoid conflicts or
compatibility issues as it evolved. However, since the intention is
to get it upstream, it makes sense to move it down now to avoid issues
with compatibility when upgrading.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>

socket-util: Report fd of -1 on error in inet_open_active().

inet_open_active() is documented to report a fd of -1 when an error occurs.
All three of its callers rely on this, by checking only the fd to determine
whether there was an error. This means that if the call to
set_nonblocking() or set_dscp() or connect() failed, then the callers would
try to use a fd that had already been closed, wreaking havoc.

This fixes a bug introduced in commit a4efa3fc5d (socket-util: Close socket
on failed dscp modification.)

Bug #13750.
Reported-by: Scott Hendricks <shendricks@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

netdev-vport: Fix warning due to new GRE type.

This patch fixes the following warning caused by a switch case
which was not handled.

lib/netdev-vport.c:144:5: error: enumeration value
‘OVS_VPORT_TYPE_FT_GRE’ not handled in switch

Signed-off-by: Ethan Jackson <ethan@nicira.com>

datapath: Add missing bug.h file

Commit 51f4701be1 (datapath: Fix sparse warning for symbol
'BUILD_BUG_ON_NOT_POWER_OF_2') missed file bug.h. Commiting it now.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

datapath: improve ipv6_find_hdr() function for IPv6 'set' action

This patch prepares ipv6_find_hdr() function so that it could be
able to skip routing headers, where segements_left is 0. This is
required for us to handle multiple routing header case correctly.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>

datapath: Add ipv6_find_hdr() compatibility function.

Implementation of the IPv6 'set' action depends on ipv6_find_exthdr()
function to find routing header. By looking at the routing headers,
it is possible to tell, whether L4 checksums will need to be
recalculated, whenever the destination address is changed in
the main IPv6 header.

This function will need to be customized so that it would skip all
routing headers, where segements_left is equal to 0.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>

datapath: Remove flow refcount functionality.

Header caching previously required the ability to maintain the lifetime
of flows across RCU boundaries. However, now that header caching is
gone we can simplfy the code and make it match the upstream version.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>

datapath: Add support for 3.6 kernel.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Remove tunnel header caching.

Tunnel caching was added to reduce CPU utilization on TX path
by caching packet header, So performance gain is directly proportional
to number of skbs transferred.  But with help of offloads skb are getting
larger. So there are less number of skbs.  Therefore header caching does
not shows similar gains we seen in past.  And now kernel 3.6 has removed
dst caching from networking which makes header caching even more tricky.
So this commit removes header caching from OVS tunnelling.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Fix sparse warning for symbol 'BUILD_BUG_ON_NOT_POWER_OF_2'

BUILD_BUG_ON_NOT_POWER_OF_2 symbol is moved from kernel.h to
bug.h in 3.4. Therefore sparse is giving warning:

include/linux/bug.h:15:9: warning: preprocessor token
BUILD_BUG_ON_NOT_POWER_OF_2 redefined
ovs/datapath/linux/compat/include/linux/kernel.h:44:9:
this was the original definition

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

netdev: Deprecate CAPWAP support.

The CAPWAP implementation is just the encapsulation format and
therefore really not the full protocol.  While there were some
uses of it (primarily hardware support and UDP transport).  But
these are most likely better provided by VXLAN.  As a result,
CAPWAP will be removed no earlier than February 2013.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

datapath: enable encap for capwap.

kernel 3.5 added a switch to turn on UDP encap, capwap needs
to enable it.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Add Upstream id for GRE type.

Once GRE is upstream it will have new type to have continuous sequence
of ids for vport type. Following patch adds this ID to have
compatibility with it.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

Process RARP packets with ethertype 0x8035 similar to ARP packets.

With this commit, OVS will match the data in the RARP packets having
ethertype 0x8035, in the same way as the data in the ARP packets.

Signed-off-by: Mehak Mahajan <mmahajan@nicira.com>

odp: Enable parsing ipv4_tunnel key.

We can format ipv4_tunnel keys from the kernel but can't currently
parse them. Userspace doesn't know how to do anything with this
information but this support enables utilities like ovs-dpctl and
ovs-appctl ofproto/trace to show useful information.

Bug #13785

Signed-off-by: Jesse Gross <jesse@nicira.com>

Makefile: Allow "make modules_install" to work from top-level directory.

INSTALL recommends running "make modules_install" but it didn't mention
that this has to be done from datapath/linux. This commit makes this work
from the top-level build directory.

(Another solution would be to update INSTALL, but this approach seems a
little easier for the user.)

Signed-off-by: Ben Pfaff <blp@nicira.com>

netdev-vport: Warn users that pmtud is deprecated

This is a complementary patch to the other one I sent out previously.
The purpose of it is to make it more obvious that tunnel pmtud is
deprecated and will be removed soon.

Requested-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>

netdev-vport: Disable Path MTU Discovery by default

In near future we will switch to the flow-based tunneling and drop path
MTU discovery support. This patch prepares for that by changing the default
PMTUD value from 'enabled' to 'disabled'.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>

Prepare for 1.9.0.

Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Fix zero key tunnels.

Datapath tunneling check for flag OVS_FLOW_TNL_F_KEY is failing,
causing it to drop packet. This only happens on tunnels with
zero key as vswitchd does not generate set-tunnel action. Set
tunnel action sets this flags for given action. To fix this issue
the check is dropped.

Bug #13666

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>
Acked-by: Jesse Gross <jesse@nicira.com>

Allow processing of RARP packets.

With this commit, the datapath will process the ARP header for
RARP packets. It also fixes a bug whereby if the ARP opcode is
something other than ARP request or reply, the key_len is not
adjusted to include ARP info.

Signed-off-by: Mehak Mahajan <mmahajan@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

ovs-ctl.in: Ability to save flows and kernel datapath config.

Add a new command - "restart" to ovs-ctl. Calling this command
will save and restore the Openflow flows on each bridge while
stopping and starting the userspace daemons respectively.

Also, during a force-reload-kmod, save the flows and kernel datapath
configuration. Use the saved datapath configuration while readding
the kernel module and the flows while starting the userspace daemons.

Feature #13555.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>

Update INSTALL.Fedora to mention Fedora 17 instead of Fedora 15

Reflect the fact Fedora RPM support was recently implemented
on Fedora 17 instead of Fedora 15.

Signed-off-by: Kyle Mestery <kmestery@cisco.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

lib: Accomodate FreeBSD return value for ssl connection.

On FreeBSD I see ECONNRESET being returned from check_connection_completion
in ssl_connect. This happens before entering the SSL states, which return
EPROTO on failure.

Signed-off-by: Ed Maste <emaste@adaranet.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ARP packets must have print arp_tpa/arp_spa instead of nw_dst/nw_src.

With a previous commit 953cc1888321346e6c4175fbc0a3f66d34913ea3, the
ovs logs were re-formatted such that they can be input into the
ofproto/trace. For ARP packets, ofproto/trace expects arp_tpa/arp_spa
instead of nw_dst/nw_src.

Signed-off-by: Mehak Mahajan <mmahajan@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

Do not print ICMP fields for non IP packets.

The packet's nw_proto field overlaps with the ARP opcode field.  The
nw_proto for ICMP packets is 1.  Hence when the packet is an ARP
request (opcode 1), we erroneously print the ICMP code and ICMP type
for ARP frames as well.  With this commit, the ICMP code and ICMP
type will be printed only if the packet is an IP packet and the
nw_proto is ICMP.

Signed-off-by: Mehak Mahajan <mmahajan@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

Change logging format for flows to that accepted by ofproto/trace.

flow_format() logs packets contents.  However, the format used is not
the format accepted by ofproto/trace.  Hence it becomes difficult to
trace the packets using the debugs printed.  With this commit, the
logging of the packet contents is done in a format that is accepted
by ofproto/trace.  This will make debugging easier.

Signed-off-by: Mehak Mahajan <mmahajan@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>

ovs-pki: Unique subject DNs for certificate requests.

Some applications expect subject DNs to be unique.

Bug #13609.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>

timeval: Simplify poll interval logging.

log_poll_interval() is a little bit too aggressive, and is
therefore less useful than it could be. This patch removes the
mean interval calculation, and simply logs if the poll loop took
longer than 1 second instead.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ovs-vsctl: Do not accept any arguments to "del-manager" command.

It doesn't use them and never has.

Found when I accidentally typed this command with some arguments and it
worked, surprising me.

Signed-off-by: Ben Pfaff <blp@nicira.com>