| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a slow path action is a controller action, meter it when the
controller meter is configured. For other kinds of slow path actions,
meter it when the slowpath meter is configured.
Note, this patch only considers the meters configuration of the
packet's input bridge, which may not be the same bridge that the
action is generated.
Signed-off-by: Andy Zhou <azhou@ovn.org>
Acked-by: Jarno Rajahalme <jarno@ovn.org>
|
|
|
|
|
|
|
|
| |
When slowpath meter is configured, add meter action when translate
sample action.
Signed-off-by: Andy Zhou <azhou@ovn.org>
Acked-by: Jarno Rajahalme <jarno@ovn.org>
|
|
|
|
|
|
|
|
| |
Normally ICMP responses are in the reply direction of a conntrack
entry. This test exercises an ICMP response to the original direction
of the conntrack entry.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support of OFPR_PACKET_OUT as the packet-in reason.
This packet-in reason is a required feature for OF1.4+, and it indicates
that the associated packet-in message to the controller is triggered when
the switch is processing a packet-out message. This reason code is enabled
by default when OF1.4+ is used.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Starting from OpenFlow 1.4+, OFPR_ACTION is split into four more descriptive
reasons, OFPR_APPLY_ACTION, OFPR_ACTION_SET, OFPR_GROUP, and OFPR_PACKET_OUT.
OVS maintains the new reason code internally, and it currently supports the
first three reason code. If the version of an established OpenFlow connection
is less than 1.4, OVS converts the internal reason code back to OFPR_ACTION to
be backward compatible. However, the internal packet-in reason code mask is
not properly maintained for the older OpenFlow version that may emit the
packet-in messages wth the new reason code. It is because OVS does not enable
the new reason code internally in the reason code mask for older OpenFlow
version. This commit tries to address the aforementioned issue.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
| |
Fix memory leaks reported by valgrind.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Open vSwitch datapath recirculates packets for tunneling, i.e. the
incoming packets are encapsulated at first pass. Further actions are
applied on encapsulated packets on the second pass after
recirculating. The proposed patch compute and append the post tunnel
actions at the time of translation itself instead of recirculating at
datapath. These actions are solely depends on tunnel attributes so
there is no need of datapath recirculation. By avoiding the
recirculation at datapath, the patch offers up to 30% performance
improvement for VXLAN tunneling in our testing. The action execution
logic is using the new CLONE action to define the packet cloning when
the actions are combined. The length in the CLONE action specifies
the size of nested action set.
It also fixing the testsuite failures that are introduced by nested
CLONE action in tunneling.
Signed-off-by: Sugesh Chandran <sugesh.chandran@intel.com>
Signed-off-by: Zoltán Balogh <zoltan.balogh@ericsson.com>
Co-authored-by: Zoltán Balogh <zoltan.balogh@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
| |
On Google cloud, a VM gets a /32 IP address. When OVN
is deployed on such VMs, the OVN gateway router's IP
address becomes a /32 IP address. This commit allows
such a configuration.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The idea is to use OFPPS_LIVE bit to propagate link aliveness state
towards the controller also when sending port status. The
ofport->may_enable flag could be used for this purpose, thus any
change in LIVE bit is propagated towards conrtoller in
OFPT_PORT_STATUS message. OFPPS_LIVE bit is set only when links is
not down not administratively, neither operationally as recommended
in OF papers. I added 9 new unit tests to verify link state changes
when monitored with cfm, bfd or lacp for OF 1.3, OF 1.4 and OF 1.5.
I updated related unit tests according to the changes of
ofproto-dpif.
Signed-off-by: László Sürü <laszlo.suru at ericsson.com>
Co-authored-by: Zoltán Balogh <zoltan.balogh at ericsson.com>
Signed-off-by: Zoltán Balogh <zoltan.balogh at ericsson.com>
Co-authored-by: Jan Scheurich <jan.scheurich at ericsson.com>
Signed-off-by: Jan Scheurich <jan.scheurich at ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 21b2fa617126 ("ofp-parse: Allow match field names in actions
and brackets in matches.") added support for matching a consecutive
set of bits with the [x..y]=z format, but the copying of the parsed
value ('z') to the match was done from a wrong offset, so that the
actual value matched would be incorrect.
Fix this and add a test case preventing regression in future.
Fixes: 21b2fa617126 ("ofp-parse: Allow match field names in actions and brackets in matches.")
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
| |
OVN will generate the IPv6 address for a logical port if requested
using the IPv6 prefix and the MAC address (as IEEE EUI64 identifier).
To generate the IPv6 address, CMS should define the IPv6 prefix in the
'Logical_switch.other_config:ipv6_prefix' column.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Co-authored-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the CMS wants to make use of ovn ipam it can now provide a
list of IPv4 addresses and a range of IPv4 addresses which
will be excluded from the dynamic address assignment.
To support this, a new option 'exclude_ips' is added in the
Logical_switch.other_config column.
Eg. ovn-nbctl set Logical_switch sw0
other_config:exclude_ips="10.0.0.2 10.0.0.30..10.0.0.40"
The present code, uses hash maps to store the assigned IP addresses.
In order to support this option, this patch has refactored the IPAM
assignment. It now uses a bitmap to manage the IP assignment with
each bit in the bitmap representing an IPv4 address.
This patch also clears the 'Logical_switch_port.dynamic_addresses'
if the CMS has cleared 'dynamic' address assignment request.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
| |
This test clearly demonstrates the bit order of labels in the OpenFlow
wire format.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Older kernels have variable sized labels, and the struct itself
contains only the length, so we must memcpy the bits explicitly.
The modified system test fails on older kernels without this change.
VMware-BZ: #1841876
Fixes: 09aa98ad496d ("datapath: Inherit master's labels.")
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Andy Zhou <azhou@ovn.org>
|
|
|
|
|
|
|
|
|
| |
OpenFlow 1.6 adds support for EUI-64 addresses for ports, and extends
the maximum length of OpenFlow port names from 16 to 64 bytes.
ONF-JIRA: EXT-566
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Andy Zhou <azhou@ovn.org>
|
|
|
|
|
|
|
|
|
|
| |
Currently, the mirror code doesn't check new value of snaplen when try
to reconfigure snaplen.
This patch fix this issue and add testings to reconfigure snaplen.
Signed-off-by: Zhenyu Gao <sysugaozhenyu@gmail.com>
Acked-by: William Tu <u9012063@gmail.com>
Signed-off-by: Andy Zhou <azhou@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends gratuitous ARP support for NAT addresses so that it
applies to distributed NAT rules on a distributed logical router.
Distributed NAT rules have type "dnat_and_snat" and specify
'external_mac' and 'logical_port'.
Gratuitous ARP packets for distributed NAT rules are only generated on
the chassis where the 'logical_port' specified in the NAT rule resides.
Gratuitous ARPs are issued for the 'external_ip' address, resolving to
the 'external_mac'.
Since the MAC address varies for each distributed NAT rule, a separate
'nat_addresses' string must be generated for each distributed NAT rule.
For this reason, in the southbound 'Port_Binding',
'options:nat-addresses' is replaced by a 'nat_addresses' column that
can have an unlimited number of instances. In order to allow for
upgrades, pinctrl in the ovn-controller can work off either the
'nat_addresses' column (if present), or 'options:nat-addresses'
otherwise.
Signed-off-by: Mickey Spiegel <mickeys.dev@gmail.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends gratuitous ARP support for NAT addresses so that it
applies to centralized NAT rules on a distributed router, in addition to
the existing gratuitous ARP support for NAT addresses on gateway routers.
Centralized NAT rules have type other than "dnat_and_snat", or have type
"dnat_and_snat" but do not specify external_mac or logical_port. These
NAT rules apply on the redirect-chassis.
Gratuitous ARP packets for centralized NAT rules on a distributed router
are only generated on the redirect-chassis. This is achieved by extending
the syntax for "options:nat-addresses" in the southbound database,
allowing the condition 'is_chassis_resident("LPORT_NAME")' to be appended
after the MAC and IP addresses. This condition is automatically inserted
by ovn-northd when the northbound "options:nat-addresses" is set to
"router" and the peer is a distributed gateway port.
A separate patch will be required to support gratuitous ARP for
distributed NAT rules that specify logical_port and external_mac. Since
the MAC address differs and the logical port often resides on a different
chassis from the redirect-chassis, these addresses cannot be included in
the same "nat-addresses" string as for centralized NAT rules.
Signed-off-by: Mickey Spiegel <mickeys.dev@gmail.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
| |
In two of the Gratuitous ARP tests, "options:router-port"
is not set correctly. This does not currently affect
validity of the tests since the next line resets
"options:router-port" to the correct value.
Reported-by: Guruchuran Shetty <guru@ovn.org>
Signed-off-by: Mickey Spiegel <mickeys.dev@gmail.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
|
|
|
|
|
|
|
| |
Test case for dot1q-tunnel between two "customer" bridges.
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
| |
Two test cases to push and pop an outer tag between two "customer"
bridges. One to push/pop 0x88a8. One to push/pop a second 0x8100.
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
| |
Verify that vlan_limit works as expected and preserves legacy dl_type
matching behavior.
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
| |
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
| |
Add macro OVS_CHECK_8021AD().
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The difference between machines may cause the test to fail.
More importantly, when topology is changed or the root brdige
receives the TCN BPDU, the root bridge will start the topology
change timer. We should wait the topology change timer to stop
after 35s (max age 20 + forward delay 15). After 35s, the root
bridge will stop send CONF BPDU with STP_CONFIG_TOPOLOGY_CHANGE
flag and the topology will be stable. During this time, we should
make time warp (in a second) because the hold timer of stp ports
will stop after 1s. Then the root bridge can send quickly topology
change ack (other bridges may send TCN BPDU to root bridge) for
avoiding root brdige to flush fdb and mdb frequently.
This patch has been tested on centos 7.2 (kernel 3.10.0, python
2.7.5 and gcc 4.8.5), ubuntu 16.04 (kernel 4.4.0, python 3.5.2
and gcc 5.4.0) and ubuntu 16.04 (kernel 4.10.4, python 3.5.2 and
gcc 5.4.0). This patch has been tested for 3 hours. This patch
may make the stp tests more stable.
[Committer notes]
Folded time/warp execution into a for loop.
Fixes: 427e9751f300 ("tests: Add and improve stp tests.")
Reported-at: http://paste.ubuntu.com/24215426
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/330032.html
Signed-off-by: nickcooper-zhangtonghao <nic@opencloud.tech>
Acked-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
| |
POSIX does not specify WAIT_ANY and at least MUSL libc does not define it.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Various printf() format specifiers in the tree had minor technical issues
which the Mac OS build reported, e.g. here:
https://s3.amazonaws.com/archive.travis-ci.org/jobs/208718342/log.txt
These tend to fall into two categories of harmless warnings:
1. Wrong width for types that are all promoted to 'int'. For example,
both uint8_t and uint16_t are both promoted to 'int' as part of a call
to printf(), but using PRIu8 for a uint16_t causes a warning.
2. Wrong format specifier for type promoted to 'int' due to arithmetic.
For example, if 'x' is a uint8_t, then x >> 1 has type 'int' due to
C's promotion rules, so the correct format specifier is %d and using
PRIu8 will cause a warning.
This commit fixes the warnings. I didn't see anything that rose to the
level of a bug.
These warnings only showed up on Mac OS X because of differences in the
format specifiers that Mac OS uses for PRI*.
Reported-by: Shu Shen <shu.shen@gmail.com>
Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
| |
This patch makes the stp tests more stable and
adds the test for fdb/mdb flushing when topology
is changed.
Signed-off-by: nickcooper-zhangtonghao <nic@opencloud.tech>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Example:
ovs-vsctl set Port p1 vlan_mode=dot1q-tunnel tag=100
Pushes another VLAN 100 header on packets (tagged and untagged) on
ingress, and pops it on egress.
- Customer VLAN check:
ovs-vsctl set Port p1 vlan_mode=dot1q-tunnel tag=100 cvlans=10,20
Only customer VLAN of 10 and 20 are allowed.
Co-authored-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Flow key handling changes:
- Add VLAN header array in struct flow, to record multiple 802.1q VLAN
headers.
- Add dpif multi-VLAN capability probing. If datapath supports
multi-VLAN, increase the maximum depth of nested OVS_KEY_ATTR_ENCAP.
Refactor VLAN handling in dpif-xlate:
- Introduce 'xvlan' to track VLAN stack during flow processing.
- Input and output VLAN translation according to the xbundle type.
Push VLAN action support:
- Allow ethertype 0x88a8 in VLAN headers and push_vlan action.
- Support push_vlan on dot1q packets.
Use other_config:vlan-limit in table Open_vSwitch to limit maximum VLANs
that can be matched. This allows us to preserve backwards compatibility.
Add test cases for VLAN depth limit, Multi-VLAN actions and QinQ VLAN
handling
Co-authored-by: Thomas F Herbert <thomasfherbert@gmail.com>
Signed-off-by: Thomas F Herbert <thomasfherbert@gmail.com>
Co-authored-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a new feature to the learn actions: the possibility to
limit the number of learned flows.
To be compatible with users of the old learn action, a new structure is
introduced as well as a new OpenFlow raw action number.
There's a small corner case when we have to delete the ukey. This
happens when:
* The learned rule has expired (or has been deleted).
* The ukey that learned the rule is still in the datapath.
* No packets hit the datapath flow recently.
In this case we cannot relearn the rule (because there are no new
packets), and the actions might depend on the learn execution, so the
only option is to delete the ukey. I don't think this has big
performance implications since it's done only for ukey with no traffic.
We could also slowpath it, but that will cause an action upcall and the
correct datapath actions will be installed later by a revalidator. If
we delete the ukey, the next upcall will be a miss upcall and that will
immediatedly install the correct datapath flow.
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, a controller may potentially trigger a segmentation fault if it
accidentally removes a TLV mapping that is still used by an active flow.
To resolve this issue, in this patch, we maintain reference counting for each
dynamically allocated variable length mf_fields, so that vswitchd can use this
information to properly remove a TLV mapping, and to return an error if the
controller tries to remove a TLV mapping that is still used by any active flow.
To keep track of the usage of tun_metadata for each flow, two 'uint64_t'
bitmaps are introduce for the flow match and flow action respectively. We use
'uint64_t' as a bitmap since the 64 geneve TLV tunnel metadata are the only
available variable length mf_fields for now. We shall adopt general bitmap when
more variable length mf_fields are introduced. The bitmaps are configured
during the flow decoding process, and vswitchd use these bitmaps to increase or
decrease the ref counting when the flow is created or deleted.
VMWare-BZ: #1768370
Fixes: 04f48a68c428 ("ofp-actions: Fix variable length meta-flow OXMs.")
Suggested-by: Jarno Rajahalme <jarno@ovn.org>
Suggested-by: Joe Stringer <joe@ovn.org>
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
|
|
| |
vl_mff_map is introduced in commit 04f48a68c428 ("ofp-actions: Fix variable
length meta-flow OXMs") to account variable length mf_field, and it is used
to decode variable length mf_field in ofp_action. In this patch, vl_mff_map
is further used to decode the variable length match field as well.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
On slow systems(or which start processes slow) the test:
`testing mcast - delete the port mdb when port destroyed`
is influenced by the running time.
i.e.: http://64.119.130.115/ovs/911b7e9b08b9f4f890eeecd228d5124f4ce94d4e/testsuite.dir/2326/testsuite.log.gz
This patches adds a time stop on vswitchd.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
| |
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Interworking of BFD and RSTP does not work, as currently BFD messages
are dropped if RSTP port is not in forwarding mode. To correct this
problem, an extra check is added to allow BFD messages to be sent even
when rstp_forward_state is false.
[Committer notes]
Shifted logic checks out into a separate else if {} condition, extended
to CFM and added CFM test case.
Signed-off-by: Mika Vaisanen <mika.vaisanen@gmail.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Jarno Rajahalme <jarno@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Expose existing netdev stats via sFlow.
Export sFlow ETHERNET structure with available counters.
Map existing stats to counters in the GENERIC INTERFACE
sFlow structure.
Adjust unit test to accommodate these new counters.
Signed-off-by: Robert Wojciechowicz <robertx.wojciechowicz@intel.com>
Acked-by: Neil McKee <neil.mckee@inmon.com>
Acked-by: Ian Stokes <ian.stokes@intel.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
| |
https://review.openstack.org/#/c/432906/
flake8-import-order adds 3 new flake8 warnings:
I100: Your import statements are in the wrong order.
I101: The names in your from import are in the wrong order.
I201: Missing newline between sections or imports.
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
| |
If FTP tests with conntrack fail, it is informative to know if the
problem is with the FTP client and/or server, or with conntrack
itself.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
| |
Userspace support for force commit.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
|
|
| |
Add resubmit option to use the conntrack original direction tuple
swapped with the corresponding packet header fields during the lookup.
This could allow the same ACL table be used for admitting return
and/or related traffic as is used for admitting the original direction
traffic.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
| |
Userspace support for datapath original direction conntrack tuple.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
| |
'ct_state' currently only needs 8 bits, so we can make room for a new
CT field introduced in the next patch.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream commit:
commit 9ff464db50e437eef131f719cc2e9902eea9c607
Author: Jarno Rajahalme <jarno@ovn.org>
Date: Thu Feb 9 11:21:53 2017 -0800
openvswitch: Use inverted tuple in ovs_ct_find_existing() if NATted.
The conntrack lookup for existing connections fails to invert the
packet 5-tuple for NATted packets, and therefore fails to find the
existing conntrack entry. Conntrack only stores 5-tuples for incoming
packets, and there are various situations where a lookup on a packet
that has already been transformed by NAT needs to be made. Looking up
an existing conntrack entry upon executing packet received from the
userspace is one of them.
This patch fixes ovs_ct_find_existing() to invert the packet 5-tuple
for the conntrack lookup whenever the packet has already been
transformed by conntrack from its input form as evidenced by one of
the NAT flags being set in the conntrack state metadata.
Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch also adds a test case to OVS system tests to verify the
behavior.
The following is a more thorough explanation of what is going on:
When we have evidence that an existing conntrack entry could exist, we
must invert the tuple if NAT has already been applied, as the current
packet headers do not match any tuple stored in conntrack. For
example, if a packet from private address X to a public address B is
source-NATted to A, the conntrack entry will have the following tuples
(ignoring the protocol and port numbers) after the conntrack entry is
committed:
Original direction tuple: (X,B)
Reply direction tuple: (B,A)
Now, if a reply packet is already transformed back to the private
address space (e.g., with a CT(nat) action), the tuple corresponding
to the current packet headers is:
Current packet tuple: (B,X)
This does not match either of the conntrack tuples above. Normally
this does not matter, as the conntrack lookup was already done using
the tuple (B,A), but if the current packet does not match any flow in
the OVS datapath, the packet is sent to userspace via an upcall,
during which the packet's skb is freed, and the conntrack entry
pointer in the skb is lost. When the packet is reintroduced to the
datapath, any further conntrack action will need to perform a new
conntrack lookup to find the entry again. Prior to this patch this
second lookup failed. The datapath flow setup corresponding to the
upcall can succeed, however, allowing all further packets in the reply
direction to re-use the conntrack entry pointer in the skb, so
typically the lookup failure only causes a packet drop.
The solution is to invert the tuple derived from the current packet
headers in case the conntrack state stored in the packet metadata
indicates that the packet has been transformed by NAT:
Inverted tuple: (X,B)
With this the conntrack entry can be found, matching the original
direction tuple.
This same logic also works for the original direction packets:
Current packet tuple (after reverse NAT): (A,B)
Inverted tuple: (B,A)
While the current packet tuple (A,B) does not match either of the
conntrack tuples, the inverted one (B,A) does match the reply
direction tuple.
Since the inverted tuple matches the reverse direction tuple the
direction of the packet must be reversed as well.
Fixes: c5f6c06b58d6 ("datapath: Interface with NAT.")
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using set_field for nw_ecn with OF1.0 or OF1.1, you get an error
instead of a proper translation. This use to work before 4b684612d900
("ofp-actions: Translate mod_nw_ecn action to OF1.1 properly.") because
it would fallback to using NXM.
e.g.
[root@rhel7 ~]# ovs-ofctl -O OpenFlow10 add-flow br0 'ip actions=set_field:2->nw_ecn'
OFPT_ERROR (xid=0x4): OFPBAC_BAD_ARGUMENT
NXT_FLOW_MOD (xid=0x4):
...
$ ovs-ofctl -O OpenFlow11 add-flow br0 'ip actions=set_field:2->nw_ecn'
ovs-ofctl: none of the usable flow formats (NXM,OXM) is among the
allowed flow formats (OpenFlow11)
Fixes: 4b684612d900 ("ofp-actions: Translate mod_nw_ecn action to OF1.1 properly.")
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Meters may be used by any flow, so some kind of locking must be used.
In this version we have an adaptive mutex for each meter, which may
not be optimal for DPDK. However, this should serve as a basis for
further improvement.
A batch of packets is first tried as a whole, and only if some of the
meter bands are hit, we need to process the packets individually.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Signed-off-by: Andy Zhou <azhou@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently in OVN, the "nat-addresses" in the "options" column of a
logical switch port of type "router" must be specified manually.
Typically the user would specify as "nat-addresses" all of the NAT
external IP addresses and load balancer IP addresses that have
already been specified separately on the router.
This patch allows the logical switch port's "nat-addresses" to be
specified as the string "router". When ovn-northd sees this string,
it automatically copies the following into the southbound
Port_Binding's "nat-addresses" in the "options" column:
The options:router-port's MAC address.
Each NAT external IP address (of any NAT type) specified on the
logical router of options:router-port.
Each load balancer IP address specified on the logical router of
options:router-port.
This will cause the controller where the gateway router resides to
issue gratuitous ARPs for each NAT external IP address and for each
load balancer IP address specified on the gateway router.
Signed-off-by: Mickey Spiegel <mickeys.dev@gmail.com>
Acked-by: Gurucharan Shetty <guru@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When datapath does not support the 'clone' action directly, generate
sample action (with 100% probability) instead.
Specifically, currently, there is no plan to support the 'clone'
action on the Linux kernel datapath directly, so the sample action
will be used to translate the openflow clone action for this datapath.
Signed-off-by: Andy Zhou <azhou@ovn.org>
Acked-by: Jarno Rajahalme <jarno@ovn.org>
|
|
|
|
|
| |
Signed-off-by: nickcooper-zhangtonghao <nic@opencloud.tech>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
|
|
|
| |
Signed-off-by: nickcooper-zhangtonghao <nic@opencloud.tech>
Signed-off-by: Andy Zhou <azhou@ovn.org>
|