Re: [ovs-dev] [PATCH 2/2] ovn-nbctl: Clarify error messages in qos-add command.

2018-07-09 Thread Justin Pettit
Thanks for the review.  I pushed these to master (and fixed a test failure that 
the original versions introduced.)

--Justin


> On Jul 9, 2018, at 2:39 PM, Yifeng Sun  wrote:
> 
> Looks good to me, thanks.
> 
> Reviewed-by: Yifeng Sun 
> 
> On Sat, Jul 7, 2018 at 2:11 PM, Justin Pettit  wrote:
> Signed-off-by: Justin Pettit 
> ---
>  ovn/utilities/ovn-nbctl.c | 13 +++--
>  1 file changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
> index fbdb5a4d9ae9..5638b0a197e0 100644
> --- a/ovn/utilities/ovn-nbctl.c
> +++ b/ovn/utilities/ovn-nbctl.c
> @@ -1761,14 +1761,15 @@ nbctl_qos_add(struct ctl_context *ctx)
>  if (!strncmp(ctx->argv[i], "dscp=", 5)) {
>  if (!ovs_scan(ctx->argv[i] + 5, "%"SCNd64, )
>  || dscp < 0 || dscp > 63) {
> -ctl_fatal("%s: dscp must in range 0...63.", ctx->argv[i] + 
> 5);
> +ctl_fatal("%s: dscp must be in the range 0...63",
> +  ctx->argv[i] + 5);
>  return;
>  }
>  }
>  else if (!strncmp(ctx->argv[i], "rate=", 5)) {
>  if (!ovs_scan(ctx->argv[i] + 5, "%"SCNd64, )
>  || rate < 1 || rate > UINT32_MAX) {
> -ctl_fatal("%s: rate must in range 1...4294967295.",
> +ctl_fatal("%s: rate must be in the range 1...4294967295.",
>ctx->argv[i] + 5);
>  return;
>  }
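Review bot: The trailing period is inconsistent within this hunk: the new dscp string ends without one ("dscp must be in the range 0...63") while the new rate string keeps it ("...1...4294967295."). Pick one form for every ctl_fatal() message in nbctl_qos_add() so that tests matching on the text only need to follow one convention.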
> @@ -1776,20 +1777,20 @@ nbctl_qos_add(struct ctl_context *ctx)
>  else if (!strncmp(ctx->argv[i], "burst=", 6)) {
>  if (!ovs_scan(ctx->argv[i] + 6, "%"SCNd64, )
>  || burst < 1 || burst > UINT32_MAX) {
> -ctl_fatal("%s: burst must in range 1...4294967295.",
> +ctl_fatal("%s: burst must be in the range 1...4294967295.",
>ctx->argv[i] + 6);
>  return;
>  }
>  } else {
> -ctl_fatal("%s: must be start of \"dscp=\", \"rate=\", 
> \"burst=\".",
> -  ctx->argv[i]);
> +ctl_fatal("%s: supported arguments are \"dscp=\", \"rate=\", "
> +  "and \"burst=\"", ctx->argv[i]);
>  return;
>  }
>  }
> 
>  /* Validate rate and dscp. */
>  if (-1 == dscp && !rate) {
> -ctl_fatal("One of the rate or dscp must be configured.");
> +ctl_fatal("Either \"rate\" and/or \"dscp\" must be specified");
>  return;
>  }
>  
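Review bot: The last message, "Either \"rate\" and/or \"dscp\" must be specified", combines "either" with "and/or", which reads ambiguously; "At least one of \"rate\" or \"dscp\" must be specified" says the same thing directly. The burst message earlier in this hunk also still ends with a period while the two messages after it do not.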
> -- 
> 2.17.1
> 
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> 



Re: [ovs-dev] [PATCH v4] dpif-netdev: Avoid reordering of packets in a batch with same megaflow

2018-07-09 Thread Shahaf Shuler
Tuesday, July 10, 2018 12:14 AM, Vishal Deep Ajmera:
> Subject: [ovs-dev] [PATCH v4] dpif-netdev: Avoid reordering of packets in a
> batch with same megaflow
> 
> OVS reads packets in batches from a given port and packets in the batch are
> subjected to potentially 3 levels of lookups to identify the datapath
> megaflow entry (or flow) associated with the packet.
> Each megaflow entry has a dedicated buffer in which packets that match the
> flow classification criteria are collected. This buffer helps OVS perform 
> batch
> processing for all packets associated with a given flow.
> 
> Each packet in the received batch is first subjected to lookup in the Exact
> Match Cache (EMC). Each EMC entry will point to a flow. If the EMC lookup is
> successful, the packet is moved from the rx batch to the per-flow buffer.
> 
> Packets that did not match any EMC entry are rearranged in the rx batch at
> the beginning and are now subjected to a lookup in the megaflow cache.
> Packets that match a megaflow cache entry are *appended* to the per-flow
> buffer.
> 
> Packets that do not match any megaflow entry are subjected to slow-path
> processing through the upcall mechanism. This cannot change the order of
> packets as by definition upcall processing is only done for packets without
> matching megaflow entry.
> 
> The EMC entry match fields encompass all potentially significant header
> fields, typically more than specified in the associated flow's match criteria.
> Hence, multiple EMC entries can point to the same flow. Given that per-flow
> batching happens at each lookup stage, packets belonging to the same
> megaflow can get re-ordered because some packets match EMC entries
> while others do not.
> 
> The following example can illustrate the issue better. Consider following
> batch of packets (labelled P1 to P8) associated with a single TCP connection
> and associated with a single flow. Let us assume that packets with just the
> ACK bit set in TCP flags have been received in a prior batch also and a
> corresponding EMC entry exists.
> 
> 1. P1 (TCP Flag: ACK)
> 2. P2 (TCP Flag: ACK)
> 3. P3 (TCP Flag: ACK)
> 4. P4 (TCP Flag: ACK, PSH)
> 5. P5 (TCP Flag: ACK)
> 6. P6 (TCP Flag: ACK)
> 7. P7 (TCP Flag: ACK)
> 8. P8 (TCP Flag: ACK)
> 
> The megaflow classification criteria does not include TCP flags while the EMC
> match criteria does. Thus, all packets other than P4 match the existing EMC
> entry and are moved to the per-flow packet batch.
> Subsequently, packet P4 is moved to the same per-flow packet batch as a
> result of the megaflow lookup. Though the packets have all been correctly
> classified as being associated with the same flow, the packet order has not
> been preserved because of the per-flow batching performed during the EMC
> lookup stage. This packet re-ordering has performance implications for TCP
> applications.
> 
> This patch preserves the packet ordering by performing the per-flow
> batching after both the EMC and megaflow lookups are complete. As an
> optimization, packets are flow-batched in emc processing till any packet in
> the batch has an EMC miss.
> 
> A new flow map is maintained to keep the original order of packet along with
> flow information. Post fastpath processing, packets from flow map are
> *appended* to per-flow buffer.
> 
> Signed-off-by: Vishal Deep Ajmera 
> Co-authored-by: Venkatesan Pradeep
> 
> Signed-off-by: Venkatesan Pradeep 

Reviewed-by: Shahaf Shuler  

> ---
>  lib/dpif-netdev.c | 103
> +-
>  1 file changed, 87 insertions(+), 16 deletions(-)
> 
> diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c index 8b3556d..d4b8f99
> 100644
> --- a/lib/dpif-netdev.c
> +++ b/lib/dpif-netdev.c
> @@ -208,6 +208,13 @@ struct dpcls_rule {
>  /* 'flow' must be the last field, additional space is allocated here. */ 
>  };
> 
> +/* data structure to keep packet order till fastpath processing */
> +struct dp_packet_flow_map {
> +struct dp_packet *packet;
> +struct dp_netdev_flow *flow;
> +uint16_t tcp_flags;
> +};
> +
>  static void dpcls_init(struct dpcls *);  static void dpcls_destroy(struct 
> dpcls *);
> static void dpcls_sort_subtable_vector(struct dpcls *); @@ -5602,6 +5609,19
> @@ dp_netdev_queue_batches(struct dp_packet *pkt,
>  packet_batch_per_flow_update(batch, pkt, tcp_flags);  }
> 
> +static inline void
> +packet_enqueue_to_flow_map(struct dp_packet_flow_map *flow_map,
> +   struct dp_netdev_flow *flow,
> +   struct dp_packet *packet,
> +   uint16_t tcp_flags,
> +   size_t *map_cnt) {
> +struct dp_packet_flow_map *map = _map[(*map_cnt)++];
> +map->flow = flow;
> +map->packet = packet;
> +map->tcp_flags = tcp_flags;
> +}
> +
>  /* Try to process all ('cnt') the 'packets' using only the exact match cache
>   * 'pmd->flow_cache'. If a flow is not found for a packet 'packets[i]', the
>   * 
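Review bot: packet_enqueue_to_flow_map() post-increments *map_cnt and writes the slot with no bound, so correctness depends on every caller sizing flow_map for the whole rx batch. State that requirement in a comment above the function or assert on the count before the write, since the array capacity is not visible at this point in the patch.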
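The reordering described in the quoted commit message, as an added C model that is not code from the patch or from OVS. The two lookups are reduced to hypothetical predicates (`emc_hit`, `megaflow_hit`), the P1 to P8 batch is constructed from the message's list, and `batch_with_flow_map` is a simplified stand-in for the flow-map approach, including the "batch directly until the first EMC miss" optimization.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define BATCH   8

struct pkt { int id; uint16_t tcp_flags; };

/* Per-flow buffer: packet ids in the order they would be processed. */
struct flow_batch { int ids[BATCH]; size_t n; };

/* Constructed sample: the P1..P8 batch from the message, P4 carries PSH. */
static const struct pkt sample_rx[BATCH] = {
    {1, TCP_ACK}, {2, TCP_ACK}, {3, TCP_ACK}, {4, TCP_ACK | TCP_PSH},
    {5, TCP_ACK}, {6, TCP_ACK}, {7, TCP_ACK}, {8, TCP_ACK},
};

/* Hypothetical EMC: exact match including TCP flags, only ACK is cached. */
static int emc_hit(const struct pkt *p) { return p->tcp_flags == TCP_ACK; }

/* Hypothetical megaflow: ignores TCP flags, so every packet matches. */
static int megaflow_hit(const struct pkt *p) { (void) p; return 1; }

/* Old behaviour: append to the per-flow buffer at each lookup stage. */
static void
batch_per_stage(const struct pkt *rx, size_t cnt, struct flow_batch *out)
{
    const struct pkt *missed[BATCH];
    size_t n_missed = 0;

    out->n = 0;
    cnt = cnt > BATCH ? BATCH : cnt;
    for (size_t i = 0; i < cnt; i++) {
        if (emc_hit(&rx[i])) {
            out->ids[out->n++] = rx[i].id;      /* EMC stage appends. */
        } else {
            missed[n_missed++] = &rx[i];
        }
    }
    for (size_t i = 0; i < n_missed; i++) {
        if (megaflow_hit(missed[i])) {
            out->ids[out->n++] = missed[i]->id; /* Lands after later hits. */
        }
    }
}

struct flow_map_entry { const struct pkt *packet; int have_flow; };

/* New behaviour: after the first EMC miss, record packets in rx order and
 * append to the per-flow buffer only once both lookups are done. */
static void
batch_with_flow_map(const struct pkt *rx, size_t cnt, struct flow_batch *out)
{
    struct flow_map_entry map[BATCH];
    size_t map_cnt = 0;
    int seen_miss = 0;

    out->n = 0;
    cnt = cnt > BATCH ? BATCH : cnt;
    for (size_t i = 0; i < cnt; i++) {
        int hit = emc_hit(&rx[i]);
        if (hit && !seen_miss) {
            out->ids[out->n++] = rx[i].id;      /* No miss yet: safe. */
            continue;
        }
        seen_miss = 1;
        map[map_cnt].packet = &rx[i];
        map[map_cnt].have_flow = hit;
        map_cnt++;
    }
    for (size_t i = 0; i < map_cnt; i++) {      /* Megaflow stage. */
        if (!map[i].have_flow) {
            map[i].have_flow = megaflow_hit(map[i].packet);
        }
    }
    for (size_t i = 0; i < map_cnt; i++) {      /* Append in rx order. */
        if (map[i].have_flow) {
            out->ids[out->n++] = map[i].packet->id;
        }
    }
}

/* Returns 1 when the batch holds exactly 'want' in that order. */
static int
order_matches(const struct flow_batch *b, const int *want, size_t n)
{
    if (b->n != n) {
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        if (b->ids[i] != want[i]) {
            return 0;
        }
    }
    return 1;
}

int
main(void)
{
    struct flow_batch b;
    const int in_order[BATCH] = {1, 2, 3, 4, 5, 6, 7, 8};

    batch_per_stage(sample_rx, BATCH, &b);
    printf("per-stage in order: %d\n", order_matches(&b, in_order, BATCH));
    batch_with_flow_map(sample_rx, BATCH, &b);
    printf("flow-map  in order: %d\n", order_matches(&b, in_order, BATCH));
    return 0;
}
```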

Re: [ovs-dev] [PATCH 1/2] flow: Fix buffer overread for crafted IPv6 packets.

2018-07-09 Thread Ben Pfaff
Yeah, that's always a risk.

I applied this to master and backported as far as branch-2.4.

On Mon, Jul 09, 2018 at 08:13:16PM -0700, Darrell Ball wrote:
> Acked-by: Darrell Ball 
> 
> I never read the contents of that function; just assumed it was sanitizing
> the packet :-)
> 
> On Mon, Jul 9, 2018 at 1:04 PM, Ben Pfaff  wrote:
> 
> > The ipv6_sanity_check() function implemented a check for IPv6 payload
> > length wrong: ip6_plen is the payload length but this function checked
> > whether it was longer than the total length of IPv6 header plus payload.
> > This meant that a packet with a crafted ip6_plen could result in a buffer
> > overread of up to the length of an IPv6 header (40 bytes).
> >
> > The kernel datapath flow extraction code does not obviously have a similar
> > problem.
> >
> > Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
> > Signed-off-by: Ben Pfaff 
> > ---
> >  lib/flow.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/lib/flow.c b/lib/flow.c
> > index a785e63a82f3..76a8b9aaeaae 100644
> > --- a/lib/flow.c
> > +++ b/lib/flow.c
> > @@ -677,7 +677,7 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr
> > *nh, size_t size)
> >  }
> >
> >  plen = ntohs(nh->ip6_plen);
> > -if (OVS_UNLIKELY(plen > size)) {
> > +if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
> >  return false;
> >  }
> >  /* Jumbo Payload option not supported yet. */
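Review bot: The one-line change to the plen comparison arrives without a regression test; the diffstat touches only lib/flow.c. Since the report came from a fuzzer, a small test packet whose ip6_plen is larger than the bytes that follow the header would keep this check from regressing.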
> > --
> > 2.16.1
> >
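The length check that the quoted commit message describes, as an added C example that is not code from lib/flow.c or from the patch. `read_plen`, `check_before`, `check_after`, `overread`, `build_packet` and `worst_accepted_overread` are hypothetical names, the packets are constructed, and the initial "size is at least one header" test is an assumption about the part of the function the hunk does not show.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HEADER_LEN 40      /* Fixed IPv6 header, in bytes. */
#define MAX_PAYLOAD     64      /* Capacity of the sample buffers. */

/* Payload Length field: bytes 4-5 of the header, network byte order. */
static uint16_t
read_plen(const uint8_t *hdr)
{
    return (uint16_t) ((hdr[4] << 8) | hdr[5]);
}

/* "Before": payload length compared with the size of header + payload. */
static bool
check_before(const uint8_t *pkt, size_t size)
{
    if (size < IPV6_HEADER_LEN) {       /* Assumed earlier check. */
        return false;
    }
    return read_plen(pkt) <= size;
}

/* "After": header length added before comparing, as in the patch. */
static bool
check_after(const uint8_t *pkt, size_t size)
{
    if (size < IPV6_HEADER_LEN) {       /* Assumed earlier check. */
        return false;
    }
    return (size_t) read_plen(pkt) + IPV6_HEADER_LEN <= size;
}

/* Bytes past 'size' that a parser trusting ip6_plen would read. */
static size_t
overread(const uint8_t *pkt, size_t size)
{
    size_t end = (size_t) read_plen(pkt) + IPV6_HEADER_LEN;
    return end > size ? end - size : 0;
}

/* Constructed packet: 'payload' real bytes after the header, with the
 * Payload Length field set to 'claimed_plen'.  Returns bytes present. */
static size_t
build_packet(uint8_t *buf, size_t payload, uint16_t claimed_plen)
{
    if (payload > MAX_PAYLOAD) {
        payload = MAX_PAYLOAD;
    }
    memset(buf, 0, IPV6_HEADER_LEN + payload);
    buf[0] = 0x60;                              /* Version 6. */
    buf[4] = (uint8_t) (claimed_plen >> 8);
    buf[5] = (uint8_t) (claimed_plen & 0xff);
    buf[6] = 59;                                /* No next header. */
    buf[7] = 64;                                /* Hop limit. */
    return IPV6_HEADER_LEN + payload;
}

/* Tries every possible ip6_plen and returns the largest overread among
 * the packets that 'check' accepts. */
static size_t
worst_accepted_overread(size_t payload,
                        bool (*check)(const uint8_t *, size_t))
{
    uint8_t buf[IPV6_HEADER_LEN + MAX_PAYLOAD];
    size_t worst = 0;

    for (uint32_t plen = 0; plen <= UINT16_MAX; plen++) {
        size_t size = build_packet(buf, payload, (uint16_t) plen);
        if (check(buf, size) && overread(buf, size) > worst) {
            worst = overread(buf, size);
        }
    }
    return worst;
}

int
main(void)
{
    printf("before: worst accepted overread = %zu bytes\n",
           worst_accepted_overread(8, check_before));
    printf("after:  worst accepted overread = %zu bytes\n",
           worst_accepted_overread(8, check_after));
    return 0;
}
```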


Re: [ovs-dev] [PATCH v2 1/4] dpif-netlink: Detect Out-Of-Resource condition on a netdev

2018-07-09 Thread Sriharsha Basavapatna via dev
On Tue, Jul 10, 2018 at 4:13 AM, Ben Pfaff  wrote:
> On Sun, Jul 08, 2018 at 07:15:37PM +0530, Sriharsha Basavapatna via dev wrote:
>> This is the first patch in the patch-set to support dynamic rebalancing
>> of offloaded flows.
>>
>> The patch detects OOR condition on a netdev port when ENOSPC error is
>> returned by TC-Flower while adding a flow rule. A new structure is added
>> to the netdev called "netdev_hw_info", to store OOR related information
>> required to perform dynamic offload-rebalancing.
>>
>> Signed-off-by: Sriharsha Basavapatna 
>> Co-authored-by: Venkat Duvvuru 
>> Signed-off-by: Venkat Duvvuru 
>> Reviewed-by: Sathya Perla 
>
> Thanks for the patch.
>
> This fails to build on my system, with:
>
> In file included from ../lib/lldp/lldpd.h:32,
>  from ../lib/ovs-lldp.h:26,
>  from ../ofproto/ofproto-dpif-xlate.h:28,
>  from ../ofproto/ofproto-dpif-upcall.c:36:
> ../ofproto/ofproto-dpif-upcall.c: In function 'udpif_update_flow_pps':
> ../ofproto/ofproto-dpif-upcall.c:2630:18: error: format '%lu' expects 
> argument of type 'long unsigned int', but argument 5 has type 'long long 
> unsigned int' [-Werror=format=]
> ../include/openvswitch/vlog.h:277:41: note: in definition of macro 'VLOG'
> ../ofproto/ofproto-dpif-upcall.c:2630:9: note: in expansion of macro 
> 'VLOG_DBG'
> ../ofproto/ofproto-dpif-upcall.c:2630:18: error: format '%lu' expects 
> argument of type 'long unsigned int', but argument 6 has type 'uint64_t' {aka 
> 'long long unsigned int'} [-Werror=format=]
> ../include/openvswitch/vlog.h:277:41: note: in definition of macro 'VLOG'
> ../ofproto/ofproto-dpif-upcall.c:2630:9: note: in expansion of macro 
> 'VLOG_DBG'
>
> I guess that you should use "%llu" for unsigned long long, and "%"PRIu64
> for uint64_t.  Alternatively, a lot of the debug logging here doesn't
> seem particularly useful, should it be there?  (Often __func__ is a sign
> that a log message is more of a debug aid for the programmer and not
> something that should appear in the field.)

I agree, this one was more of a debug aid. I'll remove it and revisit
the other ones that we added.
Thanks,
-Harsha


Re: [ovs-dev] [PATCH 1/2] flow: Fix buffer overread for crafted IPv6 packets.

2018-07-09 Thread Darrell Ball
Acked-by: Darrell Ball 

I never read the contents of that function; just assumed it was sanitizing
the packet :-)

On Mon, Jul 9, 2018 at 1:04 PM, Ben Pfaff  wrote:

> The ipv6_sanity_check() function implemented a check for IPv6 payload
> length wrong: ip6_plen is the payload length but this function checked
> whether it was longer than the total length of IPv6 header plus payload.
> This meant that a packet with a crafted ip6_plen could result in a buffer
> overread of up to the length of an IPv6 header (40 bytes).
>
> The kernel datapath flow extraction code does not obviously have a similar
> problem.
>
> Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
> Signed-off-by: Ben Pfaff 
> ---
>  lib/flow.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/flow.c b/lib/flow.c
> index a785e63a82f3..76a8b9aaeaae 100644
> --- a/lib/flow.c
> +++ b/lib/flow.c
> @@ -677,7 +677,7 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr
> *nh, size_t size)
>  }
>
>  plen = ntohs(nh->ip6_plen);
> -if (OVS_UNLIKELY(plen > size)) {
> +if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
>  return false;
>  }
>  /* Jumbo Payload option not supported yet. */
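Review bot: The corrected comparison, plen + IPV6_HEADER_LEN > size, would benefit from a one-line comment saying that ip6_plen counts only the bytes after the fixed header, because the removed line shows how easily it gets compared against the total size by mistake.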
> --
> 2.16.1
>


Re: [ovs-dev] [PATCH] ofproto: Return error codes for Rule insertions

2018-07-09 Thread Aravind Prasad
> Currently, rule_insert() API does not have return value. There are some possible
> scenarios where rule insertions can fail at run-time even though the static
> checks during rule_construct() had passed previously.
> Some possible scenarios for failure of rule insertions:
> **) Rule insertions can fail dynamically in Hybrid mode (both Openflow and
> Normal switch functioning coexist) where the CAM space could get suddenly
> filled up by Normal switch functioning and Openflow gets devoid of
> available space.
> **) Some deployments could have separate independent layers for HW rule
> insertions and application layer to interact with OVS. HW layer
> could face any dynamic issue during rule handling which application could
> not have predicted/captured in rule-construction phase.
> Rule-insert errors for bundles are not handled in this pull-request.
> Will be handled in upcoming pull request.

>> I don't think that ofproto-dpif can ever see such a failure.  Are you
>> planning to submit an ofproto provider that exercises this behavior?

Hi Ben,

These types of errors are possible in actual Hardware implementations.
It is possible that ofproto and netdev providers could be implemented
for an actual HW.
Usually, in such cases, in the rule construct phase, all the static
checks like verifying the qualifiers and actions could be done and the
other related verifications.
But during the rule insert phase, it is possible that the rule insertion
may fail in HW (runtime errors, HW errors and so on).
Hence, we need a way to rollback for rule-insert phase also.
Kindly let me know your views.

Thanks,
Aravind Prasad S


On Tue, Jul 10, 2018 at 3:45 AM Ben Pfaff  wrote:

> On Mon, Jul 09, 2018 at 01:02:08PM +0530, Aravind Prasad S wrote:
> > Currently, rule_insert() API does not have return value. There are some possible
> > scenarios where rule insertions can fail at run-time even though the static
> > checks during rule_construct() had passed previously.
> > Some possible scenarios for failure of rule insertions:
> > **) Rule insertions can fail dynamically in Hybrid mode (both Openflow and
> > Normal switch functioning coexist) where the CAM space could get suddenly
> > filled up by Normal switch functioning and Openflow gets devoid of
> > available space.
> > **) Some deployments could have separate independent layers for HW rule
> > insertions and application layer to interact with OVS. HW layer
> > could face any dynamic issue during rule handling which application could
> > not have predicted/captured in rule-construction phase.
> > Rule-insert errors for bundles are not handled in this pull-request.
> > Will be handled in upcoming pull request.
> >
> > Signed-off-by: Aravind Prasad S 
>
> I don't think that ofproto-dpif can ever see such a failure.  Are you
> planning to submit an ofproto provider that exercises this behavior?
>
> Thanks,
>
> Ben.
>


Re: [ovs-dev] [PATCH] treewide: Remove pointless "return; " at ends of functions.

2018-07-09 Thread Darrell Ball
Acked-by: Darrell Ball 
Tested-by: Darrell Ball 

Thanks for the pointer



On Mon, Jul 9, 2018 at 4:48 PM, Ben Pfaff  wrote:

> Found with:
> git ls-files | xargs pcregrep -n -M 'return;\n*}'
>
> Signed-off-by: Ben Pfaff 
> ---
>  datapath-windows/ovsext/Driver.c  | 1 -
>  datapath-windows/ovsext/IpHelper.c| 6 --
>  datapath-windows/ovsext/Netlink/Netlink.c | 1 -
>  datapath-windows/ovsext/Vport.c   | 1 -
>  lib/conntrack.c   | 4 
>  lib/lldp/lldpd.c  | 2 --
>  lib/netdev-native-tnl.c   | 1 -
>  tests/test-aa.c   | 6 --
>  tests/test-ovsdb.c| 3 ---
>  9 files changed, 25 deletions(-)
>
> diff --git a/datapath-windows/ovsext/Driver.c b/datapath-windows/ovsext/
> Driver.c
> index 50c9614e42ef..0d23adaf7296 100644
> --- a/datapath-windows/ovsext/Driver.c
> +++ b/datapath-windows/ovsext/Driver.c
> @@ -201,5 +201,4 @@ OvsExtStatus(NDIS_HANDLE filterModuleContext,
>  POVS_SWITCH_CONTEXT switchObject = (POVS_SWITCH_CONTEXT)
> filterModuleContext;
>
>  NdisFIndicateStatus(switchObject->NdisFilterHandle,
> statusIndication);
> -return;
>  }
> diff --git a/datapath-windows/ovsext/IpHelper.c b/datapath-windows/ovsext/
> IpHelper.c
> index 6bbd096c53b0..c734b0ecc2e2 100644
> --- a/datapath-windows/ovsext/IpHelper.c
> +++ b/datapath-windows/ovsext/IpHelper.c
> @@ -565,8 +565,6 @@ OvsUpdateIpInterfaceNotification(PMIB_IPINTERFACE_ROW
> ipRow)
>  ExReleaseResourceLite(>lock);
>  }
>  ExReleaseResourceLite();
> -
> -return;
>  }
>
>  static VOID
> @@ -672,8 +670,6 @@ error:
>  OvsIpHelperDeleteInstance(instance);
>  }
>  }
> -
> -return;
>  }
>
>  static VOID
> @@ -713,8 +709,6 @@ OvsRemoveIpInterfaceNotification(PMIB_IPINTERFACE_ROW
> ipRow)
>  OvsCleanupIpHelperRequestList();
>  OvsCleanupFwdTable();
>  }
> -
> -return;
>  }
>
>  static VOID
> diff --git a/datapath-windows/ovsext/Netlink/Netlink.c
> b/datapath-windows/ovsext/Netlink/Netlink.c
> index 156732cdb3af..f4a0050480c2 100644
> --- a/datapath-windows/ovsext/Netlink/Netlink.c
> +++ b/datapath-windows/ovsext/Netlink/Netlink.c
> @@ -653,7 +653,6 @@ VOID
>  NlMsgAlignSize(const PNL_MSG_HDR nlh)
>  {
>  nlh->nlmsgLen = NLMSG_ALIGN(nlh->nlmsgLen);
> -return;
>  }
>
>  /*
> diff --git a/datapath-windows/ovsext/Vport.c b/datapath-windows/ovsext/
> Vport.c
> index 7cf2497e3988..380870a111d8 100644
> --- a/datapath-windows/ovsext/Vport.c
> +++ b/datapath-windows/ovsext/Vport.c
> @@ -1219,7 +1219,6 @@ UpdateSwitchCtxWithVport(POVS_SWITCH_CONTEXT
> switchContext,
>  if (newPort) {
>  switchContext->numHvVports++;
>  }
> -return;
>  }
>
>  /*
> diff --git a/lib/conntrack.c b/lib/conntrack.c
> index 97fd46a5e167..333f5d41aa1e 100644
> --- a/lib/conntrack.c
> +++ b/lib/conntrack.c
> @@ -2085,8 +2085,6 @@ nat_ipv6_addr_increment(struct in6_addr
> *ipv6_aligned, uint32_t increment)
>
>  memcpy(ipv6_hi, _64_hi, sizeof addr6_64_hi);
>  memcpy(ipv6_lo, _64_lo, sizeof addr6_64_lo);
> -
> -return;
>  }
>
>  static uint32_t
> @@ -3282,7 +3280,6 @@ handle_ftp_ctl(struct conntrack *ct, const struct
> conn_lookup_ctx *ctx,
>  uint8_t pad = dp_packet_l2_pad_size(pkt);
>  th->tcp_csum = csum_finish(
>  csum_continue(tcp_csum, th, tail - (char *) th - pad));
> -return;
>  }
>
>  static void
> @@ -3296,5 +3293,4 @@ handle_tftp_ctl(struct conntrack *ct,
>  expectation_create(ct, conn_for_expectation->key.src.port,
> conn_for_expectation,
> !!(pkt->md.ct_state & CS_REPLY_DIR), false, false);
> -return;
>  }
> diff --git a/lib/lldp/lldpd.c b/lib/lldp/lldpd.c
> index 036ff4f4ccdc..19e930526695 100644
> --- a/lib/lldp/lldpd.c
> +++ b/lib/lldp/lldpd.c
> @@ -408,8 +408,6 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s,
>  if (!oport)  {
>  hw->h_insert_cnt++;
>  }
> -
> -return;
>  }
>
>  static void
> diff --git a/lib/netdev-native-tnl.c b/lib/netdev-native-tnl.c
> index a63fe24196d9..56baaa217a5d 100644
> --- a/lib/netdev-native-tnl.c
> +++ b/lib/netdev-native-tnl.c
> @@ -614,7 +614,6 @@ netdev_erspan_push_header(const struct netdev *netdev,
>  md2 = ALIGNED_CAST(struct erspan_md2 *, ersh + 1);
>  put_16aligned_be32(>timestamp, get_erspan_ts(ERSPAN_100US));
>  }
> -return;
>  }
>
>  int
> diff --git a/tests/test-aa.c b/tests/test-aa.c
> index 1290ca8c9a7c..0107d2263bc8 100644
> --- a/tests/test-aa.c
> +++ b/tests/test-aa.c
> @@ -47,8 +47,6 @@ check_received_port(struct lldpd_port *sport,
>  assert(rport->p_id_len == sport->p_id_len);
>  assert(strncmp(rport->p_id, sport->p_id, sport->p_id_len) == 0);
>  assert(strcmp(rport->p_descr, sport->p_descr) == 0);
> -
> -return;
>  }
>
>
> @@ -66,8 +64,6 @@ check_received_chassis(struct lldpd_chassis *schassis,
>  

Re: [ovs-dev] [PATCH v4 1/2] dpif-netdev: Add SMC cache after EMC cache

2018-07-09 Thread Wang, Yipeng1
Thanks for the comments, please see my reply inlined. I made all the changes 
you suggested and included in v5 which I will send out soon.

>> diff --git a/lib/cmap.c b/lib/cmap.c
>> index 07719a8..db1c806 100644
>> --- a/lib/cmap.c
>> +++ b/lib/cmap.c
>> @@ -373,6 +373,79 @@ cmap_find(const struct cmap *cmap, uint32_t hash)
>> hash);
>>  }
>>
>> +/* Find a node by the index of the entry of cmap. For example, index 7
>> +means
>> + * the second bucket and the third item.
>> + * Notice that it is not protected by the optimistic lock (versioning)
>> +because
>> + * of performance reasons. Currently it is only used by the datapath DFC 
>> cache.
>> + *
>> + * Return node for the entry of index or NULL if the index beyond
>> +boundary */ const struct cmap_node * cmap_find_by_index(const struct
>> +cmap *cmap, uint16_t index) {
>> +const struct cmap_impl *impl = cmap_get_impl(cmap);
>> +
>> +uint32_t b = index / CMAP_K;
>> +uint32_t e = index % CMAP_K;
>> +
>> +if (b > impl->mask) {
>> +return NULL;
>> +}
>> +
>> +const struct cmap_bucket *bucket = >buckets[b];
>> +
>> +return cmap_node_next(>nodes[e]);
>> +}
>> +
>> +/* Find the index of certain hash value. Currently only used by the
>> +datapath
>> + * DFC cache.
>> + *
>> + * Return the index of the entry if found, or UINT32_MAX if not found
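Review bot: cmap_find_by_index() takes a uint16_t index, while the comment on the companion lookup says it returns UINT32_MAX when nothing is found, so the two halves of the new API disagree on the width of an index. Use one type for both and document what a caller should do with an entry whose index does not fit in 16 bits.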
>[[BO'M]]  An intro to the concept of index would be useful here especially as it 
>does not currently exist in cmap. Something like: "The
>'index' of a cmap entry is a way to combine the specific bucket and item 
>occupied by an entry into a convenient single integer value. It
>is not used internally by cmap." Unless of course that is actually wrong :)
[Wang, Yipeng]  I will add the comments you suggested. It indeed makes it more 
understandable.

>If a cmap's capacity exceeds the range of UINT32_MAX what happens? Does 
>something different happen if the entry is in a bucket
>that can be expressed in a uint32_t versus a bucket that is outside of that 
>range?
[Wang, Yipeng] I currently assume the cmap cannot be larger than uint32_max. It 
is a very large number and I guess OvS should not deal with
this big table.  But you are right that I should make it clear,
 I add comments in cmap header file and other places to explain this 
restriction for the newly added API.
>
>> +*/
>> @@ -155,6 +166,11 @@ struct netdev_flow_key {  #define
>> EM_FLOW_HASH_MASK (EM_FLOW_HASH_ENTRIES - 1)  #define
>> EM_FLOW_HASH_SEGS 2
>>
>> +#define SMC_ENTRY_PER_BUCKET 4
>[[BO'M]] SMC_ENTRY_PER_BUCKET -> SMC_ENTRIES_PER_BUCKET.
>Also a comment something like "A bucket forms the set of possible entries that 
>a flow hash can occupy. Therefore
>SMC_ENTRIES_PER_BUCKET for SMC is analogous to EM_FLOW_HASH_SEGS for EMC." 
>Might help people familiar with the current
>EMC to grok the SMC a little faster.
>
[Wang, Yipeng] I added more explanations as you suggested. For the 
SMC_ENTRIES_PER_BUCKET, it is actually slightly different from
EM_FLOW_HASH_SEGS.  For EMC, two hash functions are used to index two 
locations, for SMC currently, I just use one hash
function to index a bucket, and iterate the entries in that bucket. It is more 
like a middle ground between EMC and CMAP.

>> @@ -2297,6 +2373,76 @@ emc_lookup(struct emc_cache *cache, const struct
>> netdev_flow_key *key)
>>  return NULL;
>>  }
>>
>> +static inline const struct cmap_node *
>> +smc_entry_get(struct dp_netdev_pmd_thread *pmd, struct smc_cache *cache,
>> +const uint32_t hash)
>> +{
>> +struct smc_bucket *bucket = >buckets[hash & SMC_MASK];
>> +uint16_t sig = hash >> 16;
>> +uint16_t index = UINT16_MAX;
>> +
>> +for (int i = 0; i < SMC_ENTRY_PER_BUCKET; i++) {
>> +if (bucket->sig[i] == sig) {
>> +index = bucket->flow_idx[i];
>> +break;
>> +}
>> +}
>> +if (index != UINT16_MAX) {
>> +return cmap_find_by_index(>flow_table, index);
>> +}
>> +return NULL;
>> +}
>> +
>> +static void
>> +smc_clear_entry(struct smc_bucket *b, int idx) {
>> +b->flow_idx[idx] = UINT16_MAX;
>> +}
>> +
>> +static inline int
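Review bot: smc_entry_get() stops at the first slot whose sig matches, but smc_clear_entry() resets only flow_idx and leaves sig in place, so a cleared slot with a stale signature makes the lookup return NULL even when a later slot in the same bucket holds a valid entry with that signature. Either skip slots whose flow_idx is UINT16_MAX inside the loop or clear sig together with flow_idx.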
>[[BO'M]] As return value seems to be 1 for ok and 0 for failure suggest using 
>a bool for the return value. Also a comment describing
>when an insert may fail. Describe insertion strategy which seems to be 'if 
>entry already exists update it, otherwise insert in a free
>space, if no free space available randomly pick an entry from the bucket'
>
[Wang, Yipeng] Thanks for pointing it out. I eventually changed it to void 
function since I realize that I do not need a return value indeed.
I will include this change and more comments for the logic in V5. 

>> +smc_insert(struct dp_netdev_pmd_thread *pmd,
>> +   const struct netdev_flow_key *key,
>> +   uint32_t hash)
>> +{
>> +struct smc_cache *smc_cache = >flow_cache.smc_cache;
>> +struct smc_bucket *bucket = _cache->buckets[key->hash &
>> SMC_MASK];
>> +

Re: [ovs-dev] [RFC PATCH 0/9] Daemon mode for ovn-nbctl

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 08:57:14PM +0200, Jakub Sitnicki wrote:
> This series extends ovn-nbctl tool with support for the daemon mode, where
> ovn-nbctl acts as a long-lived process that accepts commands over a UNIX socket.

Seems like a great start, I'll look forward to its evolution toward
being ready for final review.


Re: [ovs-dev] [RFC PATCH 4/9] ovn-nbctl: Signal need to try again via an output param.

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 08:57:18PM +0200, Jakub Sitnicki wrote:
> Introduce an output parameter for the flag that signals need to retry
> running the command. This leaves the return value for error reporting.
> 
> Preparatory work for reusing the main loop in daemon mode.
> 
> Signed-off-by: Jakub Sitnicki 

I noticed that this introduces a plain "return;" as the last statement
in the function, which can be removed.


[ovs-dev] [patch v7 9/9] ipf: Add fragmentation status reporting.

2018-07-09 Thread Darrell Ball
A new command "ovs-appctl dpctl/ipf-get-status" is added
for userspace datapath conntrack fragmentation support.
The command shows the configuration status, fragment counters and
ipf lists state.

Signed-off-by: Darrell Ball 
---
 NEWS |   2 +
 lib/ct-dpif.c|  45 +++
 lib/ct-dpif.h|   9 +++
 lib/dpctl.c  | 107 ++
 lib/dpctl.man|   6 ++
 lib/dpif-netdev.c|  58 +++
 lib/dpif-netlink.c   |   4 ++
 lib/dpif-provider.h  |  16 +
 lib/ipf.c| 107 ++
 lib/ipf.h|  10 
 tests/system-kmod-macros.at  |  32 ++
 tests/system-traffic.at  |  40 +
 tests/system-userspace-macros.at | 122 +++
 13 files changed, 548 insertions(+), 10 deletions(-)

diff --git a/NEWS b/NEWS
index 2b22a84..af8f9a8 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,8 @@ Post-v2.9.0
datapath conntrack fragmentation support.
  * New "ovs-appctl dpctl/ipf-set-max-nfrags" command for userspace datapath
conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-get-status" command for userspace datapath
+   conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index ee23a4d..a59bc1e 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -188,6 +188,51 @@ ct_dpif_ipf_set_max_nfrags(struct dpif *dpif, uint32_t 
max_frags)
 : EOPNOTSUPP);
 }
 
+int ct_dpif_ipf_get_status(struct dpif *dpif, bool *ipf_v4_enabled,
+unsigned int *min_v4_frag_size, unsigned int *nfrag_max,
+unsigned int *nfrag, unsigned int *n4frag_accepted,
+unsigned int *n4frag_completed_sent,
+unsigned int *n4frag_expired_sent, unsigned int *n4frag_too_small,
+unsigned int *n4frag_overlap, bool *ipf_v6_enabled,
+unsigned int *min_v6_frag_size, unsigned int *n6frag_accepted,
+unsigned int *n6frag_completed_sent,
+unsigned int *n6frag_expired_sent, unsigned int *n6frag_too_small,
+unsigned int *n6frag_overlap)
+{
+return (dpif->dpif_class->ipf_get_status
+? dpif->dpif_class->ipf_get_status(dpif, ipf_v4_enabled,
+min_v4_frag_size, nfrag_max, nfrag, n4frag_accepted,
+n4frag_completed_sent, n4frag_expired_sent, n4frag_too_small,
+n4frag_overlap, ipf_v6_enabled, min_v6_frag_size, n6frag_accepted,
+n6frag_completed_sent, n6frag_expired_sent, n6frag_too_small,
+n6frag_overlap)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_ipf_dump_start(struct dpif *dpif, struct ipf_dump_ctx **dump_ctx)
+{
+return (dpif->dpif_class->ipf_dump_start
+   ? dpif->dpif_class->ipf_dump_start(dpif, dump_ctx)
+   : EOPNOTSUPP);
+}
+
+int
+ct_dpif_ipf_dump_next(struct dpif *dpif, void *dump_ctx,  char **dump)
+{
+return (dpif->dpif_class->ipf_dump_next
+? dpif->dpif_class->ipf_dump_next(dpif, dump_ctx, dump)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_ipf_dump_done(struct dpif *dpif, void *dump_ctx)
+{
+return (dpif->dpif_class->ipf_dump_done
+? dpif->dpif_class->ipf_dump_done(dpif, dump_ctx)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
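Review bot: ct_dpif_ipf_get_status() passes sixteen positional output pointers, fourteen of them unsigned int *, so two arguments swapped at any call site compile cleanly and report the wrong counter. A status struct filled in by the provider would be safer and easier to extend. The return type also sits on the same line as the function name here, unlike the three dump functions added right below it.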
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index f886ab9..2ff7e26 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -204,6 +204,15 @@ int ct_dpif_get_nconns(struct dpif *dpif, uint32_t 
*nconns);
 int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
 int ct_dpif_ipf_set_min_frag(struct dpif *, bool, uint32_t);
 int ct_dpif_ipf_set_max_nfrags(struct dpif *, uint32_t);
+int ct_dpif_ipf_get_status(struct dpif *dpif, bool *, unsigned int *,
+   unsigned int *, unsigned int *, unsigned int *,
+   unsigned int *, unsigned int *, unsigned int *,
+   unsigned int *, bool *, unsigned int *,
+   unsigned int *, unsigned int *, unsigned int *,
+   unsigned int *, unsigned int *);
+int ct_dpif_ipf_dump_start(struct dpif *dpif, struct ipf_dump_ctx **);
+int ct_dpif_ipf_dump_next(struct dpif *dpif, void *, char **);
+int ct_dpif_ipf_dump_done(struct dpif *dpif, void *);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
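Review bot: The ct_dpif_ipf_get_status() prototype leaves every output parameter unnamed, so the header gives no way to tell which counter goes where; name them, as the ct_dpif_ipf_set_enabled() line just above does. Also, ct_dpif_ipf_dump_start() hands back a struct ipf_dump_ctx ** while dump_next and dump_done accept a plain void *, which drops type checking for the same context object.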
diff --git a/lib/dpctl.c b/lib/dpctl.c
index ab0f60b..2b2a74a 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -1792,6 +1792,111 @@ dpctl_ipf_set_max_nfrags(int argc, const char *argv[],
 return error;
 }
 
+static void
+dpctl_dump_ipf(struct dpif *dpif, struct 

[ovs-dev] [patch v7 7/9] ipf: Add set minimum fragment size command.

2018-07-09 Thread Darrell Ball
A new command "ovs-appctl dpctl/ipf-set-min-frag" is added
for userspace datapath conntrack fragmentation support.

Signed-off-by: Darrell Ball 
---
 NEWS|  2 ++
 lib/ct-dpif.c   |  8 
 lib/ct-dpif.h   |  2 ++
 lib/dpctl.c | 40 
 lib/dpctl.man   |  9 +
 lib/dpif-netdev.c   |  8 
 lib/dpif-netlink.c  |  1 +
 lib/dpif-provider.h |  3 +++
 lib/ipf.c   | 23 +++
 lib/ipf.h   |  2 ++
 10 files changed, 98 insertions(+)

diff --git a/NEWS b/NEWS
index 96fa05b..9ab9970 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,8 @@ Post-v2.9.0
conntrack fragmentation support.
  * New "ovs-appctl dpctl/ipf-set-disabled" command for userspace datapath
conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-set-min-frag" command for userspace
+   datapath conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index b1f29dc..d5596af 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -172,6 +172,14 @@ ct_dpif_ipf_set_enabled(struct dpif *dpif, bool v6, bool 
enable)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_ipf_set_min_frag(struct dpif *dpif, bool v6, uint32_t min_frag)
+{
+return (dpif->dpif_class->ipf_set_min_frag
+? dpif->dpif_class->ipf_set_min_frag(dpif, v6, min_frag)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index bd6234d..6eb55b4 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -17,6 +17,7 @@
 #ifndef CT_DPIF_H
 #define CT_DPIF_H
 
+#include "ipf.h"
 #include "openvswitch/types.h"
 #include "packets.h"
 
@@ -201,6 +202,7 @@ int ct_dpif_set_maxconns(struct dpif *dpif, uint32_t 
maxconns);
 int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t *maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
 int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
+int ct_dpif_ipf_set_min_frag(struct dpif *, bool, uint32_t);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpctl.c b/lib/dpctl.c
index ad7ca8d..e74d713 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -1726,6 +1726,44 @@ dpctl_ipf_set_disabled(int argc, const char *argv[],
 return ipf_set_enabled__(argc, argv, dpctl_p, false);
 }
 
+static int
+dpctl_ipf_set_min_frag(int argc, const char *argv[],
+   struct dpctl_params *dpctl_p)
+{
+struct dpif *dpif;
+int error = opt_dpif_open(argc, argv, dpctl_p, 4, );
+if (!error) {
+char v4_or_v6[3] = {0};
+if (ovs_scan(argv[argc - 2], "%2s", v4_or_v6) &&
+(!strncmp(v4_or_v6, "v4", 2) || !strncmp(v4_or_v6, "v6", 2))) {
+uint32_t min_fragment;
+if (ovs_scan(argv[argc - 1], "%"SCNu32, _fragment)) {
+error = ct_dpif_ipf_set_min_frag(
+dpif, !strncmp(v4_or_v6, "v6", 2), min_fragment);
+if (!error) {
+dpctl_print(dpctl_p,
+"setting minimum fragment size successful");
+} else {
+dpctl_error(dpctl_p, error,
+"requested minimum fragment size too small;"
+" see documentation");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing for minimum fragment size");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing: v4 for ipv4 or v6 for ipv6");
+}
+dpif_close(dpif);
+}
+
+return error;
+}
+
 /* Undocumented commands for unit testing. */
 
 static int
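Review bot: In dpctl_ipf_set_min_frag(), every non-zero return from ct_dpif_ipf_set_min_frag() is reported as "requested minimum fragment size too small; see documentation", but the wrapper added in lib/ct-dpif.c in this same patch returns EOPNOTSUPP when the datapath class has no ipf_set_min_frag hook, so on such a datapath the user is told the value is too small when the command is simply unsupported. Suggest a neutral message such as "setting minimum fragment size failed" and letting the error code carry the reason. Separately, scanning with "%2s" and comparing with strncmp(..., 2) only looks at the first two characters of the address-family argument, so a token with trailing characters after "v4" or "v6" would appear to pass; a plain strcmp() against argv[argc - 2] would reject it.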
@@ -2029,6 +2067,8 @@ static const struct dpctl_command all_commands[] = {
dpctl_ipf_set_enabled, DP_RW },
 { "ipf-set-disabled", "[dp] v4 | v6", 1, 2,
dpctl_ipf_set_disabled, DP_RW },
+{ "ipf-set-min-frag", "[dp] v4 | v6 minfragment", 2, 3,
+   dpctl_ipf_set_min_frag, DP_RW },
 { "help", "", 0, INT_MAX, dpctl_help, DP_RO },
 { "list-commands", "", 0, INT_MAX, dpctl_list_commands, DP_RO },
 
diff --git a/lib/dpctl.man b/lib/dpctl.man
index 43d161a..900900d 100644
--- a/lib/dpctl.man
+++ b/lib/dpctl.man
@@ -287,3 +287,12 @@ after conntrack.  Both v4 and v6 are enabled by default.
 Disables fragmentation handling for the userspace datapath connection
 tracker.  Either \fBv4\fR or \fBv6\fR must be specified.  Both v4 and v6 are
 enabled by default.
+.
+.TP
+\*(DX\fBipf\-set\-min\-frag\fR [\fIdp\fR] \fBv4\fR | \fBv6\fR \fIminfrag\fR
+Sets 

[ovs-dev] [patch v7 8/9] ipf: Add set maximum fragments supported command.

2018-07-09 Thread Darrell Ball
A new command "ovs-appctl dpctl/ipf-set-max-nfrags" is added
for userspace datapath conntrack fragmentation support.

Signed-off-by: Darrell Ball 
---
 NEWS|  2 ++
 lib/ct-dpif.c   |  8 
 lib/ct-dpif.h   |  1 +
 lib/dpctl.c | 30 ++
 lib/dpctl.man   |  8 
 lib/dpif-netdev.c   |  8 
 lib/dpif-netlink.c  |  1 +
 lib/dpif-provider.h |  2 ++
 lib/ipf.c   | 10 ++
 lib/ipf.h   |  2 ++
 10 files changed, 72 insertions(+)

diff --git a/NEWS b/NEWS
index 9ab9970..2b22a84 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ Post-v2.9.0
conntrack fragmentation support.
  * New "ovs-appctl dpctl/ipf-set-min-frag" command for userspace
datapath conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-set-max-nfrags" command for userspace datapath
+   conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index d5596af..ee23a4d 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -180,6 +180,14 @@ ct_dpif_ipf_set_min_frag(struct dpif *dpif, bool v6, 
uint32_t min_frag)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_ipf_set_max_nfrags(struct dpif *dpif, uint32_t max_frags)
+{
+return (dpif->dpif_class->ipf_set_max_nfrags
+? dpif->dpif_class->ipf_set_max_nfrags(dpif, max_frags)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 6eb55b4..f886ab9 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -203,6 +203,7 @@ int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t 
*maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
 int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
 int ct_dpif_ipf_set_min_frag(struct dpif *, bool, uint32_t);
+int ct_dpif_ipf_set_max_nfrags(struct dpif *, uint32_t);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpctl.c b/lib/dpctl.c
index e74d713..ab0f60b 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -1764,6 +1764,34 @@ dpctl_ipf_set_min_frag(int argc, const char *argv[],
 return error;
 }
 
+static int
+dpctl_ipf_set_max_nfrags(int argc, const char *argv[],
+ struct dpctl_params *dpctl_p)
+{
+struct dpif *dpif;
+int error = opt_dpif_open(argc, argv, dpctl_p, 3, );
+if (!error) {
+uint32_t nfrags_max;
+if (ovs_scan(argv[argc - 1], "%"SCNu32, _max)) {
+error = ct_dpif_ipf_set_max_nfrags(dpif, nfrags_max);
+if (!error) {
+dpctl_print(dpctl_p,
+"setting maximum fragments successful");
+} else {
+dpctl_error(dpctl_p, error,
+"setting maximum fragments failed");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing for maximum fragments");
+}
+dpif_close(dpif);
+}
+
+return error;
+}
+
 /* Undocumented commands for unit testing. */
 
 static int
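Review bot: The else branch of the ovs_scan() check in dpctl_ipf_set_max_nfrags() reports "parameter missing for maximum fragments", but it is reached whenever the last argument fails to parse as an unsigned number, which includes a value that is present but malformed, not only a missing one. Suggest wording it as an invalid value and echoing argv[argc - 1] in the message. The failure message for ct_dpif_ipf_set_max_nfrags() could also say whether the value was out of range, since the man page text in this patch documents a clamped maximum.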
@@ -2069,6 +2097,8 @@ static const struct dpctl_command all_commands[] = {
dpctl_ipf_set_disabled, DP_RW },
 { "ipf-set-min-frag", "[dp] v4 | v6 minfragment", 2, 3,
dpctl_ipf_set_min_frag, DP_RW },
+{ "ipf-set-max-nfrags", "[dp] maxfrags", 1, 2,
+   dpctl_ipf_set_max_nfrags, DP_RW },
 { "help", "", 0, INT_MAX, dpctl_help, DP_RO },
 { "list-commands", "", 0, INT_MAX, dpctl_list_commands, DP_RO },
 
diff --git a/lib/dpctl.man b/lib/dpctl.man
index 900900d..c6c4a87 100644
--- a/lib/dpctl.man
+++ b/lib/dpctl.man
@@ -296,3 +296,11 @@ must be specified.  The default v4 value is 1200 and the 
clamped minimum is
 400.  The default v6 value is 1280, with a clamped minimum of 400, for
 testing flexibility.  The maximum frag size is not clamped, however setting
 this value too high might result in valid fragments being dropped.
+.
+.TP
+\*(DX\fBipf\-set\-max\-nfrags\fR [\fIdp\fR] \fImaxfrags\fR
+Sets the maximum number of fragments tracked by the userspace datapath
+connection tracker.  The default value is 1000 and the clamped maximum
+is 5000.  Note that packet buffers can be held by the fragmentation
+module while fragments are incomplete, but will timeout after 15 seconds.
+Memory pool sizing should be set accordingly when fragmentation is enabled.
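Review bot: The new ipf-set-max-nfrags text gives a clamped maximum of 5000 but does not say what the command does with a larger request (silently clamp it, or fail with an error), which is what an operator sizing memory pools needs to know. Please state the behaviour. Minor: "will timeout after 15 seconds" should read "will time out after 15 seconds".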
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 653c313..76bc1d9 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -6546,6 +6546,13 @@ dpif_netdev_ipf_set_min_frag(struct dpif *dpif 
OVS_UNUSED, bool v6,
 return ipf_set_min_frag(v6, min_frag);
 }
 
+static int

[ovs-dev] [patch v7 5/9] Userspace datapath: Add fragmentation handling.

2018-07-09 Thread Darrell Ball
Fragmentation handling is added for supporting conntrack.
Both v4 and v6 are supported.

After discussion with several people, I decided to not store
configuration state in the database to be more consistent with
the kernel in future, similarity with other conntrack configuration
which will not be in the database as well and overall simplicity.
Accordingly, fragmentation handling is enabled by default.

This patch enables fragmentation tests for the userspace datapath.

Signed-off-by: Darrell Ball 
---
 NEWS |2 +
 include/sparse/netinet/ip6.h |1 +
 lib/automake.mk  |2 +
 lib/conntrack.c  |   13 +-
 lib/ipf.c| 1266 ++
 lib/ipf.h|   60 ++
 tests/system-kmod-macros.at  |   10 +-
 tests/system-traffic.at  |   30 +-
 tests/system-userspace-macros.at |   26 +-
 9 files changed, 1365 insertions(+), 45 deletions(-)
 create mode 100644 lib/ipf.c
 create mode 100644 lib/ipf.h

diff --git a/NEWS b/NEWS
index 92e9b92..e0418a5 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ Post-v2.9.0
  * ovs-ofctl now accepts and display table names in place of numbers.  By
default it always accepts names and in interactive use it displays them;
use --names or --no-names to override.  See ovs-ofctl(8) for details.
+   - Userspace datapath:
+ * Add v4/v6 fragmentation support for conntrack.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/include/sparse/netinet/ip6.h b/include/sparse/netinet/ip6.h
index d2a54de..bfa637a 100644
--- a/include/sparse/netinet/ip6.h
+++ b/include/sparse/netinet/ip6.h
@@ -64,5 +64,6 @@ struct ip6_frag {
 };
 
 #define IP6F_OFF_MASK ((OVS_FORCE ovs_be16) 0xfff8)
+#define IP6F_MORE_FRAG ((OVS_FORCE ovs_be16) 0x0001)
 
 #endif /* netinet/ip6.h sparse */
diff --git a/lib/automake.mk b/lib/automake.mk
index fb43aa1..142587f 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -107,6 +107,8 @@ lib_libopenvswitch_la_SOURCES = \
lib/hmapx.h \
lib/id-pool.c \
lib/id-pool.h \
+   lib/ipf.c \
+   lib/ipf.h \
lib/jhash.c \
lib/jhash.h \
lib/json.c \
diff --git a/lib/conntrack.c b/lib/conntrack.c
index 30941ff..e1c1f2e 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -30,6 +30,7 @@
 #include "ct-dpif.h"
 #include "dp-packet.h"
 #include "flow.h"
+#include "ipf.h"
 #include "netdev.h"
 #include "odp-netlink.h"
 #include "openvswitch/hmap.h"
@@ -339,6 +340,7 @@ conntrack_init(struct conntrack *ct)
 atomic_init(>n_conn_limit, DEFAULT_N_CONN_LIMIT);
 latch_init(>clean_thread_exit);
 ct->clean_thread = ovs_thread_create("ct_clean", clean_thread_main, ct);
+ipf_init();
 }
 
 /* Destroys the connection tracker 'ct' and frees all the allocated memory. */
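Review bot: ipf_init() is called from conntrack_init() with no argument, and ipf_destroy() is called the same way from conntrack_destroy() in the next hunk, so the fragmentation state is process-wide while struct conntrack is per instance. If more than one conntrack instance can exist, ipf_init() runs again on live state and the first conntrack_destroy() tears it down for the others. Either pass ct (or a per-instance ipf context) into these calls, or document and enforce that they run only once.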
@@ -381,6 +383,7 @@ conntrack_destroy(struct conntrack *ct)
 hindex_destroy(>alg_expectation_refs);
 ct_rwlock_unlock(>resources_lock);
 ct_rwlock_destroy(>resources_lock);
+ipf_destroy();
 }
 
 static unsigned hash_to_bucket(uint32_t hash)
@@ -1292,7 +1295,8 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
 
 /* Sends the packets in '*pkt_batch' through the connection tracker 'ct'.  All
  * the packets must have the same 'dl_type' (IPv4 or IPv6) and should have
- * the l3 and and l4 offset properly set.
+ * the l3 and and l4 offset properly set.  Performs fragment reassembly with
+ * the help of ipf_preprocess_conntrack().
  *
  * If 'commit' is true, the packets are allowed to create new entries in the
  * connection tables.  'setmark', if not NULL, should point to a two
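Review bot: The rewritten comment line still carries the doubled word in "the l3 and and l4 offset properly set"; since the line is being changed anyway, fix it to "the l3 and l4 offsets properly set". The added sentence could also mention ipf_postprocess_conntrack(), which this patch calls at the end of conntrack_execute(), so the description covers both halves of the fragment handling.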
@@ -1307,11 +1311,14 @@ conntrack_execute(struct conntrack *ct, struct 
dp_packet_batch *pkt_batch,
   const struct nat_action_info_t *nat_action_info,
   long long now)
 {
+ipf_preprocess_conntrack(pkt_batch, now, dl_type, zone, ct->hash_basis);
+
 struct dp_packet *packet;
 struct conn_lookup_ctx ctx;
 
 DP_PACKET_BATCH_FOR_EACH (i, packet, pkt_batch) {
-if (!conn_key_extract(ct, packet, dl_type, , zone)) {
+if (packet->md.ct_state == CS_INVALID
+|| !conn_key_extract(ct, packet, dl_type, , zone)) {
 packet->md.ct_state = CS_INVALID;
 write_ct_md(packet, zone, NULL, NULL, NULL);
 continue;
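Review bot: The new test packet->md.ct_state == CS_INVALID in the batch loop has no comment saying where that state comes from, and it compares a flags field for exact equality. Please add a comment that this relies on ipf_preprocess_conntrack() marking the fragments it rejects, and confirm that a packet arriving with ct_state already set by an earlier pass through conntrack cannot be skipped here by mistake.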
@@ -1320,6 +1327,8 @@ conntrack_execute(struct conntrack *ct, struct 
dp_packet_batch *pkt_batch,
 setlabel, nat_action_info, tp_src, tp_dst, helper);
 }
 
+ipf_postprocess_conntrack(pkt_batch, now, dl_type);
+
 return 0;
 }
 
diff --git a/lib/ipf.c b/lib/ipf.c
new file mode 100644
index 000..2c26e1f
--- /dev/null
+++ b/lib/ipf.c
@@ -0,0 +1,1266 @@
+/*
+ * Copyright (c) 2018 Nicira, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not 

[ovs-dev] [patch v7 6/9] ipf: Add command to disable fragmentation handling.

2018-07-09 Thread Darrell Ball
Commands are added to disable and also enable fragmentation handling
for conntrack.

Signed-off-by: Darrell Ball 
---
 NEWS|  4 
 lib/ct-dpif.c   |  8 
 lib/ct-dpif.h   |  1 +
 lib/dpctl.c | 50 ++
 lib/dpctl.man   | 15 +++
 lib/dpif-netdev.c   |  9 +
 lib/dpif-netlink.c  |  1 +
 lib/dpif-provider.h |  4 +++-
 lib/ipf.c   |  7 +++
 lib/ipf.h   |  2 ++
 10 files changed, 100 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index e0418a5..96fa05b 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,10 @@ Post-v2.9.0
use --names or --no-names to override.  See ovs-ofctl(8) for details.
- Userspace datapath:
  * Add v4/v6 fragmentation support for conntrack.
+ * New "ovs-appctl dpctl/ipf-set-enabled" command for userspace datapath
+   conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-set-disabled" command for userspace datapath
+   conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index 5fa3a97..b1f29dc 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -164,6 +164,14 @@ ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_ipf_set_enabled(struct dpif *dpif, bool v6, bool enable)
+{
+return (dpif->dpif_class->ipf_set_enabled
+? dpif->dpif_class->ipf_set_enabled(dpif, v6, enable)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 09e7698..bd6234d 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -200,6 +200,7 @@ int ct_dpif_flush(struct dpif *, const uint16_t *zone,
 int ct_dpif_set_maxconns(struct dpif *dpif, uint32_t maxconns);
 int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t *maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
+int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpctl.c b/lib/dpctl.c
index 4f1e443..ad7ca8d 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -35,6 +35,7 @@
 #include "dpif.h"
 #include "openvswitch/dynamic-string.h"
 #include "flow.h"
+#include "ipf.h"
 #include "openvswitch/match.h"
 #include "netdev.h"
 #include "netdev-dpdk.h"
@@ -1680,6 +1681,51 @@ dpctl_ct_get_nconns(int argc, const char *argv[],
 return error;
 }
 
+static int
+ipf_set_enabled__(int argc, const char *argv[], struct dpctl_params *dpctl_p,
+  bool enabled)
+{
+struct dpif *dpif;
+int error = opt_dpif_open(argc, argv, dpctl_p, 4, );
+if (!error) {
+char v4_or_v6[3] = {0};
+if (ovs_scan(argv[argc - 2], "%2s", v4_or_v6) &&
+(!strncmp(v4_or_v6, "v4", 2) || !strncmp(v4_or_v6, "v6", 2))) {
+error = ct_dpif_ipf_set_enabled(
+dpif, !strncmp(v4_or_v6, "v6", 2), enabled);
+if (!error) {
+dpctl_print(dpctl_p,
+"%s fragmentation reassembly successful",
+enabled ? "enabling" : "disabling");
+} else {
+dpctl_error(dpctl_p, error,
+"%s fragmentation reassembly failed",
+enabled ? "enabling" : "disabling");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing: 'v4' for ipv4 or 'v6' for ipv6");
+}
+dpif_close(dpif);
+}
+return error;
+}
+
+static int
+dpctl_ipf_set_enabled(int argc, const char *argv[],
+  struct dpctl_params *dpctl_p)
+{
+return ipf_set_enabled__(argc, argv, dpctl_p, true);
+}
+
+static int
+dpctl_ipf_set_disabled(int argc, const char *argv[],
+   struct dpctl_params *dpctl_p)
+{
+return ipf_set_enabled__(argc, argv, dpctl_p, false);
+}
+
 /* Undocumented commands for unit testing. */
 
 static int
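Review bot: ipf_set_enabled__() reads the address family from argv[argc - 2], but the all_commands entries added in the next hunk give the usage as "[dp] v4 | v6" with one or two arguments, which makes v4/v6 the last argument; the other handlers in this series read their last argument from argv[argc - 1]. As written, argv[argc - 2] looks like it would be the datapath name or the command name. Should this be argv[argc - 1]? Please also double-check the 4 passed to opt_dpif_open() against the two-argument maximum in the table.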
@@ -1979,6 +2025,10 @@ static const struct dpctl_command all_commands[] = {
 { "ct-set-maxconns", "[dp] maxconns", 1, 2, dpctl_ct_set_maxconns, DP_RW },
 { "ct-get-maxconns", "[dp]", 0, 1, dpctl_ct_get_maxconns, DP_RO },
 { "ct-get-nconns", "[dp]", 0, 1, dpctl_ct_get_nconns, DP_RO },
+{ "ipf-set-enabled", "[dp] v4 | v6", 1, 2,
+   dpctl_ipf_set_enabled, DP_RW },
+{ "ipf-set-disabled", "[dp] v4 | v6", 1, 2,
+   dpctl_ipf_set_disabled, DP_RW },
 { "help", "", 0, INT_MAX, dpctl_help, DP_RO },
 { "list-commands", "", 0, INT_MAX, dpctl_list_commands, DP_RO },
 
diff --git a/lib/dpctl.man b/lib/dpctl.man
index 5d987e6..43d161a 100644
--- 

[ovs-dev] [PATCH] treewide: Remove pointless "return; " at ends of functions.

2018-07-09 Thread Ben Pfaff
Found with:
git ls-files | xargs pcregrep -n -M 'return;\n*}'

Signed-off-by: Ben Pfaff 
---
 datapath-windows/ovsext/Driver.c  | 1 -
 datapath-windows/ovsext/IpHelper.c| 6 --
 datapath-windows/ovsext/Netlink/Netlink.c | 1 -
 datapath-windows/ovsext/Vport.c   | 1 -
 lib/conntrack.c   | 4 
 lib/lldp/lldpd.c  | 2 --
 lib/netdev-native-tnl.c   | 1 -
 tests/test-aa.c   | 6 --
 tests/test-ovsdb.c| 3 ---
 9 files changed, 25 deletions(-)

diff --git a/datapath-windows/ovsext/Driver.c b/datapath-windows/ovsext/Driver.c
index 50c9614e42ef..0d23adaf7296 100644
--- a/datapath-windows/ovsext/Driver.c
+++ b/datapath-windows/ovsext/Driver.c
@@ -201,5 +201,4 @@ OvsExtStatus(NDIS_HANDLE filterModuleContext,
 POVS_SWITCH_CONTEXT switchObject = 
(POVS_SWITCH_CONTEXT)filterModuleContext;
 
 NdisFIndicateStatus(switchObject->NdisFilterHandle, statusIndication);
-return;
 }
diff --git a/datapath-windows/ovsext/IpHelper.c 
b/datapath-windows/ovsext/IpHelper.c
index 6bbd096c53b0..c734b0ecc2e2 100644
--- a/datapath-windows/ovsext/IpHelper.c
+++ b/datapath-windows/ovsext/IpHelper.c
@@ -565,8 +565,6 @@ OvsUpdateIpInterfaceNotification(PMIB_IPINTERFACE_ROW ipRow)
 ExReleaseResourceLite(>lock);
 }
 ExReleaseResourceLite();
-
-return;
 }
 
 static VOID
@@ -672,8 +670,6 @@ error:
 OvsIpHelperDeleteInstance(instance);
 }
 }
-
-return;
 }
 
 static VOID
@@ -713,8 +709,6 @@ OvsRemoveIpInterfaceNotification(PMIB_IPINTERFACE_ROW ipRow)
 OvsCleanupIpHelperRequestList();
 OvsCleanupFwdTable();
 }
-
-return;
 }
 
 static VOID
diff --git a/datapath-windows/ovsext/Netlink/Netlink.c 
b/datapath-windows/ovsext/Netlink/Netlink.c
index 156732cdb3af..f4a0050480c2 100644
--- a/datapath-windows/ovsext/Netlink/Netlink.c
+++ b/datapath-windows/ovsext/Netlink/Netlink.c
@@ -653,7 +653,6 @@ VOID
 NlMsgAlignSize(const PNL_MSG_HDR nlh)
 {
 nlh->nlmsgLen = NLMSG_ALIGN(nlh->nlmsgLen);
-return;
 }
 
 /*
diff --git a/datapath-windows/ovsext/Vport.c b/datapath-windows/ovsext/Vport.c
index 7cf2497e3988..380870a111d8 100644
--- a/datapath-windows/ovsext/Vport.c
+++ b/datapath-windows/ovsext/Vport.c
@@ -1219,7 +1219,6 @@ UpdateSwitchCtxWithVport(POVS_SWITCH_CONTEXT 
switchContext,
 if (newPort) {
 switchContext->numHvVports++;
 }
-return;
 }
 
 /*
diff --git a/lib/conntrack.c b/lib/conntrack.c
index 97fd46a5e167..333f5d41aa1e 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -2085,8 +2085,6 @@ nat_ipv6_addr_increment(struct in6_addr *ipv6_aligned, 
uint32_t increment)
 
 memcpy(ipv6_hi, _64_hi, sizeof addr6_64_hi);
 memcpy(ipv6_lo, _64_lo, sizeof addr6_64_lo);
-
-return;
 }
 
 static uint32_t
@@ -3282,7 +3280,6 @@ handle_ftp_ctl(struct conntrack *ct, const struct 
conn_lookup_ctx *ctx,
 uint8_t pad = dp_packet_l2_pad_size(pkt);
 th->tcp_csum = csum_finish(
 csum_continue(tcp_csum, th, tail - (char *) th - pad));
-return;
 }
 
 static void
@@ -3296,5 +3293,4 @@ handle_tftp_ctl(struct conntrack *ct,
 expectation_create(ct, conn_for_expectation->key.src.port,
conn_for_expectation,
!!(pkt->md.ct_state & CS_REPLY_DIR), false, false);
-return;
 }
diff --git a/lib/lldp/lldpd.c b/lib/lldp/lldpd.c
index 036ff4f4ccdc..19e930526695 100644
--- a/lib/lldp/lldpd.c
+++ b/lib/lldp/lldpd.c
@@ -408,8 +408,6 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s,
 if (!oport)  {
 hw->h_insert_cnt++;
 }
-
-return;
 }
 
 static void
diff --git a/lib/netdev-native-tnl.c b/lib/netdev-native-tnl.c
index a63fe24196d9..56baaa217a5d 100644
--- a/lib/netdev-native-tnl.c
+++ b/lib/netdev-native-tnl.c
@@ -614,7 +614,6 @@ netdev_erspan_push_header(const struct netdev *netdev,
 md2 = ALIGNED_CAST(struct erspan_md2 *, ersh + 1);
 put_16aligned_be32(>timestamp, get_erspan_ts(ERSPAN_100US));
 }
-return;
 }
 
 int
diff --git a/tests/test-aa.c b/tests/test-aa.c
index 1290ca8c9a7c..0107d2263bc8 100644
--- a/tests/test-aa.c
+++ b/tests/test-aa.c
@@ -47,8 +47,6 @@ check_received_port(struct lldpd_port *sport,
 assert(rport->p_id_len == sport->p_id_len);
 assert(strncmp(rport->p_id, sport->p_id, sport->p_id_len) == 0);
 assert(strcmp(rport->p_descr, sport->p_descr) == 0);
-
-return;
 }
 
 
@@ -66,8 +64,6 @@ check_received_chassis(struct lldpd_chassis *schassis,
 assert(strcmp(rchassis->c_descr, schassis->c_descr) == 0);
 assert(rchassis->c_cap_available == schassis->c_cap_available);
 assert(rchassis->c_cap_enabled == schassis->c_cap_enabled);
-
-return;
 }
 
 
@@ -113,8 +109,6 @@ check_received_aa(struct lldpd_port *sport,
 i++;
 }
 assert(i == 2);
-
-return;
 }
 
 
diff --git a/tests/test-ovsdb.c b/tests/test-ovsdb.c
index 48706b71c719..de94fd0cd51d 100644
--- 

[ovs-dev] [patch v7 3/9] tests: Add missed local stack checks.

2018-07-09 Thread Darrell Ball
Signed-off-by: Darrell Ball 
Acked-by: Justin Pettit 
---
 tests/system-traffic.at | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 519b234..75648d4 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -2530,6 +2530,7 @@ AT_SETUP([conntrack - Fragmentation over vxlan])
 OVS_CHECK_VXLAN()
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_FRAG()
+CHECK_CONNTRACK_LOCAL_STACK()
 
 OVS_TRAFFIC_VSWITCHD_START()
 ADD_BR([br-underlay])
@@ -2582,6 +2583,7 @@ AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
 OVS_CHECK_VXLAN()
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_FRAG()
+CHECK_CONNTRACK_LOCAL_STACK()
 
 OVS_TRAFFIC_VSWITCHD_START()
 ADD_BR([br-underlay])
-- 
1.9.1

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


[ovs-dev] [patch v7 2/9] flow: Enhance parse_ipv6_ext_hdrs.

2018-07-09 Thread Darrell Ball
Enhance the api parse_ipv6_ext_hdrs to return the
fragmentation header to be used in later patches.

Signed-off-by: Darrell Ball 
Acked-by: Justin Pettit 
---
 lib/conntrack.c |  4 ++--
 lib/flow.c  | 31 +--
 lib/flow.h  |  3 ++-
 3 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 97fd46a..efe8a18 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1307,7 +1307,6 @@ conntrack_execute(struct conntrack *ct, struct 
dp_packet_batch *pkt_batch,
   const struct nat_action_info_t *nat_action_info,
   long long now)
 {
-
 struct dp_packet *packet;
 struct conn_lookup_ctx ctx;
 
@@ -1555,7 +1554,8 @@ extract_l3_ipv6(struct conn_key *key, const void *data, 
size_t size,
 uint8_t nw_proto = ip6->ip6_nxt;
 uint8_t nw_frag = 0;
 
-if (!parse_ipv6_ext_hdrs(, , _proto, _frag)) {
+const struct ovs_16aligned_ip6_frag *frag_hdr;
+if (!parse_ipv6_ext_hdrs(, , _proto, _frag, _hdr)) {
 return false;
 }
 
diff --git a/lib/flow.c b/lib/flow.c
index a785e63..8c4baf0 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -453,9 +453,14 @@ invalid:
 return true;
 }
 
+/* datap points to the first extension header and advances as parsing
+ * occurs; sizep is the remaining size and is decreased accordingly.
+ * nw_proto starts as the first extension header to process and is
+ * updated as the extension headers are parsed. */
 static inline bool
 parse_ipv6_ext_hdrs__(const void **datap, size_t *sizep, uint8_t *nw_proto,
-  uint8_t *nw_frag)
+  uint8_t *nw_frag,
+  const struct ovs_16aligned_ip6_frag **frag_hdr)
 {
 while (1) {
 if (OVS_LIKELY((*nw_proto != IPPROTO_HOPOPTS)
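Review bot: The new comment above parse_ipv6_ext_hdrs__() describes datap, sizep and nw_proto but says nothing about the frag_hdr parameter this hunk adds (or about nw_frag). Please document that *frag_hdr is set to the fragment header when one is found, and what value the caller sees when none is present.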
@@ -502,17 +507,17 @@ parse_ipv6_ext_hdrs__(const void **datap, size_t *sizep, 
uint8_t *nw_proto,
 return false;
 }
 } else if (*nw_proto == IPPROTO_FRAGMENT) {
-const struct ovs_16aligned_ip6_frag *frag_hdr = *datap;
+*frag_hdr = *datap;
 
-*nw_proto = frag_hdr->ip6f_nxt;
-if (!data_try_pull(datap, sizep, sizeof *frag_hdr)) {
+*nw_proto = (*frag_hdr)->ip6f_nxt;
+if (!data_try_pull(datap, sizep, sizeof **frag_hdr)) {
 return false;
 }
 
 /* We only process the first fragment. */
-if (frag_hdr->ip6f_offlg != htons(0)) {
+if ((*frag_hdr)->ip6f_offlg != htons(0)) {
 *nw_frag = FLOW_NW_FRAG_ANY;
-if ((frag_hdr->ip6f_offlg & IP6F_OFF_MASK) != htons(0)) {
+if (((*frag_hdr)->ip6f_offlg & IP6F_OFF_MASK) != htons(0)) {
 *nw_frag |= FLOW_NW_FRAG_LATER;
 *nw_proto = IPPROTO_FRAGMENT;
 return true;
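Review bot: In the IPPROTO_FRAGMENT branch *frag_hdr is assigned from *datap before data_try_pull() has confirmed that a whole fragment header is available, and nowhere in the visible hunks is it set when the packet has no fragment header. The callers updated in this patch declare frag_hdr without an initializer, so after a packet with no fragment header, or a false return on a truncated one, they hold a pointer that is indeterminate or not fully backed by packet data. Suggest setting *frag_hdr = NULL on entry and resetting it to NULL on the data_try_pull() failure path.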
@@ -524,9 +529,11 @@ parse_ipv6_ext_hdrs__(const void **datap, size_t *sizep, 
uint8_t *nw_proto,
 
 bool
 parse_ipv6_ext_hdrs(const void **datap, size_t *sizep, uint8_t *nw_proto,
-uint8_t *nw_frag)
+uint8_t *nw_frag,
+const struct ovs_16aligned_ip6_frag **frag_hdr)
 {
-return parse_ipv6_ext_hdrs__(datap, sizep, nw_proto, nw_frag);
+return parse_ipv6_ext_hdrs__(datap, sizep, nw_proto, nw_frag,
+ frag_hdr);
 }
 
 bool
@@ -877,7 +884,9 @@ miniflow_extract(struct dp_packet *packet, struct miniflow 
*dst)
 nw_ttl = nh->ip6_hlim;
 nw_proto = nh->ip6_nxt;
 
-if (!parse_ipv6_ext_hdrs__(, , _proto, _frag)) {
+const struct ovs_16aligned_ip6_frag *frag_hdr;
+if (!parse_ipv6_ext_hdrs__(, , _proto, _frag,
+   _hdr)) {
 goto out;
 }
 } else {
@@ -1067,7 +1076,9 @@ parse_tcp_flags(struct dp_packet *packet)
 plen = ntohs(nh->ip6_plen); /* Never pull padding. */
 dp_packet_set_l2_pad_size(packet, size - plen);
 size = plen;
-if (!parse_ipv6_ext_hdrs__(, , _proto, _frag)) {
+const struct ovs_16aligned_ip6_frag *frag_hdr;
+if (!parse_ipv6_ext_hdrs__(, , _proto, _frag,
+_hdr)) {
 return 0;
 }
 nw_proto = nh->ip6_nxt;
diff --git a/lib/flow.h b/lib/flow.h
index af7b5e9..e3e30f1 100644
--- a/lib/flow.h
+++ b/lib/flow.h
@@ -130,7 +130,8 @@ void flow_compose(struct dp_packet *, const struct flow *,
 void packet_expand(struct dp_packet *, const struct flow *, size_t size);
 
 bool parse_ipv6_ext_hdrs(const void **datap, size_t *sizep, uint8_t *nw_proto,
- uint8_t *nw_frag);
+ uint8_t *nw_frag,
+ const struct ovs_16aligned_ip6_frag **frag_hdr);
 ovs_be16 parse_dl_type(const struct eth_header *data_, size_t size);
 bool parse_nsh(const void **datap, size_t *sizep, struct ovs_key_nsh *key);
 uint16_t parse_tcp_flags(struct dp_packet *packet);
-- 
1.9.1


[ovs-dev] [patch v7 1/9] dp-packet: Add const qualifiers for checksum apis.

2018-07-09 Thread Darrell Ball
Signed-off-by: Darrell Ball 
Acked-by: Justin Pettit 
---
 lib/dp-packet.h | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/dp-packet.h b/lib/dp-packet.h
index ba91e58..ecf16fb 100644
--- a/lib/dp-packet.h
+++ b/lib/dp-packet.h
@@ -637,7 +637,7 @@ dp_packet_mbuf_init(struct dp_packet *p OVS_UNUSED)
 }
 
 static inline bool
-dp_packet_ip_checksum_valid(struct dp_packet *p OVS_UNUSED)
+dp_packet_ip_checksum_valid(const struct dp_packet *p OVS_UNUSED)
 {
 #ifdef DPDK_NETDEV
 return (p->mbuf.ol_flags & PKT_RX_IP_CKSUM_MASK) ==
@@ -648,7 +648,7 @@ dp_packet_ip_checksum_valid(struct dp_packet *p OVS_UNUSED)
 }
 
 static inline bool
-dp_packet_ip_checksum_bad(struct dp_packet *p OVS_UNUSED)
+dp_packet_ip_checksum_bad(const struct dp_packet *p OVS_UNUSED)
 {
 #ifdef DPDK_NETDEV
 return (p->mbuf.ol_flags & PKT_RX_IP_CKSUM_MASK) ==
@@ -659,7 +659,7 @@ dp_packet_ip_checksum_bad(struct dp_packet *p OVS_UNUSED)
 }
 
 static inline bool
-dp_packet_l4_checksum_valid(struct dp_packet *p OVS_UNUSED)
+dp_packet_l4_checksum_valid(const struct dp_packet *p OVS_UNUSED)
 {
 #ifdef DPDK_NETDEV
 return (p->mbuf.ol_flags & PKT_RX_L4_CKSUM_MASK) ==
@@ -670,7 +670,7 @@ dp_packet_l4_checksum_valid(struct dp_packet *p OVS_UNUSED)
 }
 
 static inline bool
-dp_packet_l4_checksum_bad(struct dp_packet *p OVS_UNUSED)
+dp_packet_l4_checksum_bad(const struct dp_packet *p OVS_UNUSED)
 {
 #ifdef DPDK_NETDEV
 return (p->mbuf.ol_flags & PKT_RX_L4_CKSUM_MASK) ==
-- 
1.9.1



[ovs-dev] [patch v7 0/9] Userspace datapath: Add fragmentation support.

2018-07-09 Thread Darrell Ball
Fragmentation support for userspace datapath conntrack is added; both
v4 and v6 are supported. See the patches for additional details.

Fragmentation tests for the userspace datapath are enabled
by the patches and other test enhancements are added.

v6->v7: Address review comments (Thanks Justin).
Rebase.
Fix a couple bugs.
Some enhancements.

v5->v6: Rebase
Folded patch 4 and some test enablement into patch 3 and brought
an earlier patch forward in sequence
Enable fragmentation by default
Cleanup

v4->v5: Added a sub-feature to optionally dump fragmentation lists.
This is useful for DOS forensics and debugging.

The testing coverage was also extended including checking
more counters and frag list occupancies.

Fixed a few bugs:
1/ Handle dpdk mempool source restrictions for a batch of
   packets from multiple sources; this also brings in a purge
   frag list function to handle pathological cases of stuck frags.
2/ ipf_destroy was missing packet frees for frag lists.
3/ A setting of CS_INVALID was missing for expired packets -
   I mentioned this earlier for version 4.

Some enhancements and coding standards changes for Patch 3.

v3->v4: Add V6 support to the patches.
Fix possible race cleanup bug when the user disables
   fragmentation and there are list occupancies, not cleaned up
   yet.
Add missed orig tuple fields for copy from reassembled packet
to fragments.
Fix a fragment list increment check - should have been "> 0"
rather than "!= 0".
Fix max frags calculation in case of theoretical corner case.
Add proper lock annotations.
Made some other improvements while adding V6 support.

v2->v3: Patch 2 was updated:
Remove "XXX" todo items by implementing the ones needed,
including realloc frag_list contexts to save memory.
Fix related bug with max_frag_list_size when min_frag_size is
reconfigured.

Tighten ip_tot_len sanity check for reassembled packets which
was more loose than intended.

Add another sanity check for fragment ip_tot_len; even though
it be redundant, add for completeness.

v1->v2: Few fixes, improvements and cleanups.

Darrell Ball (9):
  dp-packet: Add const qualifiers for checksum apis.
  flow: Enhance parse_ipv6_ext_hdrs.
  tests: Add missed local stack checks.
  conntrack: Reword conntrack_execute() description.
  Userspace datapath: Add fragmentation handling.
  ipf: Add command to disable fragmentation handling.
  ipf: Add set minimum fragment size command.
  ipf: Add set maximum fragments supported command.
  ipf: Add fragmentation status reporting.

 NEWS |   12 +
 include/sparse/netinet/ip6.h |1 +
 lib/automake.mk  |2 +
 lib/conntrack.c  |   17 +-
 lib/ct-dpif.c|   69 ++
 lib/ct-dpif.h|   13 +
 lib/dp-packet.h  |8 +-
 lib/dpctl.c  |  227 ++
 lib/dpctl.man|   38 +
 lib/dpif-netdev.c|   83 +++
 lib/dpif-netlink.c   |7 +
 lib/dpif-provider.h  |   25 +-
 lib/flow.c   |   31 +-
 lib/flow.h   |3 +-
 lib/ipf.c| 1413 ++
 lib/ipf.h|   76 ++
 tests/system-kmod-macros.at  |   42 +-
 tests/system-traffic.at  |   52 +-
 tests/system-userspace-macros.at |  148 +++-
 19 files changed, 2204 insertions(+), 63 deletions(-)
 create mode 100644 lib/ipf.c
 create mode 100644 lib/ipf.h

-- 
1.9.1



Re: [ovs-dev] [ovs-dev, v7, 9 of 9] ipf: Add fragmentation status reporting.

2018-07-09 Thread Darrell Ball
On Mon, Jul 9, 2018 at 4:04 PM, 0-day Robot  wrote:

> Bleep bloop.  Greetings Darrell Ball, I am a robot and I have tried out
> your patch.
> Thanks for your contribution.
>
> I encountered some error that I wasn't expecting.  See the details below.
>
>
> git-am:
> fatal: patch fragment without header at line 693: @@ -2368,7 +2394,6 @@
> AT_CLEANUP
> Repository lacks necessary blobs to fall back on 3-way merge.
> Cannot fall back to three-way merge.
> Patch failed at 0001 ipf: Add fragmentation status reporting.
> The copy of the patch that failed is found in:
>/var/lib/jenkins/jobs/upstream_build_from_pw/
> workspace/.git/rebase-apply/patch
> When you have resolved this problem, run "git am --resolved".
> If you prefer to skip this patch, run "git am --skip" instead.
> To restore the original branch and stop patching, run "git am --abort".
>


sorry for the noise Robot et al
I think I know where the patch corruption is occurring :-)
Another try with some lines moved around in the test file.



>
>
> Please check this out.  If you feel there has been an error, please email
> acon...@bytheb.org
>
> Thanks,
> 0-day Robot
>


Re: [ovs-dev] [RFC PATCH 5/9] ovn-nbctl: Don't dup the error message just to report it.

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 08:57:19PM +0200, Jakub Sitnicki wrote:
> Get rid of a pointless copy operation.
> 
> Signed-off-by: Jakub Sitnicki 

Good catch.  This same issue was also in ovn-sbctl and ovs-vsctl, so I
applied the fix to them too and applied this particular commit to
master.

(This will cause a minor inconvenience for rebasing.)



Re: [ovs-dev] [RFC PATCH 0/9] Daemon mode for ovn-nbctl

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 08:57:14PM +0200, Jakub Sitnicki wrote:
>  - No support for commands that use tabular output, that is 'find' or 'list'
>(used by the mentioned failing test case).  'table' module prints formatted
>tables contents to standard output so it cannot be easily reused on the
>server side.

This is solvable:
https://patchwork.ozlabs.org/patch/941734/


[ovs-dev] [PATCH] table: New function table_format() for formatting a table as a string.

2018-07-09 Thread Ben Pfaff
This will be useful for daemonized ovn-nbctl.

Signed-off-by: Ben Pfaff 
---
 lib/table.c | 222 
 lib/table.h |   3 +
 2 files changed, 121 insertions(+), 104 deletions(-)

diff --git a/lib/table.c b/lib/table.c
index 98599d67cfcf..cd811caf5b88 100644
--- a/lib/table.c
+++ b/lib/table.c
@@ -212,13 +212,12 @@ table_add_cell(struct table *table)
 }
 
 static void
-table_print_table_line__(struct ds *line)
+table_finish_line(struct ds *s)
 {
-while (ds_last(line) == ' ') {
-line->length--;
+while (ds_last(s) == ' ') {
+s->length--;
 }
-puts(ds_cstr(line));
-ds_clear(line);
+ds_put_char(s, '\n');
 }
 
 static char *
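Review bot: table_finish_line() now trims trailing spaces from the shared output string rather than from a per-line buffer, so the `while (ds_last(s) == ' ')` loop can run back past the start of the current line. If a line contributes nothing (for example a table with no columns) and the caller's `s` already ends in spaces, that earlier text is silently shortened. Consider recording `s->length` at the start of each line and never trimming below it, and add a comment saying the function now terminates the line in `s` instead of printing it.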
@@ -228,31 +227,31 @@ table_format_timestamp__(void)
 }
 
 static void
-table_print_timestamp__(const struct table *table)
+table_print_timestamp__(const struct table *table, struct ds *s)
 {
 if (table->timestamp) {
-char *s = table_format_timestamp__();
-puts(s);
-free(s);
+char *timestamp = table_format_timestamp__();
+ds_put_format(s, "%s\n", timestamp);
+free(timestamp);
 }
 }
 
 static void
-table_print_table__(const struct table *table, const struct table_style *style)
+table_print_table__(const struct table *table, const struct table_style *style,
+struct ds *s)
 {
 static int n = 0;
-struct ds line = DS_EMPTY_INITIALIZER;
 int *widths;
 size_t x, y;
 
 if (n++ > 0) {
-putchar('\n');
+ds_put_char(s, '\n');
 }
 
-table_print_timestamp__(table);
+table_print_timestamp__(table, s);
 
 if (table->caption) {
-puts(table->caption);
+ds_put_format(s, "%s\n", table->caption);
 }
 
 widths = xzalloc(table->n_columns * sizeof *widths);
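Review bot: `static int n = 0;` together with `if (n++ > 0)` in table_print_table__() is process-wide state, and now that the output goes into a caller-supplied `struct ds` the separator newline depends on how many tables the process has ever formatted, not on what is already in `s`. In a long-lived daemon, which the commit message names as the use case, every reply after the first would start with a blank line. Suggest dropping the counter and letting the caller insert separators, or keying the newline on `s->length`. The `_print_` names are also stale now that nothing is printed.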
@@ -286,222 +285,229 @@ table_print_table__(const struct table *table, const 
struct table_style *style)
 for (x = 0; x < table->n_columns; x++) {
 const struct column *column = >columns[x];
 if (x) {
-ds_put_char(, ' ');
+ds_put_char(s, ' ');
 }
-ds_put_format(, "%-*s", widths[x], column->heading);
+ds_put_format(s, "%-*s", widths[x], column->heading);
 }
-table_print_table_line__();
+table_finish_line(s);
 
 for (x = 0; x < table->n_columns; x++) {
 if (x) {
-ds_put_char(, ' ');
+ds_put_char(s, ' ');
 }
-ds_put_char_multiple(, '-', widths[x]);
+ds_put_char_multiple(s, '-', widths[x]);
 }
-table_print_table_line__();
+table_finish_line(s);
 }
 
 for (y = 0; y < table->n_rows; y++) {
 for (x = 0; x < table->n_columns; x++) {
 const char *text = cell_to_text(table_cell__(table, y, x), style);
 if (x) {
-ds_put_char(, ' ');
+ds_put_char(s, ' ');
 }
-ds_put_format(, "%-*.*s", widths[x], widths[x], text);
+ds_put_format(s, "%-*.*s", widths[x], widths[x], text);
 }
-table_print_table_line__();
+table_finish_line(s);
 }
 
-ds_destroy();
 free(widths);
 }
 
 static void
-table_print_list__(const struct table *table, const struct table_style *style)
+table_print_list__(const struct table *table, const struct table_style *style,
+   struct ds *s)
 {
 static int n = 0;
 size_t x, y;
 
 if (n++ > 0) {
-putchar('\n');
+ds_put_char(s, '\n');
 }
 
-table_print_timestamp__(table);
+table_print_timestamp__(table, s);
 
 if (table->caption) {
-puts(table->caption);
+ds_put_format(s, "%s\n", table->caption);
 }
 
 for (y = 0; y < table->n_rows; y++) {
 if (y > 0) {
-putchar('\n');
+ds_put_char(s, '\n');
 }
 for (x = 0; x < table->n_columns; x++) {
 const char *text = cell_to_text(table_cell__(table, y, x), style);
 if (style->headings) {
-printf("%-20s: ", table->columns[x].heading);
+ds_put_format(s, "%-20s: ", table->columns[x].heading);
 }
-puts(text);
+ds_put_format(s, "%s\n", text);
 }
 }
 }
 
 static void
-table_escape_html_text__(const char *s, size_t n)
+table_escape_html_text__(const char *content, size_t n, struct ds *s)
 {
-size_t i;
-
-for (i = 0; i < n; i++) {
-char c = s[i];
-
-switch (c) {
-case '&':
-fputs("", stdout);
-break;
-case '<':
-fputs("", stdout);
-break;
-case '>':
-fputs("", stdout);
-break;
-case '"':
-fputs("", stdout);
-break;
-default:
-putchar(c);
-break;
+if (!strpbrk(content, "&<>\"")) {
+ds_put_cstr(s, 
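Review bot: In table_escape_html_text__() the new fast path calls `strpbrk(content, "&<>\"")`, which scans to the terminating NUL and ignores the `n` argument. If a caller passes a length shorter than the string, a special character beyond the first `n` bytes decides which path is taken, and a buffer that is not NUL-terminated is read past `n`. Either bound the scan to `n` bytes or document that `content` must be NUL-terminated. table_print_list__() in this hunk also keeps `static int n`, so its leading newline depends on how many lists the process has formatted before rather than on the contents of `s`.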

Re: [ovs-dev] [PATCH 00/30] Get rid of ctl_fatal() calls in ovn-nbctl (part 1)

2018-07-09 Thread Ben Pfaff
On Sat, Jul 07, 2018 at 01:09:34PM +0200, Jakub Sitnicki wrote:
> This series is a follow-up to recent work done in db-ctl-base module [1].  The
> goal is to avoid using ctl_fatal() that terminates the process on error so 
> that
> ovn-nbctl, or other db-ctl tools, can run as long-lived processes (such as
> servers or daemons).

Very straightforward.  Applied to master.


Re: [ovs-dev] [ovs-dev, v7, 9 of 9] ipf: Add fragmentation status reporting.

2018-07-09 Thread 0-day Robot
Bleep bloop.  Greetings Darrell Ball, I am a robot and I have tried out your 
patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


git-am:
fatal: patch fragment without header at line 693: @@ -2368,7 +2394,6 @@ 
AT_CLEANUP
Repository lacks necessary blobs to fall back on 3-way merge.
Cannot fall back to three-way merge.
Patch failed at 0001 ipf: Add fragmentation status reporting.
The copy of the patch that failed is found in:
   
/var/lib/jenkins/jobs/upstream_build_from_pw/workspace/.git/rebase-apply/patch
When you have resolved this problem, run "git am --resolved".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".


Please check this out.  If you feel there has been an error, please email 
acon...@bytheb.org

Thanks,
0-day Robot


Re: [ovs-dev] [PATCH 02/30] ovn-nbctl: Report the actual error from the command handler.

2018-07-09 Thread Ben Pfaff
On Sat, Jul 07, 2018 at 01:09:36PM +0200, Jakub Sitnicki wrote:
> Fix a typo that went undetected by tests because we don't have any test
> cases for error paths when using database commands with ovn-nbctl.
> 
> Fixes: 675b152e999f ("db-ctl-base: Extend ctl_context with an error message.")
> Signed-off-by: Jakub Sitnicki 

Probably, we should add a test?


Re: [ovs-dev] [PATCH v2 1/4] dpif-netlink: Detect Out-Of-Resource condition on a netdev

2018-07-09 Thread Ben Pfaff
On Sun, Jul 08, 2018 at 07:15:37PM +0530, Sriharsha Basavapatna via dev wrote:
> This is the first patch in the patch-set to support dynamic rebalancing
> of offloaded flows.
> 
> The patch detects OOR condition on a netdev port when ENOSPC error is
> returned by TC-Flower while adding a flow rule. A new structure is added
> to the netdev called "netdev_hw_info", to store OOR related information
> required to perform dynamic offload-rebalancing.
> 
> Signed-off-by: Sriharsha Basavapatna 
> Co-authored-by: Venkat Duvvuru 
> Signed-off-by: Venkat Duvvuru 
> Reviewed-by: Sathya Perla 

Thanks for the patch.

This fails to build on my system, with:

In file included from ../lib/lldp/lldpd.h:32,
 from ../lib/ovs-lldp.h:26,
 from ../ofproto/ofproto-dpif-xlate.h:28,
 from ../ofproto/ofproto-dpif-upcall.c:36:
../ofproto/ofproto-dpif-upcall.c: In function 'udpif_update_flow_pps':
../ofproto/ofproto-dpif-upcall.c:2630:18: error: format '%lu' expects 
argument of type 'long unsigned int', but argument 5 has type 'long long 
unsigned int' [-Werror=format=]
../include/openvswitch/vlog.h:277:41: note: in definition of macro 'VLOG'
../ofproto/ofproto-dpif-upcall.c:2630:9: note: in expansion of macro 
'VLOG_DBG'
../ofproto/ofproto-dpif-upcall.c:2630:18: error: format '%lu' expects 
argument of type 'long unsigned int', but argument 6 has type 'uint64_t' {aka 
'long long unsigned int'} [-Werror=format=]
../include/openvswitch/vlog.h:277:41: note: in definition of macro 'VLOG'
../ofproto/ofproto-dpif-upcall.c:2630:9: note: in expansion of macro 
'VLOG_DBG'

I guess that you should use "%llu" for unsigned long long, and "%"PRIu64
for uint64_t.  Alternatively, a lot of the debug logging here doesn't
seem particularly useful, should it be there?  (Often __func__ is a sign
that a log message is more of a debug aid for the programmer and not
something that should appear in the field.)


Re: [ovs-dev] [ovs-dev, v7, 7 of 9] ipf: Add set minimum fragment size command.

2018-07-09 Thread Darrell Ball
On Mon, Jul 9, 2018 at 10:06 AM, 0-day Robot  wrote:

> Bleep bloop.  Greetings Darrell Ball, I am a robot and I have tried out
> your patch.
> Thanks for your contribution.
>
> I encountered some error that I wasn't expecting.  See the details below.
>
>
> git-am:
> fatal: patch fragment without header at line 336: @@ -2368,7 +2376,6 @@
> AT_CLEANUP
> Repository lacks necessary blobs to fall back on 3-way merge.
> Cannot fall back to three-way merge.
> Patch failed at 0001 ipf: Add set minimum fragment size command.
> The copy of the patch that failed is found in:
>/var/lib/jenkins/jobs/upstream_build_from_pw/
> workspace/.git/rebase-apply/patch
> When you have resolved this problem, run "git am --resolved".
> If you prefer to skip this patch, run "git am --skip" instead.
> To restore the original branch and stop patching, run "git am --abort".
>


This is a valid error.

The only explanation I can think of is that repeated rebasing on the same
commits caused some type of GIT issue.

I resent V7, just moving the test file changes in Patch 7 with the other
such changes in Patch 9






>
>
> Please check this out.  If you feel there has been an error, please email
> acon...@bytheb.org
>
> Thanks,
> 0-day Robot
>


[ovs-dev] [patch v7 9/9] ipf: Add fragmentation status reporting.

2018-07-09 Thread Darrell Ball
A new command "ovs-appctl dpctl/ipf-get-status" is added
for userspace datapath conntrack fragmentation support.
The command shows the configuration status, fragment counters and
ipf lists state.

Signed-off-by: Darrell Ball 
---
 NEWS |   2 +
 lib/ct-dpif.c|  45 +++
 lib/ct-dpif.h|   9 +++
 lib/dpctl.c  | 107 ++
 lib/dpctl.man|   6 ++
 lib/dpif-netdev.c|  58 +++
 lib/dpif-netlink.c   |   4 ++
 lib/dpif-provider.h  |  16 +
 lib/ipf.c| 107 ++
 lib/ipf.h|  10 
 tests/system-kmod-macros.at  |  32 ++
 tests/system-traffic.at  |  52 +
 tests/system-userspace-macros.at | 122 +++
 13 files changed, 560 insertions(+), 10 deletions(-)

diff --git a/NEWS b/NEWS
index 2b22a84..af8f9a8 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,8 @@ Post-v2.9.0
datapath conntrack fragmentation support.
  * New "ovs-appctl dpctl/ipf-set-max-nfrags" command for userspace datapath
conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-get-status" command for userspace datapath
+   conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index ee23a4d..a59bc1e 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -188,6 +188,51 @@ ct_dpif_ipf_set_max_nfrags(struct dpif *dpif, uint32_t 
max_frags)
 : EOPNOTSUPP);
 }
 
+int ct_dpif_ipf_get_status(struct dpif *dpif, bool *ipf_v4_enabled,
+unsigned int *min_v4_frag_size, unsigned int *nfrag_max,
+unsigned int *nfrag, unsigned int *n4frag_accepted,
+unsigned int *n4frag_completed_sent,
+unsigned int *n4frag_expired_sent, unsigned int *n4frag_too_small,
+unsigned int *n4frag_overlap, bool *ipf_v6_enabled,
+unsigned int *min_v6_frag_size, unsigned int *n6frag_accepted,
+unsigned int *n6frag_completed_sent,
+unsigned int *n6frag_expired_sent, unsigned int *n6frag_too_small,
+unsigned int *n6frag_overlap)
+{
+return (dpif->dpif_class->ipf_get_status
+? dpif->dpif_class->ipf_get_status(dpif, ipf_v4_enabled,
+min_v4_frag_size, nfrag_max, nfrag, n4frag_accepted,
+n4frag_completed_sent, n4frag_expired_sent, n4frag_too_small,
+n4frag_overlap, ipf_v6_enabled, min_v6_frag_size, n6frag_accepted,
+n6frag_completed_sent, n6frag_expired_sent, n6frag_too_small,
+n6frag_overlap)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_ipf_dump_start(struct dpif *dpif, struct ipf_dump_ctx **dump_ctx)
+{
+return (dpif->dpif_class->ipf_dump_start
+   ? dpif->dpif_class->ipf_dump_start(dpif, dump_ctx)
+   : EOPNOTSUPP);
+}
+
+int
+ct_dpif_ipf_dump_next(struct dpif *dpif, void *dump_ctx,  char **dump)
+{
+return (dpif->dpif_class->ipf_dump_next
+? dpif->dpif_class->ipf_dump_next(dpif, dump_ctx, dump)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_ipf_dump_done(struct dpif *dpif, void *dump_ctx)
+{
+return (dpif->dpif_class->ipf_dump_done
+? dpif->dpif_class->ipf_dump_done(dpif, dump_ctx)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
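Review bot: ct_dpif_ipf_get_status() takes sixteen positional out-parameters, fourteen of them `unsigned int *`, so two counters swapped at any layer of the call chain compile cleanly and simply report wrong numbers. A single status struct filled in by the provider would remove that risk and shrink every signature in the chain. Smaller points in the same hunk: the return type sits on the same line as the function name here but on its own line for the three dump functions below, `void *dump_ctx,  char **dump` has a double space, and ct_dpif_ipf_dump_next()/ct_dpif_ipf_dump_done() take `void *dump_ctx` while ct_dpif_ipf_dump_start() takes `struct ipf_dump_ctx **`, which loses type checking for no visible reason.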
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index f886ab9..2ff7e26 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -204,6 +204,15 @@ int ct_dpif_get_nconns(struct dpif *dpif, uint32_t 
*nconns);
 int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
 int ct_dpif_ipf_set_min_frag(struct dpif *, bool, uint32_t);
 int ct_dpif_ipf_set_max_nfrags(struct dpif *, uint32_t);
+int ct_dpif_ipf_get_status(struct dpif *dpif, bool *, unsigned int *,
+   unsigned int *, unsigned int *, unsigned int *,
+   unsigned int *, unsigned int *, unsigned int *,
+   unsigned int *, bool *, unsigned int *,
+   unsigned int *, unsigned int *, unsigned int *,
+   unsigned int *, unsigned int *);
+int ct_dpif_ipf_dump_start(struct dpif *dpif, struct ipf_dump_ctx **);
+int ct_dpif_ipf_dump_next(struct dpif *dpif, void *, char **);
+int ct_dpif_ipf_dump_done(struct dpif *dpif, void *);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpctl.c b/lib/dpctl.c
index ab0f60b..2b2a74a 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -1792,6 +1792,111 @@ dpctl_ipf_set_max_nfrags(int argc, const char *argv[],
 return error;
 }
 
+static void
+dpctl_dump_ipf(struct dpif *dpif, struct 

[ovs-dev] [patch v7 8/9] ipf: Add set maximum fragments supported command.

2018-07-09 Thread Darrell Ball
A new command "ovs-appctl dpctl/ipf-set-max-nfrags" is added
for userspace datapath conntrack fragmentation support.

Signed-off-by: Darrell Ball 
---
 NEWS|  2 ++
 lib/ct-dpif.c   |  8 
 lib/ct-dpif.h   |  1 +
 lib/dpctl.c | 30 ++
 lib/dpctl.man   |  8 
 lib/dpif-netdev.c   |  8 
 lib/dpif-netlink.c  |  1 +
 lib/dpif-provider.h |  2 ++
 lib/ipf.c   | 10 ++
 lib/ipf.h   |  2 ++
 10 files changed, 72 insertions(+)

diff --git a/NEWS b/NEWS
index 9ab9970..2b22a84 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ Post-v2.9.0
conntrack fragmentation support.
  * New "ovs-appctl dpctl/ipf-set-min-frag" command for userspace
datapath conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-set-max-nfrags" command for userspace datapath
+   conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index d5596af..ee23a4d 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -180,6 +180,14 @@ ct_dpif_ipf_set_min_frag(struct dpif *dpif, bool v6, 
uint32_t min_frag)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_ipf_set_max_nfrags(struct dpif *dpif, uint32_t max_frags)
+{
+return (dpif->dpif_class->ipf_set_max_nfrags
+? dpif->dpif_class->ipf_set_max_nfrags(dpif, max_frags)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 6eb55b4..f886ab9 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -203,6 +203,7 @@ int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t 
*maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
 int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
 int ct_dpif_ipf_set_min_frag(struct dpif *, bool, uint32_t);
+int ct_dpif_ipf_set_max_nfrags(struct dpif *, uint32_t);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpctl.c b/lib/dpctl.c
index e74d713..ab0f60b 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -1764,6 +1764,34 @@ dpctl_ipf_set_min_frag(int argc, const char *argv[],
 return error;
 }
 
+static int
+dpctl_ipf_set_max_nfrags(int argc, const char *argv[],
+ struct dpctl_params *dpctl_p)
+{
+struct dpif *dpif;
+int error = opt_dpif_open(argc, argv, dpctl_p, 3, );
+if (!error) {
+uint32_t nfrags_max;
+if (ovs_scan(argv[argc - 1], "%"SCNu32, _max)) {
+error = ct_dpif_ipf_set_max_nfrags(dpif, nfrags_max);
+if (!error) {
+dpctl_print(dpctl_p,
+"setting maximum fragments successful");
+} else {
+dpctl_error(dpctl_p, error,
+"setting maximum fragments failed");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing for maximum fragments");
+}
+dpif_close(dpif);
+}
+
+return error;
+}
+
 /* Undocumented commands for unit testing. */
 
 static int
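Review bot: The `else` branch of the ovs_scan() check in dpctl_ipf_set_max_nfrags() reports "parameter missing for maximum fragments", but `argv[argc - 1]` always exists at that point; the branch is reached when the value does not parse as a `uint32_t`. Suggest wording such as "invalid value for maximum fragments" and echoing the offending string. The success message would also be more useful if it printed the value that took effect, since the dpctl.man text in this patch says the setting is clamped at 5000.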
@@ -2069,6 +2097,8 @@ static const struct dpctl_command all_commands[] = {
dpctl_ipf_set_disabled, DP_RW },
 { "ipf-set-min-frag", "[dp] v4 | v6 minfragment", 2, 3,
dpctl_ipf_set_min_frag, DP_RW },
+{ "ipf-set-max-nfrags", "[dp] maxfrags", 1, 2,
+   dpctl_ipf_set_max_nfrags, DP_RW },
 { "help", "", 0, INT_MAX, dpctl_help, DP_RO },
 { "list-commands", "", 0, INT_MAX, dpctl_list_commands, DP_RO },
 
diff --git a/lib/dpctl.man b/lib/dpctl.man
index 900900d..c6c4a87 100644
--- a/lib/dpctl.man
+++ b/lib/dpctl.man
@@ -296,3 +296,11 @@ must be specified.  The default v4 value is 1200 and the 
clamped minimum is
 400.  The default v6 value is 1280, with a clamped minimum of 400, for
 testing flexibility.  The maximum frag size is not clamped, however setting
 this value too high might result in valid fragments being dropped.
+.
+.TP
+\*(DX\fBipf\-set\-max\-nfrags\fR [\fIdp\fR] \fImaxfrags\fR
+Sets the maximum number of fragments tracked by the userspace datapath
+connection tracker.  The default value is 1000 and the clamped maximum
+is 5000.  Note that packet buffers can be held by the fragmentation
+module while fragments are incomplete, but will timeout after 15 seconds.
+Memory pool sizing should be set accordingly when fragmentation is enabled.
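Review bot: The new ipf-set-max-nfrags text gives the default (1000) and the clamped maximum (5000) but does not say what the command does with a larger value or with 0: is the request rejected, or clamped while the command still reports success? Because this limit bounds how many packet buffers can be held for up to 15 seconds, the operator needs to know which value is actually in effect. Also, "will timeout" should read "will time out".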
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 653c313..76bc1d9 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -6546,6 +6546,13 @@ dpif_netdev_ipf_set_min_frag(struct dpif *dpif 
OVS_UNUSED, bool v6,
 return ipf_set_min_frag(v6, min_frag);
 }
 
+static int

[ovs-dev] [patch v7 7/9] ipf: Add set minimum fragment size command.

2018-07-09 Thread Darrell Ball
A new command "ovs-appctl dpctl/ipf-set-min-frag" is added
for userspace datapath conntrack fragmentation support.

Signed-off-by: Darrell Ball 
---
 NEWS|  2 ++
 lib/ct-dpif.c   |  8 
 lib/ct-dpif.h   |  2 ++
 lib/dpctl.c | 40 
 lib/dpctl.man   |  9 +
 lib/dpif-netdev.c   |  8 
 lib/dpif-netlink.c  |  1 +
 lib/dpif-provider.h |  3 +++
 lib/ipf.c   | 23 +++
 lib/ipf.h   |  2 ++
 10 files changed, 98 insertions(+)

diff --git a/NEWS b/NEWS
index 96fa05b..9ab9970 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,8 @@ Post-v2.9.0
conntrack fragmentation support.
  * New "ovs-appctl dpctl/ipf-set-disabled" command for userspace datapath
conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-set-min-frag" command for userspace
+   datapath conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index b1f29dc..d5596af 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -172,6 +172,14 @@ ct_dpif_ipf_set_enabled(struct dpif *dpif, bool v6, bool 
enable)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_ipf_set_min_frag(struct dpif *dpif, bool v6, uint32_t min_frag)
+{
+return (dpif->dpif_class->ipf_set_min_frag
+? dpif->dpif_class->ipf_set_min_frag(dpif, v6, min_frag)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index bd6234d..6eb55b4 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -17,6 +17,7 @@
 #ifndef CT_DPIF_H
 #define CT_DPIF_H
 
+#include "ipf.h"
 #include "openvswitch/types.h"
 #include "packets.h"
 
@@ -201,6 +202,7 @@ int ct_dpif_set_maxconns(struct dpif *dpif, uint32_t 
maxconns);
 int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t *maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
 int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
+int ct_dpif_ipf_set_min_frag(struct dpif *, bool, uint32_t);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpctl.c b/lib/dpctl.c
index ad7ca8d..e74d713 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -1726,6 +1726,44 @@ dpctl_ipf_set_disabled(int argc, const char *argv[],
 return ipf_set_enabled__(argc, argv, dpctl_p, false);
 }
 
+static int
+dpctl_ipf_set_min_frag(int argc, const char *argv[],
+   struct dpctl_params *dpctl_p)
+{
+struct dpif *dpif;
+int error = opt_dpif_open(argc, argv, dpctl_p, 4, );
+if (!error) {
+char v4_or_v6[3] = {0};
+if (ovs_scan(argv[argc - 2], "%2s", v4_or_v6) &&
+(!strncmp(v4_or_v6, "v4", 2) || !strncmp(v4_or_v6, "v6", 2))) {
+uint32_t min_fragment;
+if (ovs_scan(argv[argc - 1], "%"SCNu32, _fragment)) {
+error = ct_dpif_ipf_set_min_frag(
+dpif, !strncmp(v4_or_v6, "v6", 2), min_fragment);
+if (!error) {
+dpctl_print(dpctl_p,
+"setting minimum fragment size successful");
+} else {
+dpctl_error(dpctl_p, error,
+"requested minimum fragment size too small;"
+" see documentation");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing for minimum fragment size");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing: v4 for ipv4 or v6 for ipv6");
+}
+dpif_close(dpif);
+}
+
+return error;
+}
+
 /* Undocumented commands for unit testing. */
 
 static int
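Review bot: In dpctl_ipf_set_min_frag() any non-zero return from ct_dpif_ipf_set_min_frag() is reported as "requested minimum fragment size too small; see documentation", yet the wrapper added to lib/ct-dpif.c in this same patch returns EOPNOTSUPP when the datapath has no ipf_set_min_frag callback. Suggest a neutral message such as "setting minimum fragment size failed" and leaving the cause to the error code. Separately, `ovs_scan(argv[argc - 2], "%2s", v4_or_v6)` followed by `strncmp(..., 2)` only inspects the first two characters, so an argument like "v6x" appears to be accepted as v6; a plain `strcmp(argv[argc - 2], "v6")` would be stricter and needs no buffer. Both "parameter missing" messages also fire on unparseable input, not only on absent input.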
@@ -2029,6 +2067,8 @@ static const struct dpctl_command all_commands[] = {
dpctl_ipf_set_enabled, DP_RW },
 { "ipf-set-disabled", "[dp] v4 | v6", 1, 2,
dpctl_ipf_set_disabled, DP_RW },
+{ "ipf-set-min-frag", "[dp] v4 | v6 minfragment", 2, 3,
+   dpctl_ipf_set_min_frag, DP_RW },
 { "help", "", 0, INT_MAX, dpctl_help, DP_RO },
 { "list-commands", "", 0, INT_MAX, dpctl_list_commands, DP_RO },
 
diff --git a/lib/dpctl.man b/lib/dpctl.man
index 43d161a..900900d 100644
--- a/lib/dpctl.man
+++ b/lib/dpctl.man
@@ -287,3 +287,12 @@ after conntrack.  Both v4 and v6 are enabled by default.
 Disables fragmentation handling for the userspace datapath connection
 tracker.  Either \fBv4\fR or \fBv6\fR must be specified.  Both v4 and v6 are
 enabled by default.
+.
+.TP
+\*(DX\fBipf\-set\-min\-frag\fR [\fIdp\fR] \fBv4\fR | \fBv6\fR \fIminfrag\fR
+Sets 

[ovs-dev] [patch v7 5/9] Userspace datapath: Add fragmentation handling.

2018-07-09 Thread Darrell Ball
Fragmentation handling is added for supporting conntrack.
Both v4 and v6 are supported.

After discussion with several people, I decided to not store
configuration state in the database to be more consistent with
the kernel in future, similarity with other conntrack configuration
which will not be in the database as well and overall simplicity.
Accordingly, fragmentation handling is enabled by default.

This patch enables fragmentation tests for the userspace datapath.

Signed-off-by: Darrell Ball 
---
 NEWS |2 +
 include/sparse/netinet/ip6.h |1 +
 lib/automake.mk  |2 +
 lib/conntrack.c  |   13 +-
 lib/ipf.c| 1266 ++
 lib/ipf.h|   60 ++
 tests/system-kmod-macros.at  |   10 +-
 tests/system-traffic.at  |   30 +-
 tests/system-userspace-macros.at |   26 +-
 9 files changed, 1365 insertions(+), 45 deletions(-)
 create mode 100644 lib/ipf.c
 create mode 100644 lib/ipf.h

diff --git a/NEWS b/NEWS
index 92e9b92..e0418a5 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ Post-v2.9.0
  * ovs-ofctl now accepts and display table names in place of numbers.  By
default it always accepts names and in interactive use it displays them;
use --names or --no-names to override.  See ovs-ofctl(8) for details.
+   - Userspace datapath:
+ * Add v4/v6 fragmentation support for conntrack.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/include/sparse/netinet/ip6.h b/include/sparse/netinet/ip6.h
index d2a54de..bfa637a 100644
--- a/include/sparse/netinet/ip6.h
+++ b/include/sparse/netinet/ip6.h
@@ -64,5 +64,6 @@ struct ip6_frag {
 };
 
 #define IP6F_OFF_MASK ((OVS_FORCE ovs_be16) 0xfff8)
+#define IP6F_MORE_FRAG ((OVS_FORCE ovs_be16) 0x0001)
 
 #endif /* netinet/ip6.h sparse */
diff --git a/lib/automake.mk b/lib/automake.mk
index fb43aa1..142587f 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -107,6 +107,8 @@ lib_libopenvswitch_la_SOURCES = \
lib/hmapx.h \
lib/id-pool.c \
lib/id-pool.h \
+   lib/ipf.c \
+   lib/ipf.h \
lib/jhash.c \
lib/jhash.h \
lib/json.c \
diff --git a/lib/conntrack.c b/lib/conntrack.c
index 30941ff..e1c1f2e 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -30,6 +30,7 @@
 #include "ct-dpif.h"
 #include "dp-packet.h"
 #include "flow.h"
+#include "ipf.h"
 #include "netdev.h"
 #include "odp-netlink.h"
 #include "openvswitch/hmap.h"
@@ -339,6 +340,7 @@ conntrack_init(struct conntrack *ct)
 atomic_init(>n_conn_limit, DEFAULT_N_CONN_LIMIT);
 latch_init(>clean_thread_exit);
 ct->clean_thread = ovs_thread_create("ct_clean", clean_thread_main, ct);
+ipf_init();
 }
 
 /* Destroys the connection tracker 'ct' and frees all the allocated memory. */
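Review bot: `ipf_init()` is called from conntrack_init(struct conntrack *ct) without being passed `ct`, and conntrack_destroy() calls `ipf_destroy()` the same way, so the fragmentation state is process-global while the conntrack state is per instance. If more than one conntrack instance can exist, a second conntrack_init() re-initializes live state and the first conntrack_destroy() tears it down for the others. Either make ipf_init()/ipf_destroy() idempotent and reference-counted, or hang the ipf state off `struct conntrack`; at minimum a comment here should state the single-instance assumption.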
@@ -381,6 +383,7 @@ conntrack_destroy(struct conntrack *ct)
 hindex_destroy(>alg_expectation_refs);
 ct_rwlock_unlock(>resources_lock);
 ct_rwlock_destroy(>resources_lock);
+ipf_destroy();
 }
 
 static unsigned hash_to_bucket(uint32_t hash)
@@ -1292,7 +1295,8 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
 
 /* Sends the packets in '*pkt_batch' through the connection tracker 'ct'.  All
  * the packets must have the same 'dl_type' (IPv4 or IPv6) and should have
- * the l3 and and l4 offset properly set.
+ * the l3 and and l4 offset properly set.  Performs fragment reassembly with
+ * the help of ipf_preprocess_conntrack().
  *
  * If 'commit' is true, the packets are allowed to create new entries in the
  * connection tables.  'setmark', if not NULL, should point to a two
@@ -1307,11 +1311,14 @@ conntrack_execute(struct conntrack *ct, struct 
dp_packet_batch *pkt_batch,
   const struct nat_action_info_t *nat_action_info,
   long long now)
 {
+ipf_preprocess_conntrack(pkt_batch, now, dl_type, zone, ct->hash_basis);
+
 struct dp_packet *packet;
 struct conn_lookup_ctx ctx;
 
 DP_PACKET_BATCH_FOR_EACH (i, packet, pkt_batch) {
-if (!conn_key_extract(ct, packet, dl_type, , zone)) {
+if (packet->md.ct_state == CS_INVALID
+|| !conn_key_extract(ct, packet, dl_type, , zone)) {
 packet->md.ct_state = CS_INVALID;
 write_ct_md(packet, zone, NULL, NULL, NULL);
 continue;
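Review bot: The new `packet->md.ct_state == CS_INVALID` test in conntrack_execute() assumes that only ipf_preprocess_conntrack() can have set that value. `md.ct_state` is packet metadata, so a packet that reaches this function already carrying CS_INVALID from an earlier pass would now skip conn_key_extract() and stay invalid. Is ct_state guaranteed to be cleared before this point? If not, ipf should flag bad fragments through a marker of its own. The comment above the function should also say that ipf may mark packets invalid before conntrack sees them. Minor: the ipf_preprocess_conntrack() call sits above the local declarations; moving it below them keeps declarations first.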
@@ -1320,6 +1327,8 @@ conntrack_execute(struct conntrack *ct, struct 
dp_packet_batch *pkt_batch,
 setlabel, nat_action_info, tp_src, tp_dst, helper);
 }
 
+ipf_postprocess_conntrack(pkt_batch, now, dl_type);
+
 return 0;
 }
 
diff --git a/lib/ipf.c b/lib/ipf.c
new file mode 100644
index 000..2c26e1f
--- /dev/null
+++ b/lib/ipf.c
@@ -0,0 +1,1266 @@
+/*
+ * Copyright (c) 2018 Nicira, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not 

[ovs-dev] [patch v7 6/9] ipf: Add command to disable fragmentation handling.

2018-07-09 Thread Darrell Ball
Commands are added to disable and also enable fragmentation handling
for conntrack.

Signed-off-by: Darrell Ball 
---
 NEWS|  4 
 lib/ct-dpif.c   |  8 
 lib/ct-dpif.h   |  1 +
 lib/dpctl.c | 50 ++
 lib/dpctl.man   | 15 +++
 lib/dpif-netdev.c   |  9 +
 lib/dpif-netlink.c  |  1 +
 lib/dpif-provider.h |  4 +++-
 lib/ipf.c   |  7 +++
 lib/ipf.h   |  2 ++
 10 files changed, 100 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index e0418a5..96fa05b 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,10 @@ Post-v2.9.0
use --names or --no-names to override.  See ovs-ofctl(8) for details.
- Userspace datapath:
  * Add v4/v6 fragmentation support for conntrack.
+ * New "ovs-appctl dpctl/ipf-set-enabled" command for userspace datapath
+   conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-set-disabled" command for userspace datapath
+   conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index 5fa3a97..b1f29dc 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -164,6 +164,14 @@ ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_ipf_set_enabled(struct dpif *dpif, bool v6, bool enable)
+{
+return (dpif->dpif_class->ipf_set_enabled
+? dpif->dpif_class->ipf_set_enabled(dpif, v6, enable)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 09e7698..bd6234d 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -200,6 +200,7 @@ int ct_dpif_flush(struct dpif *, const uint16_t *zone,
 int ct_dpif_set_maxconns(struct dpif *dpif, uint32_t maxconns);
 int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t *maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
+int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpctl.c b/lib/dpctl.c
index 4f1e443..ad7ca8d 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -35,6 +35,7 @@
 #include "dpif.h"
 #include "openvswitch/dynamic-string.h"
 #include "flow.h"
+#include "ipf.h"
 #include "openvswitch/match.h"
 #include "netdev.h"
 #include "netdev-dpdk.h"
@@ -1680,6 +1681,51 @@ dpctl_ct_get_nconns(int argc, const char *argv[],
 return error;
 }
 
+static int
+ipf_set_enabled__(int argc, const char *argv[], struct dpctl_params *dpctl_p,
+  bool enabled)
+{
+struct dpif *dpif;
+int error = opt_dpif_open(argc, argv, dpctl_p, 4, );
+if (!error) {
+char v4_or_v6[3] = {0};
+if (ovs_scan(argv[argc - 2], "%2s", v4_or_v6) &&
+(!strncmp(v4_or_v6, "v4", 2) || !strncmp(v4_or_v6, "v6", 2))) {
+error = ct_dpif_ipf_set_enabled(
+dpif, !strncmp(v4_or_v6, "v6", 2), enabled);
+if (!error) {
+dpctl_print(dpctl_p,
+"%s fragmentation reassembly successful",
+enabled ? "enabling" : "disabling");
+} else {
+dpctl_error(dpctl_p, error,
+"%s fragmentation reassembly failed",
+enabled ? "enabling" : "disabling");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing: 'v4' for ipv4 or 'v6' for ipv6");
+}
+dpif_close(dpif);
+}
+return error;
+}
+
+static int
+dpctl_ipf_set_enabled(int argc, const char *argv[],
+  struct dpctl_params *dpctl_p)
+{
+return ipf_set_enabled__(argc, argv, dpctl_p, true);
+}
+
+static int
+dpctl_ipf_set_disabled(int argc, const char *argv[],
+   struct dpctl_params *dpctl_p)
+{
+return ipf_set_enabled__(argc, argv, dpctl_p, false);
+}
+
 /* Undocumented commands for unit testing. */
 
 static int
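Review bot: In ipf_set_enabled__() the argument check only looks at the first two characters: "%2s" followed by strncmp(..., 2) accepts any argument that begins with "v4" or "v6", and the else branch reports "parameter missing" even when an argument was given but is not valid. Compare the whole argument with strcmp() and word the error as a missing or invalid parameter. It is also worth confirming the index: the usage string registered for these commands is "[dp] v4 | v6", which puts the address family last, while the code scans argv[argc - 2].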
@@ -1979,6 +2025,10 @@ static const struct dpctl_command all_commands[] = {
 { "ct-set-maxconns", "[dp] maxconns", 1, 2, dpctl_ct_set_maxconns, DP_RW },
 { "ct-get-maxconns", "[dp]", 0, 1, dpctl_ct_get_maxconns, DP_RO },
 { "ct-get-nconns", "[dp]", 0, 1, dpctl_ct_get_nconns, DP_RO },
+{ "ipf-set-enabled", "[dp] v4 | v6", 1, 2,
+   dpctl_ipf_set_enabled, DP_RW },
+{ "ipf-set-disabled", "[dp] v4 | v6", 1, 2,
+   dpctl_ipf_set_disabled, DP_RW },
 { "help", "", 0, INT_MAX, dpctl_help, DP_RO },
 { "list-commands", "", 0, INT_MAX, dpctl_list_commands, DP_RO },
 
diff --git a/lib/dpctl.man b/lib/dpctl.man
index 5d987e6..43d161a 100644
--- 

[ovs-dev] [patch v7 4/9] conntrack: Reword conntrack_execute() description.

2018-07-09 Thread Darrell Ball
Use 'must' instead of 'should'.

Signed-off-by: Darrell Ball 
---
 lib/conntrack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index efe8a18..30941ff 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1291,7 +1291,7 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
 }
 
 /* Sends the packets in '*pkt_batch' through the connection tracker 'ct'.  All
- * the packets should have the same 'dl_type' (IPv4 or IPv6) and should have
+ * the packets must have the same 'dl_type' (IPv4 or IPv6) and should have
  * the l3 and and l4 offset properly set.
  *
  * If 'commit' is true, the packets are allowed to create new entries in the
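Review bot: Only the first "should" on the changed line becomes "must"; the same sentence still ends "and should have the l3 and and l4 offset properly set", so the comment now mixes the two words for what reads as a single precondition. If the offsets are also mandatory, change the second "should" too, and drop the duplicated "and" in "l3 and and l4" on the following line while touching this comment.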
-- 
1.9.1

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


[ovs-dev] [patch v7 3/9] tests: Add missed local stack checks.

2018-07-09 Thread Darrell Ball
Signed-off-by: Darrell Ball 
Acked-by: Justin Pettit 
---
 tests/system-traffic.at | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 519b234..75648d4 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -2530,6 +2530,7 @@ AT_SETUP([conntrack - Fragmentation over vxlan])
 OVS_CHECK_VXLAN()
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_FRAG()
+CHECK_CONNTRACK_LOCAL_STACK()
 
 OVS_TRAFFIC_VSWITCHD_START()
 ADD_BR([br-underlay])
@@ -2582,6 +2583,7 @@ AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
 OVS_CHECK_VXLAN()
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_FRAG()
+CHECK_CONNTRACK_LOCAL_STACK()
 
 OVS_TRAFFIC_VSWITCHD_START()
 ADD_BR([br-underlay])
-- 
1.9.1



[ovs-dev] [patch v7 2/9] flow: Enhance parse_ipv6_ext_hdrs.

2018-07-09 Thread Darrell Ball
Enhance the api parse_ipv6_ext_hdrs to return the
fragmentation header to be used in later patches.

Signed-off-by: Darrell Ball 
Acked-by: Justin Pettit 
---
 lib/conntrack.c |  4 ++--
 lib/flow.c  | 31 +--
 lib/flow.h  |  3 ++-
 3 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 97fd46a..efe8a18 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1307,7 +1307,6 @@ conntrack_execute(struct conntrack *ct, struct 
dp_packet_batch *pkt_batch,
   const struct nat_action_info_t *nat_action_info,
   long long now)
 {
-
 struct dp_packet *packet;
 struct conn_lookup_ctx ctx;
 
@@ -1555,7 +1554,8 @@ extract_l3_ipv6(struct conn_key *key, const void *data, 
size_t size,
 uint8_t nw_proto = ip6->ip6_nxt;
 uint8_t nw_frag = 0;
 
-if (!parse_ipv6_ext_hdrs(, , _proto, _frag)) {
+const struct ovs_16aligned_ip6_frag *frag_hdr;
+if (!parse_ipv6_ext_hdrs(, , _proto, _frag, _hdr)) {
 return false;
 }
 
diff --git a/lib/flow.c b/lib/flow.c
index a785e63..8c4baf0 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -453,9 +453,14 @@ invalid:
 return true;
 }
 
+/* datap points to the first extension header and advances as parsing
+ * occurs; sizep is the remaining size and is decreased accordingly.
+ * nw_proto starts as the first extension header to process and is
+ * updated as the extension headers are parsed. */
 static inline bool
 parse_ipv6_ext_hdrs__(const void **datap, size_t *sizep, uint8_t *nw_proto,
-  uint8_t *nw_frag)
+  uint8_t *nw_frag,
+  const struct ovs_16aligned_ip6_frag **frag_hdr)
 {
 while (1) {
 if (OVS_LIKELY((*nw_proto != IPPROTO_HOPOPTS)
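Review bot: The new comment above parse_ipv6_ext_hdrs__() documents datap, sizep and nw_proto but not nw_frag or the added frag_hdr output. Say when *frag_hdr is written and what the caller can expect in it when the packet carries no fragment header.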
@@ -502,17 +507,17 @@ parse_ipv6_ext_hdrs__(const void **datap, size_t *sizep, 
uint8_t *nw_proto,
 return false;
 }
 } else if (*nw_proto == IPPROTO_FRAGMENT) {
-const struct ovs_16aligned_ip6_frag *frag_hdr = *datap;
+*frag_hdr = *datap;
 
-*nw_proto = frag_hdr->ip6f_nxt;
-if (!data_try_pull(datap, sizep, sizeof *frag_hdr)) {
+*nw_proto = (*frag_hdr)->ip6f_nxt;
+if (!data_try_pull(datap, sizep, sizeof **frag_hdr)) {
 return false;
 }
 
 /* We only process the first fragment. */
-if (frag_hdr->ip6f_offlg != htons(0)) {
+if ((*frag_hdr)->ip6f_offlg != htons(0)) {
 *nw_frag = FLOW_NW_FRAG_ANY;
-if ((frag_hdr->ip6f_offlg & IP6F_OFF_MASK) != htons(0)) {
+if (((*frag_hdr)->ip6f_offlg & IP6F_OFF_MASK) != htons(0)) {
 *nw_frag |= FLOW_NW_FRAG_LATER;
 *nw_proto = IPPROTO_FRAGMENT;
 return true;
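Review bot: In the lines shown, *frag_hdr is assigned only inside the IPPROTO_FRAGMENT branch, and the callers in this patch declare frag_hdr without an initializer, so for a packet with no fragment header the caller is left holding an indeterminate pointer. Setting *frag_hdr = NULL at the top of parse_ipv6_ext_hdrs__() gives later users something they can test. The assignment also happens before data_try_pull() succeeds, so the pointer stays set on the "return false" path.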
@@ -524,9 +529,11 @@ parse_ipv6_ext_hdrs__(const void **datap, size_t *sizep, 
uint8_t *nw_proto,
 
 bool
 parse_ipv6_ext_hdrs(const void **datap, size_t *sizep, uint8_t *nw_proto,
-uint8_t *nw_frag)
+uint8_t *nw_frag,
+const struct ovs_16aligned_ip6_frag **frag_hdr)
 {
-return parse_ipv6_ext_hdrs__(datap, sizep, nw_proto, nw_frag);
+return parse_ipv6_ext_hdrs__(datap, sizep, nw_proto, nw_frag,
+ frag_hdr);
 }
 
 bool
@@ -877,7 +884,9 @@ miniflow_extract(struct dp_packet *packet, struct miniflow 
*dst)
 nw_ttl = nh->ip6_hlim;
 nw_proto = nh->ip6_nxt;
 
-if (!parse_ipv6_ext_hdrs__(, , _proto, _frag)) {
+const struct ovs_16aligned_ip6_frag *frag_hdr;
+if (!parse_ipv6_ext_hdrs__(, , _proto, _frag,
+   _hdr)) {
 goto out;
 }
 } else {
@@ -1067,7 +1076,9 @@ parse_tcp_flags(struct dp_packet *packet)
 plen = ntohs(nh->ip6_plen); /* Never pull padding. */
 dp_packet_set_l2_pad_size(packet, size - plen);
 size = plen;
-if (!parse_ipv6_ext_hdrs__(, , _proto, _frag)) {
+const struct ovs_16aligned_ip6_frag *frag_hdr;
+if (!parse_ipv6_ext_hdrs__(, , _proto, _frag,
+_hdr)) {
 return 0;
 }
 nw_proto = nh->ip6_nxt;
diff --git a/lib/flow.h b/lib/flow.h
index af7b5e9..e3e30f1 100644
--- a/lib/flow.h
+++ b/lib/flow.h
@@ -130,7 +130,8 @@ void flow_compose(struct dp_packet *, const struct flow *,
 void packet_expand(struct dp_packet *, const struct flow *, size_t size);
 
 bool parse_ipv6_ext_hdrs(const void **datap, size_t *sizep, uint8_t *nw_proto,
- uint8_t *nw_frag);
+ uint8_t *nw_frag,
+ const struct ovs_16aligned_ip6_frag **frag_hdr);
 ovs_be16 parse_dl_type(const struct eth_header *data_, size_t size);
 bool parse_nsh(const void **datap, size_t *sizep, struct ovs_key_nsh *key);
 uint16_t parse_tcp_flags(struct dp_packet *packet);
-- 
1.9.1


[ovs-dev] [patch v7 1/9] dp-packet: Add const qualifiers for checksum apis.

2018-07-09 Thread Darrell Ball
Signed-off-by: Darrell Ball 
Acked-by: Justin Pettit 
---
 lib/dp-packet.h | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/dp-packet.h b/lib/dp-packet.h
index ba91e58..ecf16fb 100644
--- a/lib/dp-packet.h
+++ b/lib/dp-packet.h
@@ -637,7 +637,7 @@ dp_packet_mbuf_init(struct dp_packet *p OVS_UNUSED)
 }
 
 static inline bool
-dp_packet_ip_checksum_valid(struct dp_packet *p OVS_UNUSED)
+dp_packet_ip_checksum_valid(const struct dp_packet *p OVS_UNUSED)
 {
 #ifdef DPDK_NETDEV
 return (p->mbuf.ol_flags & PKT_RX_IP_CKSUM_MASK) ==
@@ -648,7 +648,7 @@ dp_packet_ip_checksum_valid(struct dp_packet *p OVS_UNUSED)
 }
 
 static inline bool
-dp_packet_ip_checksum_bad(struct dp_packet *p OVS_UNUSED)
+dp_packet_ip_checksum_bad(const struct dp_packet *p OVS_UNUSED)
 {
 #ifdef DPDK_NETDEV
 return (p->mbuf.ol_flags & PKT_RX_IP_CKSUM_MASK) ==
@@ -659,7 +659,7 @@ dp_packet_ip_checksum_bad(struct dp_packet *p OVS_UNUSED)
 }
 
 static inline bool
-dp_packet_l4_checksum_valid(struct dp_packet *p OVS_UNUSED)
+dp_packet_l4_checksum_valid(const struct dp_packet *p OVS_UNUSED)
 {
 #ifdef DPDK_NETDEV
 return (p->mbuf.ol_flags & PKT_RX_L4_CKSUM_MASK) ==
@@ -670,7 +670,7 @@ dp_packet_l4_checksum_valid(struct dp_packet *p OVS_UNUSED)
 }
 
 static inline bool
-dp_packet_l4_checksum_bad(struct dp_packet *p OVS_UNUSED)
+dp_packet_l4_checksum_bad(const struct dp_packet *p OVS_UNUSED)
 {
 #ifdef DPDK_NETDEV
 return (p->mbuf.ol_flags & PKT_RX_L4_CKSUM_MASK) ==
-- 
1.9.1



[ovs-dev] [patch v7 0/9] Userspace datapath: Add fragmentation support.

2018-07-09 Thread Darrell Ball
Fragmentation support for userspace datapath conntrack is added; both
v4 and v6 are supported. See the patches for additional details.

Fragmentation tests for the userspace datapath are enabled
by the patches and other test enhancements are added.

v6->v7: Address review comments (Thanks Justin).
Rebase.
Fix a couple bugs.
Some enhancements.

v5->v6: Rebase
Folded patch 4 and some test enablement into patch 3 and brought
an earlier patch forward in sequence
Enable fragmentation by default
Cleanup

v4->v5: Added a sub-feature to optionally dump fragmentation lists.
This is useful for DOS forensics and debugging.

The testing coverage was also extended including checking
more counters and frag list occupancies.

Fixed a few bugs:
1/ Handle dpdk mempool source restrictions for a batch of
   packets from multiple sources; this also brings in a purge
   frag list function to handle pathological cases of stuck frags.
2/ ipf_destroy was missing packet frees for frag lists.
3/ A setting of CS_INVALID was missing for expired packets -
   I mentioned this earlier for version 4.

Some enhancements and coding standards changes for Patch 3.

v3->v4: Add V6 support to the patches.
Fix possible race cleanup bug when the user disables
   fragmentation and there are list occupancies, not cleaned up
   yet.
Add missed orig tuple fields for copy from reassembled packet
to fragments.
Fix a fragment list increment check - should have been "> 0"
rather than "!= 0".
Fix max frags calculation in case of theoretical corner case.
Add proper lock annotations.
Made some other improvements while adding V6 support.

v2->v3: Patch 2 was updated:
Remove "XXX" todo items by implementing the ones needed,
including realloc frag_list contexts to save memory.
Fix related bug with max_frag_list_size when min_frag_size is
reconfigured.

Tighten ip_tot_len sanity check for reassembled packets which
was more loose than intended.

Add another sanity check for fragment ip_tot_len; even though
it be redundant, add for completeness.

v1->v2: Few fixes, improvements and cleanups.

Darrell Ball (9):
  dp-packet: Add const qualifiers for checksum apis.
  flow: Enhance parse_ipv6_ext_hdrs.
  tests: Add missed local stack checks.
  conntrack: Reword conntrack_execute() description.
  Userspace datapath: Add fragmentation handling.
  ipf: Add command to disable fragmentation handling.
  ipf: Add set minimum fragment size command.
  ipf: Add set maximum fragments supported command.
  ipf: Add fragmentation status reporting.

 NEWS |   12 +
 include/sparse/netinet/ip6.h |1 +
 lib/automake.mk  |2 +
 lib/conntrack.c  |   17 +-
 lib/ct-dpif.c|   69 ++
 lib/ct-dpif.h|   13 +
 lib/dp-packet.h  |8 +-
 lib/dpctl.c  |  227 ++
 lib/dpctl.man|   38 +
 lib/dpif-netdev.c|   83 +++
 lib/dpif-netlink.c   |7 +
 lib/dpif-provider.h  |   25 +-
 lib/flow.c   |   31 +-
 lib/flow.h   |3 +-
 lib/ipf.c| 1413 ++
 lib/ipf.h|   76 ++
 tests/system-kmod-macros.at  |   42 +-
 tests/system-traffic.at  |   64 +-
 tests/system-userspace-macros.at |  148 +++-
 19 files changed, 2216 insertions(+), 63 deletions(-)
 create mode 100644 lib/ipf.c
 create mode 100644 lib/ipf.h

-- 
1.9.1



Re: [ovs-dev] [PATCH] OVN: add unit test for TCPv6 port unreachable support

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 05:02:34PM +0200, Lorenzo Bianconi wrote:
> Add unit test for the TCP reset segment sent by OVN logical router when
> it receives an IPv6 TCP segment directed to the router's IP address since
> the logical router doesn't accept any TCP traffic
> 
> Signed-off-by: Lorenzo Bianconi 

Thanks!  I applied this to master.


Re: [ovs-dev] [PATCH] ofproto: Return error codes for Rule insertions"

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 01:02:08PM +0530, Aravind Prasad S wrote:
> Currently, rule_insert() API does not have return value. There are some possible
> scenarios where rule insertions can fail at run-time even though the static
> checks during rule_construct() had passed previously.
> Some possible scenarios for failure of rule insertions:
> **) Rule insertions can fail dynamically in Hybrid mode (both Openflow and
> Normal switch functioning coexist) where the CAM space could get suddenly
> filled up by Normal switch functioning and Openflow gets devoid of
> available space.
> **) Some deployments could have separate independent layers for HW rule
> insertions and application layer to interact with OVS. HW layer
> could face any dynamic issue during rule handling which application could
> not have predicted/captured in rule-construction phase.
> Rule-insert errors for bundles are not handled in this pull-request.
> Will be handled in upcoming pull request.
> 
> Signed-off-by: Aravind Prasad S 

I don't think that ofproto-dpif can ever see such a failure.  Are you
planning to submit an ofproto provider that exercises this behavior?

Thanks,

Ben.


[ovs-dev] [PATCH] configure: Disable -Wnull-pointer-arithmetic Clang warning.

2018-07-09 Thread Ben Pfaff
OVS trips over this warning all over the place, so it's not worth leaving
on.

Signed-off-by: Ben Pfaff 
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index af570b32012d..c89c607c7124 100644
--- a/configure.ac
+++ b/configure.ac
@@ -171,6 +171,7 @@ OVS_ENABLE_OPTION([-Wshift-negative-value])
 OVS_ENABLE_OPTION([-Wduplicated-cond])
 OVS_ENABLE_OPTION([-Qunused-arguments])
 OVS_ENABLE_OPTION([-Wshadow])
+OVS_ENABLE_OPTION([-Wno-null-pointer-arithmetic])
 OVS_CONDITIONAL_CC_OPTION([-Wno-unused], [HAVE_WNO_UNUSED])
 OVS_CONDITIONAL_CC_OPTION([-Wno-unused-parameter], [HAVE_WNO_UNUSED_PARAMETER])
 OVS_ENABLE_WERROR
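Review bot: -Wno-null-pointer-arithmetic is added to the OVS_ENABLE_OPTION list with nothing in configure.ac saying why a warning is being switched off. A one-line comment above it, naming the construct that trips the warning, would let someone later judge whether it can be turned back on.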
-- 
2.16.1



Re: [ovs-dev] [ovs-dev, RFC, 5 of 9] ovn-nbctl: Don't dup the error message just to report it.

2018-07-09 Thread Aaron Conole
0-day Robot  writes:

> Bleep bloop.  Greetings Jakub Sitnicki, I am a robot and I have tried out 
> your patch.
> Thanks for your contribution.
>
> I encountered some error that I wasn't expecting.  See the details below.
>
>

Okay - I *think* I enabled the RFC series detection.  Sorry about this.


Re: [ovs-dev] [PATCH] oss-fuzz: Move oss-fuzz test harnesses and fuzzer configs to ovs source repo

2018-07-09 Thread Ben Pfaff
On Sat, Jul 07, 2018 at 12:12:11AM +0200, Bhargava Shastry wrote:
> > Is that the preferred way to do it?  It seems a little ad hoc.  Another
> > way would be to add a target to the OVS build tree, so that the script
> > could just become something like
> > 
> > ./boot.sh && ./configure && make -j$(nproc) tests/oss-fuzz/fuzzer
> > 
> > or whatever.
> 
> This is cleaner and my preference as well. How do I go about doing this?
> 
> > 
> > But, maybe this ad hoc build method is conventional for oss-fuzz?  I'm
> > not familiar with their usual processes.
> 
> I don't think Google cares how targets are built although a lot of
> targets are currently built in an ad-hoc way.
> 
> > Well, either they have to have #include  or we need to
> > blacklist these files, one or the other.  The former is probably
> > harmless and possibly helpful.
> 
> Let's add a make target for oss-fuzz and everything that is needed
> to get that done. I suppose this means I add a #include  as
> the first line of each of the fuzz test harnesses?
> 
> >>> The new files need to get mentioned in an automake.mk, at least in
> >>> EXTRA_DIST, to ensure that "make dist" will put them into the tarball:
> >>>
> >>> The following files are in git but not the distribution:
> >>> tests/oss-fuzz/config/flow_extract_fuzzer.options
> >>> tests/oss-fuzz/config/json_parser_fuzzer.options
> >>> tests/oss-fuzz/config/ofp_print_fuzzer.options
> >>> tests/oss-fuzz/config/ovs.dict
> >>> tests/oss-fuzz/flow_extract_target.c
> >>> tests/oss-fuzz/json_parser_target.c
> >>> tests/oss-fuzz/ofp_print_target.c
> >>
> >> There are several automake files to choose from. How do I do this?
> > 
> > I'd add a new tests/oss-fuzz/automake.mk and then include that in
> > tests/automake.mk.
> 
> I am not sure about this step. I will get back to you once we have a
> make target ready.

Here's a revised patch that does most of the work I requested.  You can
run "make oss-fuzz-targets" to build the targets.  You probably need to
specify LDFLAGS=... to link against additional libraries though.

--8<--cut here-->8--

From: Bhargava Shastry 
Date: Thu, 5 Jul 2018 15:32:53 -0700
Subject: [PATCH] oss-fuzz: Move oss-fuzz test harnesses and fuzzer configs to
 ovs source repo

Signed-off-by: Ben Pfaff 
---
 Makefile.am   |   1 +
 tests/automake.mk |   2 +
 tests/oss-fuzz/automake.mk|  21 ++
 tests/oss-fuzz/config/flow_extract_fuzzer.options |   2 +
 tests/oss-fuzz/config/json_parser_fuzzer.options  |   2 +
 tests/oss-fuzz/config/ofp_print_fuzzer.options|   3 +
 tests/oss-fuzz/config/ovs.dict| 293 ++
 tests/oss-fuzz/flow_extract_target.c  |  14 ++
 tests/oss-fuzz/fuzzer.h   |   9 +
 tests/oss-fuzz/json_parser_target.c   |  57 +
 tests/oss-fuzz/ofp_print_target.c |  50 
 11 files changed, 454 insertions(+)
 create mode 100644 tests/oss-fuzz/automake.mk
 create mode 100644 tests/oss-fuzz/config/flow_extract_fuzzer.options
 create mode 100644 tests/oss-fuzz/config/json_parser_fuzzer.options
 create mode 100644 tests/oss-fuzz/config/ofp_print_fuzzer.options
 create mode 100644 tests/oss-fuzz/config/ovs.dict
 create mode 100644 tests/oss-fuzz/flow_extract_target.c
 create mode 100644 tests/oss-fuzz/fuzzer.h
 create mode 100644 tests/oss-fuzz/json_parser_target.c
 create mode 100644 tests/oss-fuzz/ofp_print_target.c

diff --git a/Makefile.am b/Makefile.am
index e02799a90fab..ffbd051261b1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -102,6 +102,7 @@ dist_pkgdata_SCRIPTS =
 dist_sbin_SCRIPTS =
 dist_scripts_SCRIPTS =
 dist_scripts_DATA =
+EXTRA_PROGRAMS =
 INSTALL_DATA_LOCAL =
 UNINSTALL_LOCAL =
 man_MANS =
diff --git a/tests/automake.mk b/tests/automake.mk
index 8224e5a4a22d..b7be1ea65811 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -475,3 +475,5 @@ clean-pki:
rm -f tests/pki/stamp
rm -rf tests/pki
 endif
+
+include tests/oss-fuzz/automake.mk
diff --git a/tests/oss-fuzz/automake.mk b/tests/oss-fuzz/automake.mk
new file mode 100644
index ..d64b6986fc5e
--- /dev/null
+++ b/tests/oss-fuzz/automake.mk
@@ -0,0 +1,21 @@
+OSS_FUZZ_TARGETS = \
+   tests/oss-fuzz/flow_extract_target \
+   tests/oss-fuzz/json_parser_target \
+   tests/oss-fuzz/ofp_print_target
+EXTRA_PROGRAMS += $(OSS_FUZZ_TARGETS)
+oss-fuzz-targets: $(OSS_FUZZ_TARGETS)
+
+tests_oss_fuzz_flow_extract_target_SOURCES = 
tests/oss-fuzz/flow_extract_target.c
+tests_oss_fuzz_flow_extract_target_LDADD = lib/libopenvswitch.la
+
+tests_oss_fuzz_json_parser_target_SOURCES = tests/oss-fuzz/json_parser_target.c
+tests_oss_fuzz_json_parser_target_LDADD = lib/libopenvswitch.la
+
+tests_oss_fuzz_ofp_print_target_SOURCES = tests/oss-fuzz/ofp_print_target.c
+tests_oss_fuzz_ofp_print_target_LDADD = 
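Review bot: In the part of tests/oss-fuzz/automake.mk shown here, each target's _SOURCES lists only its .c file, while the diffstat also creates tests/oss-fuzz/fuzzer.h, the config/*.options files and config/ovs.dict. Unless the cut-off remainder adds them (fuzzer.h to _SOURCES or EXTRA_DIST, the config files to EXTRA_DIST), "make dist" will still leave them out, which is the problem raised earlier in this thread. The oss-fuzz-targets rule also names no file, so it should be listed in .PHONY.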

Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Guru Shetty
I am not very familiar with DPDK. From what I understand, different OVS
versions need different DPDK versions. The DPDK install documentation with
OVS should have those details.

On 9 July 2018 at 13:20, Sandeep Adapala  wrote:

> Hello Guru,
>
> I went one step ahead but now I got stuck here
>
> ubuntu@tbserver14:~$ sudo ovs-vsctl add-port br0 vhost-user1 -- set Interface 
> vhost-user1 type=dpdkvhostuser
> ovs-vsctl: Error detected while setting up 'vhost-user1'.  See ovs-vswitchd 
> log for details.
>
> 2018-07-09T20:19:13.013Z|00040|connmgr|INFO|br0: added service controller 
> "punix:/var/run/openvswitch/br0.mgmt"
> 2018-07-09T20:19:27.773Z|00041|netdev|WARN|could not create netdev 
> vhost-user1 of unknown type dpdkvhostuser
> 2018-07-09T20:19:27.773Z|00042|bridge|WARN|could not open network device 
> vhost-user1 (Address family not supported by protocol)
>
>
> I am getting this error when I try to add interface
>
>
> On Mon, Jul 9, 2018 at 3:32 PM, Sandeep Adapala <
> sandeepadapal...@gmail.com> wrote:
>
>> Let me try with 2.9.2 Guru.
>>
>> On Mon, Jul 9, 2018 at 3:25 PM, Guru Shetty  wrote:
>>
>>> That is a different ovsdb-server (used for OVS). The ovsdb-server used
>>> for OVN databases does not look to be running. OVS 2.5.2 is very old and I
>>> am not sure what is causing this behavior. You can look at logs in
>>> /var/log/openvswitch/ovsdb-server-*.log for hints. I suggest to move to
>>> OVS 2.9.2.
>>>
>>> On 9 July 2018 at 11:43, Sandeep Adapala 
>>> wrote:
>>>
 Looks like it is running

 ubuntu@tbserver14:~$ ps -ef | grep ovsdb-server
 root  4696 1  0 10:58 ?00:00:00 ovsdb-server: monitoring 
 pid 4697 (healthy)
 root  4697  4696  0 10:58 ?00:00:00 ovsdb-server 
 /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info 
 --remote=punix:/var/run/openvswitch/db.sock 
 --private-key=db:Open_vSwitch,SSL,private_key 
 --certificate=db:Open_vSwitch,SSL,certificate 
 --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir 
 --log-file=/var/log/openvswitch/ovsdb-server.log 
 --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
 ubuntu   10124  9325  0 14:42 pts/500:00:00 grep --color=auto 
 ovsdb-server
 ubuntu@tbserver14:~$


 On Mon, Jul 9, 2018 at 2:24 PM, Guru Shetty  wrote:

> What does "ps -ef | grep ovsdb-server" say?
>
> On 9 July 2018 at 11:23, Sandeep Adapala 
> wrote:
>
>> Same output
>>
>> ubuntu@tbserver14:~$ sudo /usr/share/openvswitch/scripts/ovn-ctl 
>> restart_northd
>>  * Exiting ovn-northd (5052)
>>  * Removing OVN_Northbound from ovsdb-server
>>  * Removing OVN_Southbound from ovsdb-server
>>  * Adding /etc/openvswitch/ovnnb.db to ovsdb-server
>>  * Adding /etc/openvswitch/ovnsb.db to ovsdb-server
>>  * Starting ovn-northd
>> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 
>> --db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
>> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed 
>> (Connection refused)
>> ubuntu@tbserver14:~$
>>
>>
>> On Mon, Jul 9, 2018 at 2:22 PM, Guru Shetty  wrote:
>>
>>> Run "/usr/share/openvswitch/scripts/ovn-ctl restart_northd" and see
>>> if that helps.
>>>
>>> On 9 July 2018 at 11:19, Sandeep Adapala >> > wrote:
>>>
 I think I am doing something wrong Guru.

 I got this after running the command

 ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 
 --db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
 ovn-nbctl: tcp:192.168.14.33:6642: database connection failed 
 (Connection refused)
 ubuntu@tbserver14:~$


 you think the database is not up yet?


 I have run this to start the DB

 ovs-vsctl set Open_vSwitch . \
 external_ids:ovn-remote="tcp:192.168.14.33:6642" \
 external_ids:ovn-nb="tcp:192.168.14.33:6641" \
 external_ids:ovn-encap-ip=192.168.14.33 \
 external_ids:ovn-encap-type=geneve
 I don't have a remote server so I have used the same for remote and 
 local


 On Mon, Jul 9, 2018 at 2:12 PM, Guru Shetty  wrote:

> What happens when you run the following command on that box:
>
> ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
> 6caabc22601b17134a4c54cc33be18
>
>
>
>
>
> On 9 July 2018 at 11:08, Sandeep Adapala <
> sandeepadapal...@gmail.com> wrote:
>
>> Hello Guru,
>>
>> below are the versions
>>
>> ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
>> ovs-vsctl (Open vSwitch) 2.5.4
>> Compiled Oct 30 2017 10:38:01
>> DB Schema 7.12.1

Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Sandeep Adapala
Hello Guru,

I went one step ahead but now I got stuck here

ubuntu@tbserver14:~$ sudo ovs-vsctl add-port br0 vhost-user1 -- set
Interface vhost-user1 type=dpdkvhostuser
ovs-vsctl: Error detected while setting up 'vhost-user1'.  See
ovs-vswitchd log for details.

2018-07-09T20:19:13.013Z|00040|connmgr|INFO|br0: added service
controller "punix:/var/run/openvswitch/br0.mgmt"
2018-07-09T20:19:27.773Z|00041|netdev|WARN|could not create netdev
vhost-user1 of unknown type dpdkvhostuser
2018-07-09T20:19:27.773Z|00042|bridge|WARN|could not open network
device vhost-user1 (Address family not supported by protocol)


I am getting this error when I try to add interface


On Mon, Jul 9, 2018 at 3:32 PM, Sandeep Adapala 
wrote:

> Let me try with 2.9.2 Guru.
>
> On Mon, Jul 9, 2018 at 3:25 PM, Guru Shetty  wrote:
>
>> That is a different ovsdb-server (used for OVS). The ovsdb-server used
>> for OVN databases does not look to be running. OVS 2.5.2 is very old and I
>> am not sure what is causing this behavior. You can look at logs in
>> /var/log/openvswitch/ovsdb-server-*.log for hints. I suggest to move to
>> OVS 2.9.2.
>>
>> On 9 July 2018 at 11:43, Sandeep Adapala 
>> wrote:
>>
>>> Looks like it is running
>>>
>>> ubuntu@tbserver14:~$ ps -ef | grep ovsdb-server
>>> root  4696 1  0 10:58 ?00:00:00 ovsdb-server: monitoring 
>>> pid 4697 (healthy)
>>> root  4697  4696  0 10:58 ?00:00:00 ovsdb-server 
>>> /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info 
>>> --remote=punix:/var/run/openvswitch/db.sock 
>>> --private-key=db:Open_vSwitch,SSL,private_key 
>>> --certificate=db:Open_vSwitch,SSL,certificate 
>>> --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir 
>>> --log-file=/var/log/openvswitch/ovsdb-server.log 
>>> --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
>>> ubuntu   10124  9325  0 14:42 pts/500:00:00 grep --color=auto 
>>> ovsdb-server
>>> ubuntu@tbserver14:~$
>>>
>>>
>>> On Mon, Jul 9, 2018 at 2:24 PM, Guru Shetty  wrote:
>>>
 What does "ps -ef | grep ovsdb-server" say?

 On 9 July 2018 at 11:23, Sandeep Adapala 
 wrote:

> Same output
>
> ubuntu@tbserver14:~$ sudo /usr/share/openvswitch/scripts/ovn-ctl 
> restart_northd
>  * Exiting ovn-northd (5052)
>  * Removing OVN_Northbound from ovsdb-server
>  * Removing OVN_Southbound from ovsdb-server
>  * Adding /etc/openvswitch/ovnnb.db to ovsdb-server
>  * Adding /etc/openvswitch/ovnsb.db to ovsdb-server
>  * Starting ovn-northd
> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 
> --db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
> refused)
> ubuntu@tbserver14:~$
>
>
> On Mon, Jul 9, 2018 at 2:22 PM, Guru Shetty  wrote:
>
>> Run "/usr/share/openvswitch/scripts/ovn-ctl restart_northd" and see
>> if that helps.
>>
>> On 9 July 2018 at 11:19, Sandeep Adapala 
>> wrote:
>>
>>> I think I am doing something wrong Guru.
>>>
>>> I got this after running the command
>>>
>>> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 
>>> --db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
>>> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed 
>>> (Connection refused)
>>> ubuntu@tbserver14:~$
>>>
>>>
>>> you think the database is not up yet?
>>>
>>>
>>> I have run this to start the DB
>>>
>>> ovs-vsctl set Open_vSwitch . \
>>> external_ids:ovn-remote="tcp:192.168.14.33:6642" \
>>> external_ids:ovn-nb="tcp:192.168.14.33:6641" \
>>> external_ids:ovn-encap-ip=192.168.14.33 \
>>> external_ids:ovn-encap-type=geneve
>>> I don't have a remote server so I have used the same for remote and 
>>> local
>>>
>>>
>>> On Mon, Jul 9, 2018 at 2:12 PM, Guru Shetty  wrote:
>>>
 What happens when you run the following command on that box:

 ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
 6caabc22601b17134a4c54cc33be18





 On 9 July 2018 at 11:08, Sandeep Adapala <
 sandeepadapal...@gmail.com> wrote:

> Hello Guru,
>
> below are the versions
>
> ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
> ovs-vsctl (Open vSwitch) 2.5.4
> Compiled Oct 30 2017 10:38:01
> DB Schema 7.12.1
> ovn-nbctl (Open vSwitch) 2.5.4
> Compiled Oct 30 2017 10:38:01
> DB Schema 2.0.1
>
> OVN plugin is also the same version.
>
>
> Regards,
>
> Sandeep
>
>
> On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:
>
>>
>>
>> On 9 July 2018 at 09:33, Sandeep Adapala <
>> 

[ovs-dev] [PATCH 2/2] ovs-ofctl: New helper command "parse-packet".

2018-07-09 Thread Ben Pfaff
This was useful for testing the previous patch.

Signed-off-by: Ben Pfaff 
---
 utilities/ovs-ofctl.c | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/utilities/ovs-ofctl.c b/utilities/ovs-ofctl.c
index 0cd0fcb63e4b..ee08178d8fff 100644
--- a/utilities/ovs-ofctl.c
+++ b/utilities/ovs-ofctl.c
@@ -4802,6 +4802,24 @@ ofctl_compose_packet(struct ovs_cmdl_context *ctx)
 }
 }
 
+/* "parse-packet" reads an Ethernet packet from stdin and prints it out its
+ * extracted flow fields. */
+static void
+ofctl_parse_packet(struct ovs_cmdl_context *ctx OVS_UNUSED)
+{
+char packet[65535];
+ssize_t size = read(STDIN_FILENO, packet, sizeof packet);
+if (size < 0) {
+ovs_fatal(errno, "failed to read packet from stdin");
+}
+
+/* Make a copy of the packet in allocated memory to better allow Valgrind
+ * and Address Sanitizer to catch out-of-range access. */
+void *packet_copy = xmemdup(packet, size);
+ofp_print_packet(stdout, packet_copy, size, 0);
+free(packet_copy);
+}
+
 static const struct ovs_cmdl_command all_commands[] = {
 { "show", "switch",
   1, 1, ofctl_show, OVS_RO },
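Review bot: ofctl_parse_packet() calls read() once, and a single read() on a pipe or terminal can return fewer bytes than were written, so a packet fed through a pipe may be parsed truncated without any indication. Loop until read() returns 0 or the buffer is full. The comment above the function also has a stray word: "prints it out its extracted flow fields" should read "prints out its extracted flow fields".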
@@ -4936,6 +4954,7 @@ static const struct ovs_cmdl_command all_commands[] = {
 { "encode-hello", NULL, 1, 1, ofctl_encode_hello, OVS_RW },
 { "parse-key-value", NULL, 1, INT_MAX, ofctl_parse_key_value, OVS_RW },
 { "compose-packet", NULL, 1, 2, ofctl_compose_packet, OVS_RO },
+{ "parse-packet", NULL, 0, 0, ofctl_parse_packet, OVS_RO },
 
 { NULL, NULL, 0, 0, NULL, OVS_RO },
 };
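Review bot: the new "parse-packet" entry in all_commands[] takes no arguments and reads stdin, but the diffstat lists only utilities/ovs-ofctl.c, so nothing tells a user how to feed it a packet. Add a usage or documentation line stating that it expects one raw Ethernet frame on stdin.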
-- 
2.16.1

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


[ovs-dev] [PATCH 1/2] flow: Fix buffer overread for crafted IPv6 packets.

2018-07-09 Thread Ben Pfaff
The ipv6_sanity_check() function implemented a check for IPv6 payload
length wrong: ip6_plen is the payload length but this function checked
whether it was longer than the total length of IPv6 header plus payload.
This meant that a packet with a crafted ip6_plen could result in a buffer
overread of up to the length of an IPv6 header (40 bytes).

The kernel datapath flow extraction code does not obviously have a similar
problem.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287
Signed-off-by: Ben Pfaff 
---
 lib/flow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/flow.c b/lib/flow.c
index a785e63a82f3..76a8b9aaeaae 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -677,7 +677,7 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, 
size_t size)
 }
 
 plen = ntohs(nh->ip6_plen);
-if (OVS_UNLIKELY(plen > size)) {
+if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
 return false;
 }
 /* Jumbo Payload option not supported yet. */
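Review bot: no regression test accompanies the corrected comparison in ipv6_sanity_check(); the diffstat lists only lib/flow.c. A test that feeds a packet whose ip6_plen exceeds size minus IPV6_HEADER_LEN and expects rejection would pin the fix, and a boundary case where plen + IPV6_HEADER_LEN equals size would confirm that exactly full packets are still accepted.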
-- 
2.16.1
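The length check described in this commit message, modeled as an added example (not code from the patch or from Open vSwitch). The helper names, the constructed 60-byte packet and the size guard before the comparison are assumptions; only the two comparisons and IPV6_HEADER_LEN come from the hunk. It compares the old and new checks and measures how far a consumer that trusts ip6_plen would read past the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HEADER_LEN 40   /* fixed IPv6 header size, as named in the patch */
#define PLEN_OFFSET 4        /* ip6_plen occupies header bytes 4-5, big-endian */

/* Constructed sample: zeroed buffer, version nibble 6, chosen ip6_plen. */
static void
init_packet(uint8_t *pkt, size_t size, uint16_t plen)
{
    memset(pkt, 0, size);
    pkt[0] = 0x60;
    pkt[PLEN_OFFSET] = (uint8_t) (plen >> 8);
    pkt[PLEN_OFFSET + 1] = (uint8_t) (plen & 0xff);
}

static uint16_t
read_plen(const uint8_t *pkt)
{
    return (uint16_t) ((pkt[PLEN_OFFSET] << 8) | pkt[PLEN_OFFSET + 1]);
}

typedef bool check_fn(const uint8_t *pkt, size_t size);

/* Pre-patch comparison: payload length against the whole buffer size. */
static bool
check_before(const uint8_t *pkt, size_t size)
{
    if (size < IPV6_HEADER_LEN) {    /* assumed guard, not visible in the hunk */
        return false;
    }
    return !(read_plen(pkt) > size);
}

/* Post-patch comparison: header plus payload against the buffer size. */
static bool
check_after(const uint8_t *pkt, size_t size)
{
    if (size < IPV6_HEADER_LEN) {    /* assumed guard, not visible in the hunk */
        return false;
    }
    return !((size_t) read_plen(pkt) + IPV6_HEADER_LEN > size);
}

/* Bytes beyond the buffer that header + claimed payload would cover.
 * Nothing is read out of bounds here; the distance is only computed. */
static size_t
overread_bytes(const uint8_t *pkt, size_t size)
{
    size_t claimed_end = (size_t) read_plen(pkt) + IPV6_HEADER_LEN;
    return claimed_end > size ? claimed_end - size : 0;
}

/* Largest over-read over all 65536 ip6_plen values that `check` accepts for
 * a buffer of `size` bytes.  The checks touch only header bytes, so a bare
 * 40-byte header stands in for the full buffer. */
static size_t
worst_overread(check_fn *check, size_t size)
{
    uint8_t hdr[IPV6_HEADER_LEN];
    size_t worst = 0;

    for (uint32_t plen = 0; plen <= UINT16_MAX; plen++) {
        init_packet(hdr, sizeof hdr, (uint16_t) plen);
        if (check(hdr, size)) {
            size_t over = overread_bytes(hdr, size);
            if (over > worst) {
                worst = over;
            }
        }
    }
    return worst;
}

int
main(void)
{
    uint8_t pkt[60];                    /* 40-byte header + 20 payload bytes */

    init_packet(pkt, sizeof pkt, 60);   /* header claims 60 payload bytes */
    printf("crafted: before=%d after=%d overread=%zu\n",
           check_before(pkt, sizeof pkt), check_after(pkt, sizeof pkt),
           overread_bytes(pkt, sizeof pkt));
    printf("worst case, 1500-byte buffer: before=%zu after=%zu\n",
           worst_overread(check_before, 1500),
           worst_overread(check_after, 1500));
    return 0;
}
```

The exhaustive sweep reproduces the bound stated in the commit message: the old comparison never lets the claimed end run more than one header length past the buffer, and the new one lets it run zero bytes past.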



Re: [ovs-dev] [ovs-dev, RFC, 6 of 9] ovn-nbctl: Propagate the error from do_nbctl().

2018-07-09 Thread 0-day Robot
Bleep bloop.  Greetings Jakub Sitnicki, I am a robot and I have tried out your 
patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


git-am:
fatal: sha1 information is lacking or useless (ovn/utilities/ovn-nbctl.c).
Repository lacks necessary blobs to fall back on 3-way merge.
Cannot fall back to three-way merge.
Patch failed at 0001 ovn-nbctl: Propagate the error from do_nbctl().
The copy of the patch that failed is found in:
   
/var/lib/jenkins/jobs/upstream_build_from_pw/workspace/.git/rebase-apply/patch
When you have resolved this problem, run "git am --resolved".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".


Please check this out.  If you feel there has been an error, please email 
acon...@bytheb.org

Thanks,
0-day Robot


Re: [ovs-dev] [ovs-dev, RFC, 5 of 9] ovn-nbctl: Don't dup the error message just to report it.

2018-07-09 Thread 0-day Robot
Bleep bloop.  Greetings Jakub Sitnicki, I am a robot and I have tried out your 
patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


build:
ovn/utilities/ovn-nbctl.c: In function ‘do_nbctl’:
ovn/utilities/ovn-nbctl.c:3872:29: error: ‘error’ undeclared (first use in this 

Re: [ovs-dev] [PATCH 2/2] ovndb-servers: Set connection table when using

2018-07-09 Thread aginwala
Cool! Thanks!

On Mon, Jul 9, 2018 at 11:28 AM Ben Pfaff  wrote:

> OK, that did it.  I backported all three.
>
> On Mon, Jul 09, 2018 at 11:04:12AM -0700, aginwala wrote:
> > Hi Ben:
> >
> > I guess the cherry pick failed because of the dependency patch. Can you
> > port https://patchwork.ozlabs.org/patch/925566/ to branch-2.9 as its
> > pre-req for these patches and apply above two on top of that. It would
> work
> > that way. Let me know further.
> >
> >
> >
> > Regards,
> >
> >
> > On Thu, Jul 5, 2018 at 11:26 AM Ben Pfaff  wrote:
> >
> > > On Thu, Jun 21, 2018 at 01:29:52AM +0530, Numan Siddique wrote:
> > > > On Sat, Jun 9, 2018 at 7:03 AM, aginwala  wrote:
> > > >
> > > > > load balancer to manage ovndb clusters via pacemaker.
> > > > >
> > > > > > This will allow setting inactivity probe on the master node.
> > > > > For pacemaker to manage ovndb resources via LB, we skipped creating
> > > > > connection
> > > > > table and hence the inactivity probe was getting set to 5000 by
> > > default.
> > > > > In order to over-ride it we need this table. However, we need to
> skip
> > > > > slaves
> > > > > listening on local sb and nb connections table so that LB feature
> is
> > > > > intact and only master is listening on 0.0.0.0
> > > > >
> > > > > e.g --remote=db:OVN_Southbound,SB_Global,connections and
> > > > > --remote=db:OVN_Northbound,NB_Global,connections
> > > > >
> > > > > will be skipped for slave SB and NB dbs respectively by unsetting
> > > > > --db-sb-use-remote-in-db  and --db-nb-use-remote-in-db in ovn-ctl.
> > > > >
> > > > > Signed-off-by: aginwala 
> > > > >
> > > >
> > > > Acked-by: Numan Siddique 
> > >
> > > I applied this to master on the strength of the acks.  I don't know
> > > enough about pacemaker to review it myself, so I just applied it
> > > verbatim.
> > >
> > > I think there was a request for a branch-2.9 backport, but the
> > > cherry-pick failed so I'll need assistance (probably a branch-2.9 post
> > > of the patches).
> > >
>


Re: [ovs-dev] [ovs-dev, 1 of 2] ovn-nbctl: Correct qos-add documentation.

2018-07-09 Thread Yifeng Sun
Looks good to me, thanks.

Reviewed-by: Yifeng Sun 

On Sat, Jul 7, 2018 at 2:55 PM, 0-day Robot  wrote:

> Bleep bloop.  Greetings Justin Pettit, I am a robot and I have tried out
> your patch.
> Thanks for your contribution.
>
> I encountered some error that I wasn't expecting.  See the details below.
>
>
> checkpatch:
> WARNING: Line is 248 characters long (recommended limit is 79)
> #20 FILE: ovn/utilities/ovn-nbctl.8.xml:130:
>   [--may-exist] qos-add
> switch direction priority match
> [dscp=dscp] [rate=rate
> [burst=burst]]
>
> Lines checked: 73, Warnings: 1, Errors: 0
>
>
> Please check this out.  If you feel there has been an error, please email
> acon...@bytheb.org
>
> Thanks,
> 0-day Robot
>


Re: [ovs-dev] [PATCH 2/2] ovn-nbctl: Clarify error messages in qos-add command.

2018-07-09 Thread Yifeng Sun
Looks good to me, thanks.


Reviewed-by: Yifeng Sun 

On Sat, Jul 7, 2018 at 2:11 PM, Justin Pettit  wrote:

> Signed-off-by: Justin Pettit 
> ---
>  ovn/utilities/ovn-nbctl.c | 13 +++--
>  1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
> index fbdb5a4d9ae9..5638b0a197e0 100644
> --- a/ovn/utilities/ovn-nbctl.c
> +++ b/ovn/utilities/ovn-nbctl.c
> @@ -1761,14 +1761,15 @@ nbctl_qos_add(struct ctl_context *ctx)
>  if (!strncmp(ctx->argv[i], "dscp=", 5)) {
>  if (!ovs_scan(ctx->argv[i] + 5, "%"SCNd64, )
>  || dscp < 0 || dscp > 63) {
> -ctl_fatal("%s: dscp must in range 0...63.", ctx->argv[i]
> + 5);
> +ctl_fatal("%s: dscp must be in the range 0...63",
> +  ctx->argv[i] + 5);
>  return;
>  }
>  }
>  else if (!strncmp(ctx->argv[i], "rate=", 5)) {
>  if (!ovs_scan(ctx->argv[i] + 5, "%"SCNd64, )
>  || rate < 1 || rate > UINT32_MAX) {
> -ctl_fatal("%s: rate must in range 1...4294967295.",
> +ctl_fatal("%s: rate must be in the range 1...4294967295.",
>ctx->argv[i] + 5);
>  return;
>  }
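Review bot: the reworded dscp message drops its trailing period ("dscp must be in the range 0...63") while the rate message in the same hunk keeps one ("rate must be in the range 1...4294967295."). Pick one form for every ctl_fatal() string in nbctl_qos_add().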
> @@ -1776,20 +1777,20 @@ nbctl_qos_add(struct ctl_context *ctx)
>  else if (!strncmp(ctx->argv[i], "burst=", 6)) {
>  if (!ovs_scan(ctx->argv[i] + 6, "%"SCNd64, )
>  || burst < 1 || burst > UINT32_MAX) {
> -ctl_fatal("%s: burst must in range 1...4294967295.",
> +ctl_fatal("%s: burst must be in the range
> 1...4294967295.",
>ctx->argv[i] + 6);
>  return;
>  }
>  } else {
> -ctl_fatal("%s: must be start of \"dscp=\", \"rate=\",
> \"burst=\".",
> -  ctx->argv[i]);
> +ctl_fatal("%s: supported arguments are \"dscp=\", \"rate=\", "
> +  "and \"burst=\"", ctx->argv[i]);
>  return;
>  }
>  }
>
>  /* Validate rate and dscp. */
>  if (-1 == dscp && !rate) {
> -ctl_fatal("One of the rate or dscp must be configured.");
> +ctl_fatal("Either \"rate\" and/or \"dscp\" must be specified");
>  return;
>  }
>
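Review bot: the burst message keeps its trailing period while the two messages reworded below it ("supported arguments are ..." and "Either \"rate\" and/or \"dscp\" must be specified") drop theirs, and "Either ... and/or" reads awkwardly; "At least one of \"rate\" or \"dscp\" must be specified" says the same thing. The diffstat lists only ovn/utilities/ovn-nbctl.c, so any test that matches the old strings needs updating in the same patch.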
> --
> 2.17.1
>
>


Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Sandeep Adapala
Let me try with 2.9.2 Guru.

On Mon, Jul 9, 2018 at 3:25 PM, Guru Shetty  wrote:

> That is a different ovsdb-server (used for OVS). The ovsdb-server used for
> OVN databases does not look to be running. OVS 2.5.2 is very old and I am
> not sure what is causing this behavior. You can look at logs in
> /var/log/openvswitch/ovsdb-server-*.log for hints. I suggest to move to
> OVS 2.9.2.
>
> On 9 July 2018 at 11:43, Sandeep Adapala 
> wrote:
>
>> Looks like it is running
>>
>> ubuntu@tbserver14:~$ ps -ef | grep ovsdb-server
>> root  4696 1  0 10:58 ?00:00:00 ovsdb-server: monitoring pid 
>> 4697 (healthy)
>> root  4697  4696  0 10:58 ?00:00:00 ovsdb-server 
>> /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info 
>> --remote=punix:/var/run/openvswitch/db.sock 
>> --private-key=db:Open_vSwitch,SSL,private_key 
>> --certificate=db:Open_vSwitch,SSL,certificate 
>> --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir 
>> --log-file=/var/log/openvswitch/ovsdb-server.log 
>> --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
>> ubuntu   10124  9325  0 14:42 pts/500:00:00 grep --color=auto 
>> ovsdb-server
>> ubuntu@tbserver14:~$
>>
>>
>> On Mon, Jul 9, 2018 at 2:24 PM, Guru Shetty  wrote:
>>
>>> What does "ps -ef | grep ovsdb-server" say?
>>>
>>> On 9 July 2018 at 11:23, Sandeep Adapala 
>>> wrote:
>>>
 Same output

 ubuntu@tbserver14:~$ sudo /usr/share/openvswitch/scripts/ovn-ctl 
 restart_northd
  * Exiting ovn-northd (5052)
  * Removing OVN_Northbound from ovsdb-server
  * Removing OVN_Southbound from ovsdb-server
  * Adding /etc/openvswitch/ovnnb.db to ovsdb-server
  * Adding /etc/openvswitch/ovnsb.db to ovsdb-server
  * Starting ovn-northd
 ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 
 --db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
 ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
 refused)
 ubuntu@tbserver14:~$


 On Mon, Jul 9, 2018 at 2:22 PM, Guru Shetty  wrote:

> Run "/usr/share/openvswitch/scripts/ovn-ctl restart_northd" and see
> if that helps.
>
> On 9 July 2018 at 11:19, Sandeep Adapala 
> wrote:
>
>> I think I am doing something wrong Guru.
>>
>> I got this after running the command
>>
>> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 
>> --db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
>> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed 
>> (Connection refused)
>> ubuntu@tbserver14:~$
>>
>>
>> you think the database is not up yet?
>>
>>
>> I have run this to start the DB
>>
>> ovs-vsctl set Open_vSwitch . \
>> external_ids:ovn-remote="tcp:192.168.14.33:6642" \
>> external_ids:ovn-nb="tcp:192.168.14.33:6641" \
>> external_ids:ovn-encap-ip=192.168.14.33 \
>> external_ids:ovn-encap-type=geneve
>> I don't have a remote server so I have used the same for remote and local
>>
>>
>> On Mon, Jul 9, 2018 at 2:12 PM, Guru Shetty  wrote:
>>
>>> What happens when you run the following command on that box:
>>>
>>> ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
>>> 6caabc22601b17134a4c54cc33be18
>>>
>>>
>>>
>>>
>>>
>>> On 9 July 2018 at 11:08, Sandeep Adapala >> > wrote:
>>>
 Hello Guru,

 below are the versions

 ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
 ovs-vsctl (Open vSwitch) 2.5.4
 Compiled Oct 30 2017 10:38:01
 DB Schema 7.12.1
 ovn-nbctl (Open vSwitch) 2.5.4
 Compiled Oct 30 2017 10:38:01
 DB Schema 2.0.1

 OVN plugin is also the same version.


 Regards,

 Sandeep


 On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:

>
>
> On 9 July 2018 at 09:33, Sandeep Adapala <
> sandeepadapal...@gmail.com> wrote:
>
>> Hello All,
>>
>> I am planning to have 2 containers talk to each other using
>> ovs-dpdk
>> interface on a same host. this is how I started installing OVN on
>> Docker.
>>
>> http://docs.openvswitch.org/en/latest/howto/docker/#the-over
>> lay-mode
>>
>> I was trying to create a network using docker but I get the same
>> error
>> every time not sure what I am doing wrong can you please help me
>> out.
>>
>>
>> NID=`sudo docker network create -d openvswitch --subnet=
>> 192.168.1.0/24 foo`
>> Error response from daemon: remote: create_network: lswitch-add
>> Fatal error
>> executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
>> 192.168.14.33:6642', 

Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Guru Shetty
That is a different ovsdb-server (used for OVS). The ovsdb-server used for
OVN databases does not look to be running. OVS 2.5.2 is very old and I am
not sure what is causing this behavior. You can look at logs in
/var/log/openvswitch/ovsdb-server-*.log for hints. I suggest to move to OVS
2.9.2.

On 9 July 2018 at 11:43, Sandeep Adapala  wrote:

> Looks like it is running
>
> ubuntu@tbserver14:~$ ps -ef | grep ovsdb-server
> root  4696 1  0 10:58 ?00:00:00 ovsdb-server: monitoring pid 
> 4697 (healthy)
> root  4697  4696  0 10:58 ?00:00:00 ovsdb-server 
> /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info 
> --remote=punix:/var/run/openvswitch/db.sock 
> --private-key=db:Open_vSwitch,SSL,private_key 
> --certificate=db:Open_vSwitch,SSL,certificate 
> --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir 
> --log-file=/var/log/openvswitch/ovsdb-server.log 
> --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
> ubuntu   10124  9325  0 14:42 pts/500:00:00 grep --color=auto ovsdb-server
> ubuntu@tbserver14:~$
>
>
> On Mon, Jul 9, 2018 at 2:24 PM, Guru Shetty  wrote:
>
>> What does "ps -ef | grep ovsdb-server" say?
>>
>> On 9 July 2018 at 11:23, Sandeep Adapala 
>> wrote:
>>
>>> Same output
>>>
>>> ubuntu@tbserver14:~$ sudo /usr/share/openvswitch/scripts/ovn-ctl 
>>> restart_northd
>>>  * Exiting ovn-northd (5052)
>>>  * Removing OVN_Northbound from ovsdb-server
>>>  * Removing OVN_Southbound from ovsdb-server
>>>  * Adding /etc/openvswitch/ovnnb.db to ovsdb-server
>>>  * Adding /etc/openvswitch/ovnsb.db to ovsdb-server
>>>  * Starting ovn-northd
>>> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 
>>> lswitch-add 6caabc22601b17134a4c54cc33be18
>>> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
>>> refused)
>>> ubuntu@tbserver14:~$
>>>
>>>
>>> On Mon, Jul 9, 2018 at 2:22 PM, Guru Shetty  wrote:
>>>
 Run "/usr/share/openvswitch/scripts/ovn-ctl restart_northd" and see if
 that helps.

 On 9 July 2018 at 11:19, Sandeep Adapala 
 wrote:

> I think I am doing something wrong Guru.
>
> I got this after running the command
>
> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 
> --db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
> refused)
> ubuntu@tbserver14:~$
>
>
> you think the database is not up yet?
>
>
> I have run this to start the DB
>
> ovs-vsctl set Open_vSwitch . \
> external_ids:ovn-remote="tcp:192.168.14.33:6642" \
> external_ids:ovn-nb="tcp:192.168.14.33:6641" \
> external_ids:ovn-encap-ip=192.168.14.33 \
> external_ids:ovn-encap-type=geneve
> I don't have a remote server so I have used the same for remote and local
>
>
> On Mon, Jul 9, 2018 at 2:12 PM, Guru Shetty  wrote:
>
>> What happens when you run the following command on that box:
>>
>> ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
>> 6caabc22601b17134a4c54cc33be18
>>
>>
>>
>>
>>
>> On 9 July 2018 at 11:08, Sandeep Adapala 
>> wrote:
>>
>>> Hello Guru,
>>>
>>> below are the versions
>>>
>>> ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
>>> ovs-vsctl (Open vSwitch) 2.5.4
>>> Compiled Oct 30 2017 10:38:01
>>> DB Schema 7.12.1
>>> ovn-nbctl (Open vSwitch) 2.5.4
>>> Compiled Oct 30 2017 10:38:01
>>> DB Schema 2.0.1
>>>
>>> OVN plugin is also the same version.
>>>
>>>
>>> Regards,
>>>
>>> Sandeep
>>>
>>>
>>> On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:
>>>


 On 9 July 2018 at 09:33, Sandeep Adapala <
 sandeepadapal...@gmail.com> wrote:

> Hello All,
>
> I am planning to have 2 containers talk to each other using
> ovs-dpdk
> interface on a same host. this is how I started installing OVN on
> Docker.
>
> http://docs.openvswitch.org/en/latest/howto/docker/#the-over
> lay-mode
>
> I was trying to create a network using docker but I get the same
> error
> every time not sure what I am doing wrong can you please help me
> out.
>
>
> NID=`sudo docker network create -d openvswitch --subnet=
> 192.168.1.0/24 foo`
> Error response from daemon: remote: create_network: lswitch-add
> Fatal error
> executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
> 192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be
> 18
> fcf3653377be99609969cc971c5f749db7', '--', 'set',
> 'Logical_Switch', u'
> 6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
> 

[ovs-dev] [RFC PATCH 9/9] WIP: tests: Integrate with ovn-nctl daemon mode.

2018-07-09 Thread Jakub Sitnicki
NOTE: This patch should not be applied. It is for testing only.

Switch ovn-nbctl test suite to use the ovn-nbctl daemon.

Signed-off-by: Jakub Sitnicki 
---
 tests/ovn-nbctl.at | 31 ++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index 62d82287a..ee76ce0f7 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -9,6 +9,10 @@ m4_define([OVN_NBCTL_TEST_START],
dnl Start ovsdb-server.
AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file 
--remote=punix:$OVS_RUNDIR/ovnnb_db.sock ovn-nb.db], [0], [], [stderr])
on_exit "kill `cat ovsdb-server.pid`"
+
+   dnl Start ovn-nbctl server
+   start_daemon ovn-nbctl
+
AT_CHECK([ovn-nbctl init])
AT_CHECK([[sed < stderr '
 /vlog|INFO|opened log file/d
@@ -19,7 +23,32 @@ m4_define([OVN_NBCTL_TEST_START],
 # OVN_NBCTL_TEST_STOP
 m4_define([OVN_NBCTL_TEST_STOP],
   [AT_CHECK([check_logs "$1"])
-   OVS_APP_EXIT_AND_WAIT([ovsdb-server])])
+   OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+   OVS_APP_EXIT_AND_WAIT([ovn-nbctl])
+])
+
+m4_divert_push([PREPARE_TESTS])
+[
+OVN_NBCTL_CLIENT () {
+local rc=0
+
+# Run ovs-appctl filtering just its stderr.
+exec 3>&1
+ovs-appctl -t ovn-nbctl run "$@" 2>&1 >&3 3>&- | sed 
'/^ovs-appctl:/d;s/^/ovn-nbctl: /' 1>&2 3>&-
+rc=$PIPESTATUS
+exec 3>&-
+
+# Map ovs-appctl exit status to ones from ovn-nbctl
+if [ $rc -eq 0 ]; then
+rc=0
+else
+rc=1
+fi
+return $rc
+}
+alias ovn-nbctl='OVN_NBCTL_CLIENT'
+]
+m4_divert_pop([PREPARE_TESTS])
 
 
 AT_SETUP([ovn-nbctl - basic switch commands])
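Review bot: OVN_NBCTL_CLIENT depends on bash-only behaviour: "rc=$PIPESTATUS" is empty under a POSIX /bin/sh, "local" is not in POSIX, and bash does not expand "alias ovn-nbctl=..." in a non-interactive shell unless expand_aliases is set, so the tests could keep calling the real ovn-nbctl without anyone noticing. Capture the ovs-appctl status through the existing fd 3 redirection or a temporary file instead, and make the test fail if the wrapper is not in effect. The if/else that maps the status can shrink to a single "[ $rc -eq 0 ] || rc=1".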
-- 
2.14.4



[ovs-dev] [RFC PATCH 8/9] ovn-nbctl: Initial support for daemon mode.

2018-07-09 Thread Jakub Sitnicki
Make ovn-nbctl act as a unixctl server if we were asked to detach. This
turns ovn-nbctl into a long-lived process that acts as a proxy for
interacting with NB DB. The main difference to regular mode of ovn-nbctl
is that in the daemon mode, a local copy of database contents has to be
obtained only once.

Just two unixctl commands are supported, 'run' and 'exit'. The former can
be used to run any ovn-nbctl command or a batch of them as so:

  ovs-appctl -t ovn-nbctl run [OPTIONS] COMMAND [-- [OPTIONS] COMMAND] ...

Commands that use tabular output ('find' and 'list') are not
supported. As are --dry-run, --timeout, and --wait ovn-nbctl options.

Also, running commands that have not yet been converted to not use
ctl_fatal() will result in death of the daemon process. However,
--monitor option can be used to keep the daemon running.

Signed-off-by: Jakub Sitnicki 
---
 ovn/utilities/ovn-nbctl.c | 180 --
 1 file changed, 158 insertions(+), 22 deletions(-)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index b709f0d85..0c0102c49 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -20,6 +20,7 @@
 #include 
 
 #include "command-line.h"
+#include "daemon.h"
 #include "db-ctl-base.h"
 #include "dirs.h"
 #include "fatal-signal.h"
@@ -37,6 +38,7 @@
 #include "svec.h"
 #include "table.h"
 #include "timeval.h"
+#include "unixctl.h"
 #include "util.h"
 #include "openvswitch/vlog.h"
 
@@ -79,6 +81,13 @@ OVS_NO_RETURN static void nbctl_exit(int status);
 /* --leader-only, --no-leader-only: Only accept the leader in a cluster. */
 static int leader_only = true;
 
+/* --unixctl-path: Path to use for unixctl server, for "monitor" and "snoop"
+ commands. */
+static char *unixctl_path;
+
+static unixctl_cb_func server_cmd_exit;
+static unixctl_cb_func server_cmd_run;
+
 static void nbctl_cmd_init(void);
 OVS_NO_RETURN static void usage(void);
 static void parse_options(int argc, char *argv[], struct shash *local_options);
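Review bot: the comment on unixctl_path says the server exists for "monitor" and "snoop" commands, but the commit message lists 'run' and 'exit' as the only unixctl commands this daemon supports. Update the comment to name the commands ovn-nbctl actually registers.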
@@ -93,14 +102,13 @@ static char * OVS_WARN_UNUSED_RESULT main_loop(const char 
*args, struct
ctl_command *commands,
size_t n_commands,
struct ovsdb_idl *idl);
+static void server_loop(struct ovsdb_idl *idl);
 
 int
 main(int argc, char *argv[])
 {
 struct ovsdb_idl *idl;
-struct ctl_command *commands;
 struct shash local_options;
-size_t n_commands;
 
 set_program_name(argv[0]);
 fatal_ignore_sigpipe();
@@ -113,35 +121,51 @@ main(int argc, char *argv[])
 char *args = process_escape_args(argv);
 shash_init(_options);
 parse_options(argc, argv, _options);
-commands = ctl_parse_commands(argc - optind, argv + optind, _options,
-  _commands);
-VLOG(ctl_might_write_to_db(commands, n_commands) ? VLL_INFO : VLL_DBG,
- "Called as %s", args);
-
-if (timeout) {
-time_alarm(timeout);
-}
+argc -= optind;
+argv += optind;
 
 /* Initialize IDL. */
 idl = the_idl = ovsdb_idl_create(db, _idl_class, true, false);
 ovsdb_idl_set_leader_only(idl, leader_only);
-run_prerequisites(commands, n_commands, idl);
 
-char *error = main_loop(args, commands, n_commands, idl);
-if (error) {
-ctl_fatal("%s", error);
+if (get_detach()) {
+if (argc != 0) {
+ctl_fatal("non-option arguments not supported with --detach "
+  "(use --help for help)");
+}
+server_loop(idl);
+} else {
+struct ctl_command *commands;
+size_t n_commands;
+
+commands = ctl_parse_commands(argc, argv, _options, _commands);
+VLOG(ctl_might_write_to_db(commands, n_commands) ? VLL_INFO : VLL_DBG,
+ "Called as %s", args);
+
+if (timeout) {
+time_alarm(timeout);
+}
+
+run_prerequisites(commands, n_commands, idl);
+
+char *error = main_loop(args, commands, n_commands, idl);
+if (error) {
+ctl_fatal("%s", error);
+}
+
+struct ctl_command *c;
+for (c = commands; c < [n_commands]; c++) {
+ds_destroy(>output);
+table_destroy(c->table);
+free(c->table);
+shash_destroy_free_data(>options);
+}
+free(commands);
 }
 
 ovsdb_idl_destroy(idl);
 idl = the_idl = NULL;
 
-for (struct ctl_command *c = commands; c < [n_commands]; c++) {
-ds_destroy(>output);
-table_destroy(c->table);
-free(c->table);
-shash_destroy_free_data(>options);
-}
-free(commands);
 free(args);
 exit(EXIT_SUCCESS);
 }
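Review bot: in the get_detach() branch of main() a --timeout value is parsed but never applied, because time_alarm(timeout) now lives only in the else branch. The commit message says --timeout is unsupported in daemon mode, so reject it with ctl_fatal() the same way non-option arguments are rejected rather than ignoring it silently.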
@@ -151,6 +175,7 @@ main_loop(const char *args, struct ctl_command *commands, 
size_t n_commands,
   struct ovsdb_idl *idl)
 {
 unsigned int seqno;
+bool idl_ready;
 
 /* Execute the commands.
  *
@@ 

[ovs-dev] [RFC PATCH 7/9] ovn-nbctl: Propagate errors from the main loop.

2018-07-09 Thread Jakub Sitnicki
Let the caller handle the errors instead of reporting it and
terminating. Prepare for reusing the main loop in daemon mode.

Signed-off-by: Jakub Sitnicki 
---
 ovn/utilities/ovn-nbctl.c | 19 +--
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 2caced626..b709f0d85 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -89,8 +89,10 @@ static char * OVS_WARN_UNUSED_RESULT do_nbctl(const char 
*args,
   struct ovsdb_idl *, bool *retry);
 static const struct nbrec_dhcp_options *dhcp_options_get(
 struct ctl_context *ctx, const char *id, bool must_exist);
-static void main_loop(const char *args, struct ctl_command *commands,
-  size_t n_commands, struct ovsdb_idl *idl);
+static char * OVS_WARN_UNUSED_RESULT main_loop(const char *args, struct
+   ctl_command *commands,
+   size_t n_commands,
+   struct ovsdb_idl *idl);
 
 int
 main(int argc, char *argv[])
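Review bot: the new main_loop() prototype breaks the line between "struct" and "ctl_command *commands", splitting one parameter type across two lines; break before "struct" instead. Since the function now returns a string, add a comment stating that a non-null result is an error message the caller owns and must free.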
@@ -125,7 +127,10 @@ main(int argc, char *argv[])
 ovsdb_idl_set_leader_only(idl, leader_only);
 run_prerequisites(commands, n_commands, idl);
 
-main_loop(args, commands, n_commands, idl);
+char *error = main_loop(args, commands, n_commands, idl);
+if (error) {
+ctl_fatal("%s", error);
+}
 
 ovsdb_idl_destroy(idl);
 idl = the_idl = NULL;
@@ -141,7 +146,7 @@ main(int argc, char *argv[])
 exit(EXIT_SUCCESS);
 }
 
-static void
+static char *
 main_loop(const char *args, struct ctl_command *commands, size_t n_commands,
   struct ovsdb_idl *idl)
 {
@@ -169,10 +174,10 @@ main_loop(const char *args, struct ctl_command *commands, 
size_t n_commands,
 bool retry;
 char *error = do_nbctl(args, commands, n_commands, idl, );
 if (error) {
-ctl_fatal("%s", error);
+return error;
 }
 if (!retry) {
-return;
+return NULL;
 }
 }
 
@@ -181,6 +186,8 @@ main_loop(const char *args, struct ctl_command *commands, 
size_t n_commands,
 poll_block();
 }
 }
+
+return NULL;
 }
 
 static void
-- 
2.14.4



[ovs-dev] [RFC PATCH 6/9] ovn-nbctl: Propagate the error from do_nbctl().

2018-07-09 Thread Jakub Sitnicki
Instead of terminating the process, return the error to the caller.

This will allow us to reuse the main loop in daemon mode.

Signed-off-by: Jakub Sitnicki 
---
 ovn/utilities/ovn-nbctl.c | 46 +++---
 1 file changed, 31 insertions(+), 15 deletions(-)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 511068973..2caced626 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -84,8 +84,9 @@ OVS_NO_RETURN static void usage(void);
 static void parse_options(int argc, char *argv[], struct shash *local_options);
 static void run_prerequisites(struct ctl_command[], size_t n_commands,
   struct ovsdb_idl *);
-static void do_nbctl(const char *args, struct ctl_command *, size_t n,
- struct ovsdb_idl *, bool *retry);
+static char * OVS_WARN_UNUSED_RESULT do_nbctl(const char *args,
+  struct ctl_command *, size_t n,
+  struct ovsdb_idl *, bool *retry);
 static const struct nbrec_dhcp_options *dhcp_options_get(
 struct ctl_context *ctx, const char *id, bool must_exist);
 static void main_loop(const char *args, struct ctl_command *commands,
@@ -166,7 +167,10 @@ main_loop(const char *args, struct ctl_command *commands, 
size_t n_commands,
 seqno = ovsdb_idl_get_seqno(idl);
 
 bool retry;
-do_nbctl(args, commands, n_commands, idl, );
+char *error = do_nbctl(args, commands, n_commands, idl, );
+if (error) {
+ctl_fatal("%s", error);
+}
 if (!retry) {
 return;
 }
@@ -4140,7 +4144,7 @@ run_prerequisites(struct ctl_command *commands, size_t 
n_commands,
 }
 }
 
-static void
+static char *
 do_nbctl(const char *args, struct ctl_command *commands, size_t n_commands,
  struct ovsdb_idl *idl, bool *retry)
 {
@@ -4151,6 +4155,7 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 struct ctl_command *c;
 struct shash_node *node;
 int64_t next_cfg = 0;
+char *error = NULL;
 
 ovs_assert(retry);
 
@@ -4184,7 +4189,9 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 (c->syntax->run)();
 }
 if (ctx.error) {
-ctl_fatal("%s", ctx.error);
+error = xstrdup(ctx.error);
+ctl_context_done(, c);
+goto out_error;
 }
 ctl_context_done_command(, c);
 
@@ -4198,9 +4205,10 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 SHASH_FOR_EACH (node, >sh) {
 struct ovsdb_symbol *symbol = node->data;
 if (!symbol->created) {
-ctl_fatal("row id \"%s\" is referenced but never created (e.g. "
-  "with \"-- --id=%s create ...\")",
-  node->name, node->name);
+error = xasprintf("row id \"%s\" is referenced but never created "
+  "(e.g. with \"-- --id=%s create ...\")",
+  node->name, node->name);
+goto out_error;
 }
 if (!symbol->strong_ref) {
 if (!symbol->weak_ref) {
@@ -4225,7 +4233,9 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 ctl_context_init(, c, idl, txn, symtab, NULL);
 (c->syntax->postprocess)();
 if (ctx.error) {
-ctl_fatal("%s", ctx.error);
+error = xstrdup(ctx.error);
+ctl_context_done(, c);
+goto out_error;
 }
 ctl_context_done(, c);
 }
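Review bot: in the `if (ctx.error)` branch, `error = xstrdup(ctx.error);` makes a second copy and nothing in the hunk releases the original (the same applies to the identical branch after `(c->syntax->run)()` in the earlier hunk). That did not matter while ctl_fatal() ended the process, but it does once the function returns. Either hand the string over (`error = ctx.error; ctx.error = NULL;`) or confirm that ctl_context_done() frees ctx.error; 5/9 removed a copy of exactly this kind.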
@@ -4239,7 +4249,8 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 
 case TXN_ABORTED:
 /* Should not happen--we never call ovsdb_idl_txn_abort(). */
-ctl_fatal("transaction aborted");
+error = xstrdup("transaction aborted");
+goto out_error;
 
 case TXN_UNCHANGED:
 case TXN_SUCCESS:
@@ -4249,11 +4260,14 @@ do_nbctl(const char *args, struct ctl_command 
*commands, size_t n_commands,
 goto try_again;
 
 case TXN_ERROR:
-ctl_fatal("transaction error: %s", ovsdb_idl_txn_get_error(txn));
+error = xasprintf("transaction error: %s",
+  ovsdb_idl_txn_get_error(txn));
+goto out_error;
 
 case TXN_NOT_LOCKED:
 /* Should not happen--we never call ovsdb_idl_set_lock(). */
-ctl_fatal("database not locked");
+error = xstrdup("database not locked");
+goto out_error;
 
 default:
 OVS_NOT_REACHED();
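Review bot: the TXN_ERROR and TXN_NOT_LOCKED cases now `goto out_error` where they used to exit, so the label has to release what process exit used to make irrelevant: ovsdb_idl_txn_destroy(txn), ovsdb_symbol_table_destroy(symtab) and resetting the_idl_txn. The label body lies past the point where this mail is cut off, so it is worth checking against that list before the function is reused in a long-lived process.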
@@ -4312,11 +4326,14 @@ do_nbctl(const char *args, struct ctl_command 
*commands, size_t n_commands,
 ovsdb_idl_txn_destroy(txn);
 
 *retry = false;
-return;
+return NULL;
 
 try_again:
 /* Our 

[ovs-dev] [RFC PATCH 5/9] ovn-nbctl: Don't dup the error message just to report it.

2018-07-09 Thread Jakub Sitnicki
Get rid of a pointless copy operation.

Signed-off-by: Jakub Sitnicki 
---
 ovn/utilities/ovn-nbctl.c | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index b5de2c305..511068973 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -4151,7 +4151,6 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 struct ctl_command *c;
 struct shash_node *node;
 int64_t next_cfg = 0;
-char *error = NULL;
 
 ovs_assert(retry);
 
@@ -4232,7 +4231,6 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 }
 }
 }
-error = xstrdup(ovsdb_idl_txn_get_error(txn));
 
 switch (status) {
 case TXN_UNCOMMITTED:
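Review bot: the `char *error = NULL;` declaration dropped in the first hunk, together with the `error = xstrdup(...)` removed here, is added back at the same spot by 6/9, so the two patches churn the same variable. Consider folding this cleanup into 6/9, or say in the commit message that the variable comes back with a different purpose (the return value rather than a scratch copy).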
@@ -4251,7 +4249,7 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 goto try_again;
 
 case TXN_ERROR:
-ctl_fatal("transaction error: %s", error);
+ctl_fatal("transaction error: %s", ovsdb_idl_txn_get_error(txn));
 
 case TXN_NOT_LOCKED:
 /* Should not happen--we never call ovsdb_idl_set_lock(). */
@@ -4260,7 +4258,6 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 default:
 OVS_NOT_REACHED();
 }
-free(error);
 
 ovsdb_symbol_table_destroy(symtab);
 
@@ -4330,7 +4327,6 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 table_destroy(c->table);
 free(c->table);
 }
-free(error);
 *retry = true;
 return;
 }
-- 
2.14.4



[ovs-dev] [RFC PATCH 3/9] ovn-nbctl: Pull up releasing IDL from do_nbctl().

2018-07-09 Thread Jakub Sitnicki
Destroy IDL resources in the routine where we allocated them.

Preparatory work for reusing the main loop in daemon mode.

Signed-off-by: Jakub Sitnicki 
---
 ovn/utilities/ovn-nbctl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index d7784dff1..f1fe594ea 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -126,6 +126,9 @@ main(int argc, char *argv[])
 
 main_loop(args, commands, n_commands, idl);
 
+ovsdb_idl_destroy(idl);
+idl = the_idl = NULL;
+
 for (struct ctl_command *c = commands; c < [n_commands]; c++) {
 ds_destroy(>output);
 table_destroy(c->table);
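Review bot: in `idl = the_idl = NULL;` the store to the local `idl` is dead, because main() only frees the commands and exits after this point; clearing the global `the_idl` is the part with an effect. Writing `the_idl = NULL;` alone, with a short comment on why the global is cleared after ovsdb_idl_destroy(), would be clearer.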
@@ -4305,7 +4308,6 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 }
 
 ovsdb_idl_txn_destroy(txn);
-ovsdb_idl_destroy(idl);
 
 return true;
 
-- 
2.14.4



[ovs-dev] [RFC PATCH 4/9] ovn-nbctl: Signal need to try again via an output param.

2018-07-09 Thread Jakub Sitnicki
Introduce an output parameter for the flag that signals need to retry
running the command. This leaves the return value for error reporting.

Preparatory work for reusing the main loop in daemon mode.

Signed-off-by: Jakub Sitnicki 
---
 ovn/utilities/ovn-nbctl.c | 21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index f1fe594ea..b5de2c305 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -84,8 +84,8 @@ OVS_NO_RETURN static void usage(void);
 static void parse_options(int argc, char *argv[], struct shash *local_options);
 static void run_prerequisites(struct ctl_command[], size_t n_commands,
   struct ovsdb_idl *);
-static bool do_nbctl(const char *args, struct ctl_command *, size_t n,
- struct ovsdb_idl *);
+static void do_nbctl(const char *args, struct ctl_command *, size_t n,
+ struct ovsdb_idl *, bool *retry);
 static const struct nbrec_dhcp_options *dhcp_options_get(
 struct ctl_context *ctx, const char *id, bool must_exist);
 static void main_loop(const char *args, struct ctl_command *commands,
@@ -164,7 +164,10 @@ main_loop(const char *args, struct ctl_command *commands, 
size_t n_commands,
 
 if (seqno != ovsdb_idl_get_seqno(idl)) {
 seqno = ovsdb_idl_get_seqno(idl);
-if (do_nbctl(args, commands, n_commands, idl)) {
+
+bool retry;
+do_nbctl(args, commands, n_commands, idl, );
+if (!retry) {
 return;
 }
 }
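Review bot: `bool retry;` in main_loop() is read right after the call without an initializer, so correctness depends on do_nbctl() storing to *retry on every return. The two returns changed in this patch do that, but any early return added later would leave the value indeterminate. Setting `*retry = false;` next to the new `ovs_assert(retry);` in do_nbctl(), or initializing the variable at its declaration, makes this robust.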
@@ -4137,9 +4140,9 @@ run_prerequisites(struct ctl_command *commands, size_t 
n_commands,
 }
 }
 
-static bool
+static void
 do_nbctl(const char *args, struct ctl_command *commands, size_t n_commands,
- struct ovsdb_idl *idl)
+ struct ovsdb_idl *idl, bool *retry)
 {
 struct ovsdb_idl_txn *txn;
 enum ovsdb_idl_txn_status status;
@@ -4150,6 +4153,8 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 int64_t next_cfg = 0;
 char *error = NULL;
 
+ovs_assert(retry);
+
 txn = the_idl_txn = ovsdb_idl_txn_create(idl);
 if (dry_run) {
 ovsdb_idl_txn_set_dry_run(txn);
@@ -4309,7 +4314,8 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 
 ovsdb_idl_txn_destroy(txn);
 
-return true;
+*retry = false;
+return;
 
 try_again:
 /* Our transaction needs to be rerun, or a prerequisite was not met.  Free
@@ -4325,7 +4331,8 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 free(c->table);
 }
 free(error);
-return false;
+*retry = true;
+return;
 }
 
 /* Frees the current transaction and the underlying IDL and then calls
-- 
2.14.4



[ovs-dev] [RFC PATCH 2/9] ovn-nbctl: Pull up destroying commands from do_nbctl().

2018-07-09 Thread Jakub Sitnicki
Destroy commands in the same routine where they were allocated.

Preparatory work for reusing the main loop in daemon mode.

Signed-off-by: Jakub Sitnicki 
---
 ovn/utilities/ovn-nbctl.c | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 66af948de..d7784dff1 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -126,6 +126,13 @@ main(int argc, char *argv[])
 
 main_loop(args, commands, n_commands, idl);
 
+for (struct ctl_command *c = commands; c < [n_commands]; c++) {
+ds_destroy(>output);
+table_destroy(c->table);
+free(c->table);
+shash_destroy_free_data(>options);
+}
+free(commands);
 free(args);
 exit(EXIT_SUCCESS);
 }
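Review bot: the teardown loop added to main() repeats the `table_destroy(c->table); free(c->table);` pair that do_nbctl()'s try_again path keeps (visible as context in 4/9 and 5/9). A small helper shared by both sites would keep them in step, and setting c->table to NULL after the free() would make a second pass over the same command harmless.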
@@ -4277,13 +4284,7 @@ do_nbctl(const char *args, struct ctl_command *commands, 
size_t n_commands,
 } else {
 fputs(ds_cstr(ds), stdout);
 }
-ds_destroy(>output);
-table_destroy(c->table);
-free(c->table);
-
-shash_destroy_free_data(>options);
 }
-free(commands);
 
 if (wait_type != NBCTL_WAIT_NONE && status != TXN_UNCHANGED) {
 ovsdb_idl_enable_reconnect(idl);
-- 
2.14.4



[ovs-dev] [RFC PATCH 1/9] ovn-nbctl: Extract the main loop.

2018-07-09 Thread Jakub Sitnicki
Split out a routine for the main ovn-nbctl loop.

Preparatory work for introducing daemon mode.

Signed-off-by: Jakub Sitnicki 
---
 ovn/utilities/ovn-nbctl.c | 20 
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 1181cdfba..66af948de 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -88,6 +88,8 @@ static bool do_nbctl(const char *args, struct ctl_command *, 
size_t n,
  struct ovsdb_idl *);
 static const struct nbrec_dhcp_options *dhcp_options_get(
 struct ctl_context *ctx, const char *id, bool must_exist);
+static void main_loop(const char *args, struct ctl_command *commands,
+  size_t n_commands, struct ovsdb_idl *idl);
 
 int
 main(int argc, char *argv[])
@@ -95,7 +97,6 @@ main(int argc, char *argv[])
 struct ovsdb_idl *idl;
 struct ctl_command *commands;
 struct shash local_options;
-unsigned int seqno;
 size_t n_commands;
 
 set_program_name(argv[0]);
@@ -123,6 +124,18 @@ main(int argc, char *argv[])
 ovsdb_idl_set_leader_only(idl, leader_only);
 run_prerequisites(commands, n_commands, idl);
 
+main_loop(args, commands, n_commands, idl);
+
+free(args);
+exit(EXIT_SUCCESS);
+}
+
+static void
+main_loop(const char *args, struct ctl_command *commands, size_t n_commands,
+  struct ovsdb_idl *idl)
+{
+unsigned int seqno;
+
 /* Execute the commands.
  *
  * 'seqno' is the database sequence number for which we last tried to
@@ -136,14 +149,13 @@ main(int argc, char *argv[])
 if (!ovsdb_idl_is_alive(idl)) {
 int retval = ovsdb_idl_get_last_error(idl);
 ctl_fatal("%s: database connection failed (%s)",
-db, ovs_retval_to_string(retval));
+  db, ovs_retval_to_string(retval));
 }
 
 if (seqno != ovsdb_idl_get_seqno(idl)) {
 seqno = ovsdb_idl_get_seqno(idl);
 if (do_nbctl(args, commands, n_commands, idl)) {
-free(args);
-exit(EXIT_SUCCESS);
+return;
 }
 }
 
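Review bot: main_loop() keeps the `ctl_fatal("%s: database connection failed (%s)", ...)` call shown at the top of this hunk, so a lost connection still ends the process from inside the routine the series wants to reuse in daemon mode. Unless a later patch already does so, convert it to a returned error along with the do_nbctl() ones. Separately, the `db, ovs_retval_to_string(retval));` change is a whitespace-only realignment and would be easier to review as its own patch.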
-- 
2.14.4



[ovs-dev] [RFC PATCH 0/9] Daemon mode for ovn-nbctl

2018-07-09 Thread Jakub Sitnicki
This series extends the ovn-nbctl tool with support for the daemon mode, where
ovn-nbctl acts as a long-lived process that accepts commands over a UNIX socket.
The daemon can be started the same way as any other OVS/OVN server:

  ovn-nbctl --detach --pidfile --log-file

While commands can be issued to it using the 'ovs-appctl' tool:

  ovs-appctl -t ovn-nbctl run [OPTIONS] COMMAND [-- [OPTIONS] COMMAND] ...

(Although the goal is to control the daemon using the ovn-nbctl program itself.)

The motivation and the main benefit from the daemon mode is that the contents of
the NB database have to be obtained only once, when the first command is run. On big
databases (1000's of logical ports) this results in a speed up per command in
the range of 100's of milliseconds.

The changes are functional to the point that all test cases in the ovn-nbctl
test suite (tests/ovn-nbctl.at) pass. Except for "ovn-nbctl - connection" test
case (see limitations below). Last patch in the series demonstrates it.

The shortcomings of the current implementation are:

 - No support for commands that use tabular output, that is 'find' or 'list'
   (used by the mentioned failing test case).  'table' module prints formatted
   table contents to standard output so it cannot be easily reused on the
   server side.

 - '--dry-run', '--wait', '--timeout' are unsupported. Although these options
   are understood, they will either have no effect or cause the daemon to
   malfunction.

 - Hitting an error path that calls ctl_fatal() to report an error will cause
   the daemon process to die. Use '--monitor' option as a workaround.

 - Documentation is missing.

Taking this into account, daemon mode should be considered experimental.

Very much looking forward to comments and feedback.

Thanks,
Jakub


Jakub Sitnicki (9):
  ovn-nbctl: Extract the main loop.
  ovn-nbctl: Pull up destroying commands from do_nbctl().
  ovn-nbctl: Pull up releasing IDL from do_nbctl().
  ovn-nbctl: Signal need to try again via an output param.
  ovn-nbctl: Don't dup the error message just to report it.
  ovn-nbctl: Propagate the error from do_nbctl().
  ovn-nbctl: Propagate errors from the main loop.
  ovn-nbctl: Initial support for daemon mode.
  WIP: tests: Integrate with ovn-nctl daemon mode.

 ovn/utilities/ovn-nbctl.c | 259 ++
 tests/ovn-nbctl.at|  31 +-
 2 files changed, 248 insertions(+), 42 deletions(-)

--
2.14.4
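
The error-reporting contract that patches 4/9, 6/9 and 7/9 of this series describe (a retry flag through an output parameter, a heap-allocated error string as the return value, and a caller that survives the error) is shown here as an added C example that is not code from the series. fake_db, run_once, command_loop, serve and fmt_error are hypothetical names, and the scripted outcomes are constructed.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for OVS's xasprintf(): returns a heap-allocated
 * formatted string and aborts if it cannot be built. */
static char *fmt_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    char *s = n < 0 ? NULL : malloc((size_t) n + 1);
    if (!s) {
        abort();
    }
    va_start(ap, fmt);
    vsnprintf(s, (size_t) n + 1, fmt, ap);
    va_end(ap);
    return s;
}

/* Constructed outcomes of one transaction attempt against a fake database. */
enum attempt { ATTEMPT_OK, ATTEMPT_TRY_AGAIN, ATTEMPT_ERROR };

struct fake_db {
    const enum attempt *script;     /* Outcomes handed out in order. */
    size_t n, pos;
};

/* Runs one attempt of 'cmd'.  Returns NULL if it succeeded or must be rerun,
 * otherwise a malloc'd message that the caller must free.  '*retry' is
 * written on every path, so the caller never reads an indeterminate value. */
static char *run_once(struct fake_db *db, const char *cmd, bool *retry)
{
    *retry = false;
    if (db->pos >= db->n) {
        return fmt_error("%s: no scripted outcome left", cmd);
    }
    switch (db->script[db->pos++]) {
    case ATTEMPT_OK:
        return NULL;
    case ATTEMPT_TRY_AGAIN:
        *retry = true;
        return NULL;
    case ATTEMPT_ERROR:
    default:
        return fmt_error("%s: transaction error", cmd);
    }
}

/* Reruns 'cmd' until it succeeds or fails for good.  Ownership of the error
 * string passes straight through to the caller. */
static char *command_loop(struct fake_db *db, const char *cmd)
{
    for (;;) {
        bool retry;
        char *error = run_once(db, cmd, &retry);
        if (error) {
            return error;
        }
        if (!retry) {
            return NULL;
        }
    }
}

/* Daemon-style caller: a failed command is reported and freed, and the
 * process goes on to the next one.  Returns the number of commands handled
 * and stores the number that failed in '*n_failed'. */
static size_t serve(struct fake_db *db, const char *const cmds[],
                    size_t n_cmds, size_t *n_failed)
{
    size_t handled = 0;

    *n_failed = 0;
    for (size_t i = 0; i < n_cmds; i++, handled++) {
        char *error = command_loop(db, cmds[i]);
        if (error) {
            fprintf(stderr, "error: %s\n", error);
            free(error);            /* The caller owns the string. */
            ++*n_failed;
        }
    }
    return handled;
}

int main(void)
{
    static const enum attempt script[] = {
        ATTEMPT_TRY_AGAIN, ATTEMPT_OK, ATTEMPT_ERROR, ATTEMPT_OK,
    };
    struct fake_db db = { script, sizeof script / sizeof script[0], 0 };
    const char *const cmds[] = { "ls-add sw0", "ls-add sw1", "ls-add sw2" };
    size_t n_failed;
    size_t handled = serve(&db, cmds, 3, &n_failed);

    printf("handled=%zu failed=%zu\n", handled, n_failed);
    return 0;
}
```
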


Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Sandeep Adapala
Looks like it is running

ubuntu@tbserver14:~$ ps -ef | grep ovsdb-server
root  4696 1  0 10:58 ?00:00:00 ovsdb-server:
monitoring pid 4697 (healthy)
root  4697  4696  0 10:58 ?00:00:00 ovsdb-server
/etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info
--remote=punix:/var/run/openvswitch/db.sock
--private-key=db:Open_vSwitch,SSL,private_key
--certificate=db:Open_vSwitch,SSL,certificate
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir
--log-file=/var/log/openvswitch/ovsdb-server.log
--pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
ubuntu   10124  9325  0 14:42 pts/500:00:00 grep --color=auto ovsdb-server
ubuntu@tbserver14:~$


On Mon, Jul 9, 2018 at 2:24 PM, Guru Shetty  wrote:

> What does "ps -ef | grep ovsdb-server" say?
>
> On 9 July 2018 at 11:23, Sandeep Adapala 
> wrote:
>
>> Same output
>>
>> ubuntu@tbserver14:~$ sudo /usr/share/openvswitch/scripts/ovn-ctl 
>> restart_northd
>>  * Exiting ovn-northd (5052)
>>  * Removing OVN_Northbound from ovsdb-server
>>  * Removing OVN_Southbound from ovsdb-server
>>  * Adding /etc/openvswitch/ovnnb.db to ovsdb-server
>>  * Adding /etc/openvswitch/ovnsb.db to ovsdb-server
>>  * Starting ovn-northd
>> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 
>> lswitch-add 6caabc22601b17134a4c54cc33be18
>> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
>> refused)
>> ubuntu@tbserver14:~$
>>
>>
>> On Mon, Jul 9, 2018 at 2:22 PM, Guru Shetty  wrote:
>>
>>> Run "/usr/share/openvswitch/scripts/ovn-ctl restart_northd" and see if
>>> that helps.
>>>
>>> On 9 July 2018 at 11:19, Sandeep Adapala 
>>> wrote:
>>>
 I think I am doing something wrong Guru.

 I got this after running the command

 ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 
 --db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
 ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
 refused)
 ubuntu@tbserver14:~$


 you think the database is not up yet?


 I have run this to start the DB

 ovs-vsctl set Open_vSwitch . \
 external_ids:ovn-remote="tcp:192.168.14.33:6642" \
 external_ids:ovn-nb="tcp:192.168.14.33:6641" \
 external_ids:ovn-encap-ip=192.168.14.33 \
 external_ids:ovn-encap-type=geneve
 I don't have a remote server so I have used the same for remote and local


 On Mon, Jul 9, 2018 at 2:12 PM, Guru Shetty  wrote:

> What happens when you run the following command on that box:
>
> ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
> 6caabc22601b17134a4c54cc33be18
>
>
>
>
>
> On 9 July 2018 at 11:08, Sandeep Adapala 
> wrote:
>
>> Hello Guru,
>>
>> below are the versions
>>
>> ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
>> ovs-vsctl (Open vSwitch) 2.5.4
>> Compiled Oct 30 2017 10:38:01
>> DB Schema 7.12.1
>> ovn-nbctl (Open vSwitch) 2.5.4
>> Compiled Oct 30 2017 10:38:01
>> DB Schema 2.0.1
>>
>> OVN plugin is also the same version.
>>
>>
>> Regards,
>>
>> Sandeep
>>
>>
>> On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:
>>
>>>
>>>
> >>> On 9 July 2018 at 09:33, Sandeep Adapala wrote:
>>>
 Hello All,

 I am planning to have 2 containers talk to each other using ovs-dpdk
 interface on a same host. this is how I started installing OVN on
 Docker.

 http://docs.openvswitch.org/en/latest/howto/docker/#the-over
 lay-mode

 I was trying to create a network using docker but I get the same
 error
 every time not sure what I am doing wrong can you please help me
 out.


 NID=`sudo docker network create -d openvswitch --subnet=
 192.168.1.0/24 foo`
 Error response from daemon: remote: create_network: lswitch-add
 Fatal error
 executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
 192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be
 18
 fcf3653377be99609969cc971c5f749db7', '--', 'set',
 'Logical_Switch', u'
 6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
 u'external_ids:subnet=192.168.1.0/24',
 u'external_ids:gateway_ip=192.
 168.1.1']

>>>
>>> What version of OVS/OVN (ovs-vsctl --version; ovn-nbctl --version)
>>> are you using?
>>>
>>> Is the OVN docker plugin version different?
>>>
>>>
>>>
>>>

 Regards,
 Sandeep

>>>
>>>
>>

Re: [ovs-dev] [PATCH 2/2] python: add OVSDB IDL tutorial with examples

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 05:53:28AM -0700, Toms Atteka wrote:
> created tutorial on how to use OVSDB IDL Python library
> 
> Signed-off-by: Toms Atteka 

The build fails because:

Warning, treated as error:
/home/blp/nicira/ovs/Documentation/tutorials/ovsdb-idl-python.rst:: 
WARNING: document isn't included in any toctree

I guess this just means that you should add ovsdb-idl-python.rst to the
index.rst in Documentation/tutorials.

The one thing I would consider adding to the tutorial is error handling
for when the commit fails.  Commits can fail for various reasons, so a
client has to be prepared to retry.  Would you mind working on that?

Thanks,

Ben.


Re: [ovs-dev] [PATCH] tests: Add more items to .gitignore

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 05:11:02PM +0300, Alin Gabriel Serdean wrote:
> This patch adds the system* testsuite directory and logs to .gitignore.
> 
> Signed-off-by: Alin Gabriel Serdean 

Acked-by: Ben Pfaff 


Re: [ovs-dev] [PATCH 2/2] Datapath: Fix ovs_vport_init unreachable code and goto labels

2018-07-09 Thread Ben Pfaff
I think you're right.

On Mon, Jul 09, 2018 at 11:04:03AM -0700, Yifeng Sun wrote:
> I think the correct fix may be as follows, do you mind rechecking it?
> Thanks.
> 
> diff --git a/datapath/vport.c b/datapath/vport.c
> index 02f6b56d3243..fcf0fea0a245 100644
> --- a/datapath/vport.c
> +++ b/datapath/vport.c
> @@ -93,7 +93,6 @@ int ovs_vport_init(void)
> goto err_stt;
> 
> return 0;
> -   ovs_stt_cleanup_module();
>  err_stt:
> vxlan_cleanup_module();
>  err_vxlan:
> 
> On Mon, Jul 9, 2018 at 6:09 AM, Alin Gabriel Serdean 
> wrote:
> 
> > The line "ovs_stt_cleanup_module();" was unreachable. Looking
> > at the rest of the goto labels they also seem wrong, so fix them also.
> >
> > Found using static analysis tools.
> >
> > Signed-off-by: Alin Gabriel Serdean 
> > ---
> >  datapath/vport.c | 17 +
> >  1 file changed, 9 insertions(+), 8 deletions(-)
> >
> > diff --git a/datapath/vport.c b/datapath/vport.c
> > index 02f6b56d3..5f11dd6ad 100644
> > --- a/datapath/vport.c
> > +++ b/datapath/vport.c
> > @@ -93,22 +93,23 @@ int ovs_vport_init(void)
> > goto err_stt;
> >
> > return 0;
> > -   ovs_stt_cleanup_module();
> > +
> >  err_stt:
> > -   vxlan_cleanup_module();
> > +   ovs_stt_cleanup_module();
> >  err_vxlan:
> > -   geneve_cleanup_module();
> > +   vxlan_cleanup_module();
> >  err_geneve:
> > -   ip6_tunnel_cleanup();
> > +   geneve_cleanup_module();
> >  err_ip6_tunnel:
> > -   ip6gre_fini();
> > +   ip6_tunnel_cleanup();
> >  err_ip6gre:
> > -   ipgre_fini();
> > +   ip6gre_fini();
> >  err_ipgre:
> > -   gre_exit();
> > +   ipgre_fini();
> >  err_gre:
> > -   lisp_cleanup_module();
> > +   gre_exit();
> >  err_lisp:
> > +   lisp_cleanup_module();
> > kfree(dev_table);
> > return err;
> >  }
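Review bot: after the relabelling, each label runs the cleanup of the module it is named for (`err_stt:` now calls ovs_stt_cleanup_module(), `err_lisp:` now calls lisp_cleanup_module()). If, as the names suggest, `goto err_stt` is taken when the STT step itself failed, that tears down a module that never came up; the pre-patch order, where each label undoes only the steps before it, is the usual unwind. Dropping just the unreachable `ovs_stt_cleanup_module();` after `return 0;` resolves the static-analysis finding without changing the error path.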
> > --
> > 2.16.1.windows.1
> >


Re: [ovs-dev] [PATCH 1/2] Datapath: Cleanup compat ip6_tunnel.c

2018-07-09 Thread Ben Pfaff
Acked-by: Ben Pfaff 

On Mon, Jul 09, 2018 at 11:03:10AM -0700, Yifeng Sun wrote:
> Good catch, thanks.
> 
> Reviewed-by: Yifeng Sun 
> 
> On Mon, Jul 9, 2018 at 6:09 AM, Alin Gabriel Serdean 
> wrote:
> 
> > Remove double assignment of `ip6_tnl *t`.
> >
> > Signed-off-by: Alin Gabriel Serdean 
> > ---
> >  datapath/linux/compat/ip6_tunnel.c | 2 --
> >  1 file changed, 2 deletions(-)
> >
> > diff --git a/datapath/linux/compat/ip6_tunnel.c
> > b/datapath/linux/compat/ip6_tunnel.c
> > index 7c6678796..ecec971e2 100644
> > --- a/datapath/linux/compat/ip6_tunnel.c
> > +++ b/datapath/linux/compat/ip6_tunnel.c
> > @@ -316,8 +316,6 @@ static int ip6_tnl_create2(struct net_device *dev)
> > struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
> > int err;
> >
> > -   t = netdev_priv(dev);
> > -
> > dev->rtnl_link_ops = _link_ops;
> > err = register_netdevice(dev);
> > if (err < 0)
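Review bot: the context lines do not show where `t` receives its other assignment, so the "double assignment" in the commit message cannot be checked from this hunk. Naming the remaining one in the message (presumably the initializer at the declaration of `t`, which is above the visible context) would let a reader confirm that later uses of `t` in ip6_tnl_create2() still see netdev_priv(dev).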
> > --
> > 2.16.1.windows.1
> >


Re: [ovs-dev] [PATCH 2/2] ovndb-servers: Set connection table when using

2018-07-09 Thread Ben Pfaff
OK, that did it.  I backported all three.

On Mon, Jul 09, 2018 at 11:04:12AM -0700, aginwala wrote:
> Hi Ben:
> 
> I guess the cherry pick failed because of the dependency patch. Can you
> port https://patchwork.ozlabs.org/patch/925566/ to branch-2.9 as its
> pre-req for these patches and apply above two on top of that. It would work
> that way. Let me know further.
> 
> 
> 
> Regards,
> 
> 
> On Thu, Jul 5, 2018 at 11:26 AM Ben Pfaff  wrote:
> 
> > On Thu, Jun 21, 2018 at 01:29:52AM +0530, Numan Siddique wrote:
> > > On Sat, Jun 9, 2018 at 7:03 AM, aginwala  wrote:
> > >
> > > > load balancer to manage ovndb clusters via pacemaker.
> > > >
> > > > This will allow setting inactivity probe on the master node.
> > > > For pacemaker to manage ovndb resources via LB, we skipped creating
> > > > connection
> > > > table and hence the inactivity probe was getting set to 5000 by
> > default.
> > > > In order to over-ride it we need this table. However, we need to skip
> > > > slaves
> > > > listening on local sb and nb connections table so that LB feature is
> > > > intact and only master is listening on 0.0.0.0
> > > >
> > > > e.g --remote=db:OVN_Southbound,SB_Global,connections and
> > > > --remote=db:OVN_Northbound,NB_Global,connections
> > > >
> > > > will be skipped for slave SB and NB dbs respectively by unsetting
> > > > --db-sb-use-remote-in-db  and --db-nb-use-remote-in-db in ovn-ctl.
> > > >
> > > > Signed-off-by: aginwala 
> > > >
> > >
> > > Acked-by: Numan Siddique 
> >
> > I applied this to master on the strength of the acks.  I don't know
> > enough about pacemaker to review it myself, so I just applied it
> > verbatim.
> >
> > I think there was a request for a branch-2.9 backport, but the
> > cherry-pick failed so I'll need assistance (probably a branch-2.9 post
> > of the patches).


Re: [ovs-dev] OVS frozen for release

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 10:48:51AM +0530, Numan Siddique wrote:
> On Thu, Jul 5, 2018 at 11:46 PM Han Zhou  wrote:
> 
> > On Mon, Jul 2, 2018 at 9:48 AM, Ben Pfaff  wrote:
> > >
> > > According to our release process, we should fork branch-2.10 from master
> > > July 1 (yesterday), then release on August 15.  I'm going to propose
> > > that we modify this in the same way that has been successful in the
> > > past, by calling for an approximately 2-week "soft freeze".  During the
> > > freeze period, we commit only to master only bug fixes and patches that
> > > have been previously discussed in public before the freeze period.
> > >
> > > In this cycle, I'm proposing the following:
> > >
> > > - Now: Soft freeze begins.
> > >
> > > - July 20: Fork branch-2.10.
> > >
> > >   (This is slightly late but I'm out July 13-18 and usually I'm involved
> > >   in branching.)
> > >
> > > - August 13: Release OVS 2.10.
> > >
> > > Thanks,
> > >
> > > Ben.
> >
> > Hi,
> >
> > Here are some patches related to bug fixes I have in mind that should be in
> > 2.10.
> >
> > Fixing port-group:
> > https://patchwork.ozlabs.org/patch/931913/
> >
> > and the follow up patch of above one:
> > https://patchwork.ozlabs.org/patch/934484/
> >
> > For OVN pacemaker:
> > https://patchwork.ozlabs.org/patch/931228/
> > https://patchwork.ozlabs.org/patch/931665/
> >
> >
> > Folks may add more to this list.
> >
> 
> Can this series - Partial cluster support in Python IDL client  (
> https://patchwork.ozlabs.org/project/openvswitch/list/?series=54336) be
> considered for OVS 2.10 ?

Sure.  I did an initial review just now.

I'm working my way through posted patches this week.


Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Guru Shetty
What does "ps -ef | grep ovsdb-server" say?

On 9 July 2018 at 11:23, Sandeep Adapala  wrote:

> Same output
>
> ubuntu@tbserver14:~$ sudo /usr/share/openvswitch/scripts/ovn-ctl 
> restart_northd
>  * Exiting ovn-northd (5052)
>  * Removing OVN_Northbound from ovsdb-server
>  * Removing OVN_Southbound from ovsdb-server
>  * Adding /etc/openvswitch/ovnnb.db to ovsdb-server
>  * Adding /etc/openvswitch/ovnsb.db to ovsdb-server
>  * Starting ovn-northd
> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 
> lswitch-add 6caabc22601b17134a4c54cc33be18
> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
> refused)
> ubuntu@tbserver14:~$
>
>
> On Mon, Jul 9, 2018 at 2:22 PM, Guru Shetty  wrote:
>
>> Run "/usr/share/openvswitch/scripts/ovn-ctl restart_northd" and see if
>> that helps.
>>
>> On 9 July 2018 at 11:19, Sandeep Adapala 
>> wrote:
>>
>>> I think I am doing something wrong Guru.
>>>
>>> I got this after running the command
>>>
>>> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 
>>> lswitch-add 6caabc22601b17134a4c54cc33be18
>>> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
>>> refused)
>>> ubuntu@tbserver14:~$
>>>
>>>
>>> you think the database is not up yet?
>>>
>>>
>>> I have run this to start the DB
>>>
>>> ovs-vsctl set Open_vSwitch . \
>>> external_ids:ovn-remote="tcp:192.168.14.33:6642" \
>>> external_ids:ovn-nb="tcp:192.168.14.33:6641" \
>>> external_ids:ovn-encap-ip=192.168.14.33 \
>>> external_ids:ovn-encap-type=geneve
>>> I don't have a remote server so I have used the same for remote and local
>>>
>>>
>>> On Mon, Jul 9, 2018 at 2:12 PM, Guru Shetty  wrote:
>>>
 What happens when you run the following command on that box:

 ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
 6caabc22601b17134a4c54cc33be18





 On 9 July 2018 at 11:08, Sandeep Adapala 
 wrote:

> Hello Guru,
>
> below are the versions
>
> ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
> ovs-vsctl (Open vSwitch) 2.5.4
> Compiled Oct 30 2017 10:38:01
> DB Schema 7.12.1
> ovn-nbctl (Open vSwitch) 2.5.4
> Compiled Oct 30 2017 10:38:01
> DB Schema 2.0.1
>
> OVN plugin is also the same version.
>
>
> Regards,
>
> Sandeep
>
>
> On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:
>
>>
>>
>> On 9 July 2018 at 09:33, Sandeep Adapala 
>> wrote:
>>
>>> Hello All,
>>>
>>> I am planning to have 2 containers talk to each other using ovs-dpdk
>>> interface on a same host. this is how I started installing OVN on
>>> Docker.
>>>
>>> http://docs.openvswitch.org/en/latest/howto/docker/#the-overlay-mode
>>>
>>> I was trying to create a network using docker but I get the same
>>> error
>>> every time not sure what I am doing wrong can you please help me out.
>>>
>>>
>>> NID=`sudo docker network create -d openvswitch --subnet=
>>> 192.168.1.0/24 foo`
>>> Error response from daemon: remote: create_network: lswitch-add
>>> Fatal error
>>> executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
>>> 192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be18
>>> fcf3653377be99609969cc971c5f749db7', '--', 'set', 'Logical_Switch',
>>> u'
>>> 6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
>>> u'external_ids:subnet=192.168.1.0/24',
>>> u'external_ids:gateway_ip=192.
>>> 168.1.1']
>>>
>>
>> What version of OVS/OVN (ovs-vsctl --version; ovn-nbctl --version)
>> are you using?
>>
>> Is the OVN docker plugin version different?
>>
>>
>>
>>
>>>
>>> Regards,
>>> Sandeep
>>>
>>
>>
>

>>>
>>
>


Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Sandeep Adapala
Same output

ubuntu@tbserver14:~$ sudo /usr/share/openvswitch/scripts/ovn-ctl restart_northd
 * Exiting ovn-northd (5052)
 * Removing OVN_Northbound from ovsdb-server
 * Removing OVN_Southbound from ovsdb-server
 * Adding /etc/openvswitch/ovnnb.db to ovsdb-server
 * Adding /etc/openvswitch/ovnsb.db to ovsdb-server
 * Starting ovn-northd
ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5
--db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
ovn-nbctl: tcp:192.168.14.33:6642: database connection failed
(Connection refused)
ubuntu@tbserver14:~$


On Mon, Jul 9, 2018 at 2:22 PM, Guru Shetty  wrote:

> Run "/usr/share/openvswitch/scripts/ovn-ctl restart_northd" and see if
> that helps.
>
> On 9 July 2018 at 11:19, Sandeep Adapala 
> wrote:
>
>> I think I am doing something wrong Guru.
>>
>> I got this after running the command
>>
>> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 
>> lswitch-add 6caabc22601b17134a4c54cc33be18
>> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
>> refused)
>> ubuntu@tbserver14:~$
>>
>>
>> you think the database is not up yet?
>>
>>
>> I have run this to start the DB
>>
>> ovs-vsctl set Open_vSwitch . \
>> external_ids:ovn-remote="tcp:192.168.14.33:6642" \
>> external_ids:ovn-nb="tcp:192.168.14.33:6641" \
>> external_ids:ovn-encap-ip=192.168.14.33 \
>> external_ids:ovn-encap-type=geneve
>> I don't have a remote server so I have used the same for remote and local
>>
>>
>> On Mon, Jul 9, 2018 at 2:12 PM, Guru Shetty  wrote:
>>
>>> What happens when you run the following command on that box:
>>>
>>> ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
>>> 6caabc22601b17134a4c54cc33be18
>>>
>>>
>>>
>>>
>>>
>>> On 9 July 2018 at 11:08, Sandeep Adapala 
>>> wrote:
>>>
 Hello Guru,

 below are the versions

 ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
 ovs-vsctl (Open vSwitch) 2.5.4
 Compiled Oct 30 2017 10:38:01
 DB Schema 7.12.1
 ovn-nbctl (Open vSwitch) 2.5.4
 Compiled Oct 30 2017 10:38:01
 DB Schema 2.0.1

 OVN plugin is also the same version.


 Regards,

 Sandeep


 On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:

>
>
> On 9 July 2018 at 09:33, Sandeep Adapala 
> wrote:
>
>> Hello All,
>>
>> I am planning to have 2 containers talk to each other using ovs-dpdk
>> interface on a same host. this is how I started installing OVN on
>> Docker.
>>
>> http://docs.openvswitch.org/en/latest/howto/docker/#the-overlay-mode
>>
>> I was trying to create a network using docker but I get the same error
>> every time not sure what I am doing wrong can you please help me out.
>>
>>
>> NID=`sudo docker network create -d openvswitch --subnet=
>> 192.168.1.0/24 foo`
>> Error response from daemon: remote: create_network: lswitch-add Fatal
>> error
>> executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
>> 192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be18
>> fcf3653377be99609969cc971c5f749db7', '--', 'set', 'Logical_Switch',
>> u'
>> 6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
>> u'external_ids:subnet=192.168.1.0/24', u'external_ids:gateway_ip=192.
>> 168.1.1']
>>
>
> What version of OVS/OVN (ovs-vsctl --version; ovn-nbctl --version) are
> you using?
>
> Is the OVN docker plugin version different?
>
>
>
>
>>
>> Regards,
>> Sandeep
>> ___
>> dev mailing list
>> d...@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>
>

>>>
>>
>


Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Guru Shetty
Run "/usr/share/openvswitch/scripts/ovn-ctl restart_northd" and see if that
helps.

On 9 July 2018 at 11:19, Sandeep Adapala  wrote:

> I think I am doing something wrong Guru.
>
> I got this after running the command
>
> ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 
> lswitch-add 6caabc22601b17134a4c54cc33be18
> ovn-nbctl: tcp:192.168.14.33:6642: database connection failed (Connection 
> refused)
> ubuntu@tbserver14:~$
>
>
> you think the database is not up yet?
>
>
> I have run this to start the DB
>
> ovs-vsctl set Open_vSwitch . \
> external_ids:ovn-remote="tcp:192.168.14.33:6642" \
> external_ids:ovn-nb="tcp:192.168.14.33:6641" \
> external_ids:ovn-encap-ip=192.168.14.33 \
> external_ids:ovn-encap-type=geneve
> I don't have a remote server so I have used the same for remote and local
>
>
> On Mon, Jul 9, 2018 at 2:12 PM, Guru Shetty  wrote:
>
>> What happens when you run the following command on that box:
>>
>> ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
>> 6caabc22601b17134a4c54cc33be18
>>
>>
>>
>>
>>
>> On 9 July 2018 at 11:08, Sandeep Adapala 
>> wrote:
>>
>>> Hello Guru,
>>>
>>> below are the versions
>>>
>>> ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
>>> ovs-vsctl (Open vSwitch) 2.5.4
>>> Compiled Oct 30 2017 10:38:01
>>> DB Schema 7.12.1
>>> ovn-nbctl (Open vSwitch) 2.5.4
>>> Compiled Oct 30 2017 10:38:01
>>> DB Schema 2.0.1
>>>
>>> OVN plugin is also the same version.
>>>
>>>
>>> Regards,
>>>
>>> Sandeep
>>>
>>>
>>> On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:
>>>


 On 9 July 2018 at 09:33, Sandeep Adapala 
 wrote:

> Hello All,
>
> I am planning to have 2 containers talk to each other using ovs-dpdk
> interface on a same host. this is how I started installing OVN on
> Docker.
>
> http://docs.openvswitch.org/en/latest/howto/docker/#the-overlay-mode
>
> I was trying to create a network using docker but I get the same error
> every time not sure what I am doing wrong can you please help me out.
>
>
> NID=`sudo docker network create -d openvswitch --subnet=192.168.1.0/24
> foo`
> Error response from daemon: remote: create_network: lswitch-add Fatal
> error
> executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
> 192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be18
> fcf3653377be99609969cc971c5f749db7', '--', 'set', 'Logical_Switch', u'
> 6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
> u'external_ids:subnet=192.168.1.0/24', u'external_ids:gateway_ip=192.
> 168.1.1']
>

 What version of OVS/OVN (ovs-vsctl --version; ovn-nbctl --version) are
 you using?

 Is the OVN docker plugin version different?




>
> Regards,
> Sandeep
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>


>>>
>>
>


Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Sandeep Adapala
I think I am doing something wrong, Guru.

I got this after running the command

ubuntu@tbserver14:~$ sudo ovn-nbctl --timeout=5
--db=tcp:192.168.14.33:6642 lswitch-add 6caabc22601b17134a4c54cc33be18
ovn-nbctl: tcp:192.168.14.33:6642: database connection failed
(Connection refused)
ubuntu@tbserver14:~$


Do you think the database is not up yet?


I have run this to start the DB

ovs-vsctl set Open_vSwitch . \
external_ids:ovn-remote="tcp:192.168.14.33:6642" \
external_ids:ovn-nb="tcp:192.168.14.33:6641" \
external_ids:ovn-encap-ip=192.168.14.33 \
external_ids:ovn-encap-type=geneve
I don't have a remote server so I have used the same for remote and local


On Mon, Jul 9, 2018 at 2:12 PM, Guru Shetty  wrote:

> What happens when you run the following command on that box:
>
> ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
> 6caabc22601b17134a4c54cc33be18
>
>
>
>
>
> On 9 July 2018 at 11:08, Sandeep Adapala 
> wrote:
>
>> Hello Guru,
>>
>> below are the versions
>>
>> ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
>> ovs-vsctl (Open vSwitch) 2.5.4
>> Compiled Oct 30 2017 10:38:01
>> DB Schema 7.12.1
>> ovn-nbctl (Open vSwitch) 2.5.4
>> Compiled Oct 30 2017 10:38:01
>> DB Schema 2.0.1
>>
>> OVN plugin is also the same version.
>>
>>
>> Regards,
>>
>> Sandeep
>>
>>
>> On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:
>>
>>>
>>>
>>> On 9 July 2018 at 09:33, Sandeep Adapala 
>>> wrote:
>>>
 Hello All,

 I am planning to have 2 containers talk to each other using ovs-dpdk
 interface on a same host. this is how I started installing OVN on
 Docker.

 http://docs.openvswitch.org/en/latest/howto/docker/#the-overlay-mode

 I was trying to create a network using docker but I get the same error
 every time not sure what I am doing wrong can you please help me out.


 NID=`sudo docker network create -d openvswitch --subnet=192.168.1.0/24
 foo`
 Error response from daemon: remote: create_network: lswitch-add Fatal
 error
 executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
 192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be18
 fcf3653377be99609969cc971c5f749db7', '--', 'set', 'Logical_Switch', u'
 6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
 u'external_ids:subnet=192.168.1.0/24', u'external_ids:gateway_ip=192.
 168.1.1']

>>>
>>> What version of OVS/OVN (ovs-vsctl --version; ovn-nbctl --version) are
>>> you using?
>>>
>>> Is the OVN docker plugin version different?
>>>
>>>
>>>
>>>

 Regards,
 Sandeep
 ___
 dev mailing list
 d...@openvswitch.org
 https://mail.openvswitch.org/mailman/listinfo/ovs-dev

>>>
>>>
>>
>


Re: [ovs-dev] [PATCH v2 2/2] python jsonrpc: Allow jsonrpc_session to have more than one remote.

2018-07-09 Thread Ben Pfaff
On Sun, Jul 08, 2018 at 10:05:57PM +0530, nusid...@redhat.com wrote:
> From: Numan Siddique 
> 
> Python IDL implementation doesn't have the support to connect to the
> cluster dbs. This patch adds this support. We are still missing the
> support in python idl class to connect to the cluster master. That
> support will be added in an upcoming patch.
> 
> This patch is similar to the commit 8cf6bbb184 which added multiple remote
> support in the C jsonrpc implementation.
> 
> Signed-off-by: Numan Siddique 

Thanks for working on bringing the Python code up to speed with the C
code.

The one possibly important difference between this and the C code in
commit 8cf6bbb184 is that the C code for jsonrpc_session_open() doesn't
break the string into multiple ones at commas, whereas the Python code
does.  I thought about that for a while when I wrote the C version, and
I decided to only split the string inside the IDL because that's the
only user that understands multiple remotes and because I was concerned
that people might have file names that contain commas (in unix:)
remotes.  Would you mind making the Python version resemble the C
version in this respect?

Thanks,

Ben.


Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Guru Shetty
What happens when you run the following command on that box:

ovn-nbctl --timeout=5 --db=tcp:192.168.14.33:6642 ls-add
6caabc22601b17134a4c54cc33be18





On 9 July 2018 at 11:08, Sandeep Adapala  wrote:

> Hello Guru,
>
> below are the versions
>
> ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
> ovs-vsctl (Open vSwitch) 2.5.4
> Compiled Oct 30 2017 10:38:01
> DB Schema 7.12.1
> ovn-nbctl (Open vSwitch) 2.5.4
> Compiled Oct 30 2017 10:38:01
> DB Schema 2.0.1
>
> OVN plugin is also the same version.
>
>
> Regards,
>
> Sandeep
>
>
> On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:
>
>>
>>
>> On 9 July 2018 at 09:33, Sandeep Adapala 
>> wrote:
>>
>>> Hello All,
>>>
>>> I am planning to have 2 containers talk to each other using ovs-dpdk
>>> interface on a same host. this is how I started installing OVN on Docker.
>>>
>>> http://docs.openvswitch.org/en/latest/howto/docker/#the-overlay-mode
>>>
>>> I was trying to create a network using docker but I get the same error
>>> every time not sure what I am doing wrong can you please help me out.
>>>
>>>
>>> NID=`sudo docker network create -d openvswitch --subnet=192.168.1.0/24
>>> foo`
>>> Error response from daemon: remote: create_network: lswitch-add Fatal
>>> error
>>> executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
>>> 192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be18
>>> fcf3653377be99609969cc971c5f749db7', '--', 'set', 'Logical_Switch', u'
>>> 6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
>>> u'external_ids:subnet=192.168.1.0/24', u'external_ids:gateway_ip=192.
>>> 168.1.1']
>>>
>>
>> What version of OVS/OVN (ovs-vsctl --version; ovn-nbctl --version) are
>> you using?
>>
>> Is the OVN docker plugin version different?
>>
>>
>>
>>
>>>
>>> Regards,
>>> Sandeep
>>> ___
>>> dev mailing list
>>> d...@openvswitch.org
>>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>>
>>
>>
>


Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Sandeep Adapala
Hello Guru,

Below are the versions:

ubuntu@tbserver14:~$ ovs-vsctl --version; ovn-nbctl --version
ovs-vsctl (Open vSwitch) 2.5.4
Compiled Oct 30 2017 10:38:01
DB Schema 7.12.1
ovn-nbctl (Open vSwitch) 2.5.4
Compiled Oct 30 2017 10:38:01
DB Schema 2.0.1

OVN plugin is also the same version.


Regards,

Sandeep


On Mon, Jul 9, 2018 at 2:05 PM, Guru Shetty  wrote:

>
>
> On 9 July 2018 at 09:33, Sandeep Adapala 
> wrote:
>
>> Hello All,
>>
>> I am planning to have 2 containers talk to each other using ovs-dpdk
>> interface on a same host. this is how I started installing OVN on Docker.
>>
>> http://docs.openvswitch.org/en/latest/howto/docker/#the-overlay-mode
>>
>> I was trying to create a network using docker but I get the same error
>> every time not sure what I am doing wrong can you please help me out.
>>
>>
>> NID=`sudo docker network create -d openvswitch --subnet=192.168.1.0/24
>> foo`
>> Error response from daemon: remote: create_network: lswitch-add Fatal
>> error
>> executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
>> 192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be18
>> fcf3653377be99609969cc971c5f749db7', '--', 'set', 'Logical_Switch', u'
>> 6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
>> u'external_ids:subnet=192.168.1.0/24', u'external_ids:gateway_ip=192.
>> 168.1.1']
>>
>
> What version of OVS/OVN (ovs-vsctl --version; ovn-nbctl --version) are you
> using?
>
> Is the OVN docker plugin version different?
>
>
>
>
>>
>> Regards,
>> Sandeep
>> ___
>> dev mailing list
>> d...@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>
>


Re: [ovs-dev] [PATCH v2 1/2] ovs python: ovs.stream.open_block() returns success even if the remote is unreachable

2018-07-09 Thread Ben Pfaff
On Sun, Jul 08, 2018 at 10:05:41PM +0530, nusid...@redhat.com wrote:
> From: Numan Siddique 
> 
> Calling ovs.stream.open_block(ovs.stream.open("tcp:127.0.0.1:6641")) returns
> success even if there is no server listening on 6641. To check if the
> connection is established or not, Stream class makes use of
> ovs.socket_util.check_connection_completion(). This function returns zero
> if the select for the socket fd signals. It doesn't really check if the
> connection was established or not.
> 
> This patch fixes this issue by adding a wrapper function -
> check_connection_completion_status() which calls sock.connect_ex() to get
> the status of the connection if
> ovs.socket_util.check_connection_completion() returns success.
> 
> The test cases added fail without the fix in this patch.
> 
> Signed-off-by: Numan Siddique 

I don't understand the problem here.  I mean, I believe when you say
there is a problem, but the cause doesn't really make sense to me.  The
code for check_connection_completion in socket_util.py looks correct to
me and equivalent to the C implementation in socket-util.c.  Do you have
an idea of why it doesn't work properly?  (Is it somehow specific to
Python?)

I don't think we have an equivalent test for the C version.  Does it
pass, or does it need a similar change?

Thanks,

Ben.
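
The distinction discussed in this message, as an added example that is not code from the patch or from OVS: after a non-blocking connect(), select() flagging the socket only says the attempt has finished, and SO_ERROR says whether it was established or refused. The function names are hypothetical, and the only endpoints used are loopback sockets constructed inside the block.

```python
import errno
import select
import socket


def connect_status(host, port, timeout=2.0):
    """Start a non-blocking TCP connect and report how it ended.

    Returns (became_ready, error_code):
      became_ready - True if select() flagged the socket while the connect
                     was still pending
      error_code   - 0 if the connection was established, otherwise an errno
                     value such as errno.ECONNREFUSED
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)
    try:
        err = sock.connect_ex((host, port))
        if err == 0:
            return False, 0            # established synchronously
        if err not in (errno.EINPROGRESS, errno.EWOULDBLOCK):
            return False, err          # failed synchronously (possible on loopback)

        # The connect is pending. Wait until the kernel has finished it,
        # successfully or not. Some platforms report failure via exceptfds.
        _, writable, errored = select.select([], [sock], [sock], timeout)
        if not writable and not errored:
            return False, errno.ETIMEDOUT

        # Readiness alone does not say "connected": a refused connection
        # also makes the socket ready. SO_ERROR carries the real outcome.
        return True, sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
    finally:
        sock.close()


def unused_loopback_port():
    """Constructed test input: a loopback port with no listener on it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))       # kernel picks a free port
    port = probe.getsockname()[1]
    probe.close()                      # nothing listens on it any more
    return port


def demo():
    """Connect once to a live listener and once to a port nobody listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    try:
        _, open_err = connect_status("127.0.0.1", listener.getsockname()[1])
    finally:
        listener.close()
    _, closed_err = connect_status("127.0.0.1", unused_loopback_port())
    return {"listening": open_err, "closed": closed_err}


if __name__ == "__main__":
    result = demo()
    for name, code in result.items():
        print(name, code, errno.errorcode.get(code, "OK"))
```

A caller that treats "select() signalled" as success would report both cases as connected; only the error code separates them.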


Re: [ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Guru Shetty
On 9 July 2018 at 09:33, Sandeep Adapala  wrote:

> Hello All,
>
> I am planning to have 2 containers talk to each other using ovs-dpdk
> interface on a same host. this is how I started installing OVN on Docker.
>
> http://docs.openvswitch.org/en/latest/howto/docker/#the-overlay-mode
>
> I was trying to create a network using docker but I get the same error
> every time not sure what I am doing wrong can you please help me out.
>
>
> NID=`sudo docker network create -d openvswitch --subnet=192.168.1.0/24
> foo`
> Error response from daemon: remote: create_network: lswitch-add Fatal error
> executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
> 192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be18
> fcf3653377be99609969cc971c5f749db7', '--', 'set', 'Logical_Switch', u'
> 6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
> u'external_ids:subnet=192.168.1.0/24', u'external_ids:gateway_ip=192.
> 168.1.1']
>

What version of OVS/OVN (ovs-vsctl --version; ovn-nbctl --version) are you
using?

Is the OVN docker plugin version different?




>
> Regards,
> Sandeep
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>


Re: [ovs-dev] [PATCH 2/2] ovndb-servers: Set connection table when using

2018-07-09 Thread aginwala
Hi Ben:

I guess the cherry-pick failed because of the dependency patch. Can you
port https://patchwork.ozlabs.org/patch/925566/ to branch-2.9, as it's a
pre-req for these patches, and apply the above two on top of that? It would
work that way. Let me know further.



Regards,


On Thu, Jul 5, 2018 at 11:26 AM Ben Pfaff  wrote:

> On Thu, Jun 21, 2018 at 01:29:52AM +0530, Numan Siddique wrote:
> > On Sat, Jun 9, 2018 at 7:03 AM, aginwala  wrote:
> >
> > > load balancer to manage ovndb clusters via pacemaker.
> > >
> > > This is will allow setting inactivity probe on the master node.
> > > For pacemaker to manage ovndb resources via LB, we skipped creating
> > > connection
> > > table and hence the inactivity probe was getting set to 5000 by
> default.
> > > In order to over-ride it we need this table. However, we need to skip
> > > slaves
> > > listening on local sb and nb connections table so that LB feature is
> > > intact and only master is listening on 0.0.0.0
> > >
> > > e.g --remote=db:OVN_Southbound,SB_Global,connections and
> > > --remote=db:OVN_Northbound,NB_Global,connections
> > >
> > > will be skipped for slave SB and NB dbs respectively by unsetting
> > > --db-sb-use-remote-in-db  and --db-nb-use-remote-in-db in ovn-ctl.
> > >
> > > Signed-off-by: aginwala 
> > >
> >
> > Acked-by: Numan Siddique 
>
> I applied this to master on the strength of the acks.  I don't know
> enough about pacemaker to review it myself, so I just applied it
> verbatim.
>
> I think there was a request for a branch-2.9 backport, but the
> cherry-pick failed so I'll need assistance (probably a branch-2.9 post
> of the patches).
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>


Re: [ovs-dev] [PATCH 2/2] Datapath: Fix ovs_vport_init unreachable code and goto labels

2018-07-09 Thread Yifeng Sun
I think the correct fix may be as follows, do you mind rechecking it?
Thanks.

diff --git a/datapath/vport.c b/datapath/vport.c
index 02f6b56d3243..fcf0fea0a245 100644
--- a/datapath/vport.c
+++ b/datapath/vport.c
@@ -93,7 +93,6 @@ int ovs_vport_init(void)
goto err_stt;

return 0;
-   ovs_stt_cleanup_module();
 err_stt:
vxlan_cleanup_module();
 err_vxlan:
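
Review bot: The labels after `return 0;` are left untouched, so `err_stt:` still starts the unwind at `vxlan_cleanup_module();`, and that is only correct if `goto err_stt;` is the jump taken when the STT initialisation itself fails. The hunk does not show the call that precedes `goto err_stt;`, so say so in the commit message (each `err_*` label is named after the step that failed and cleans up the steps before it); that also explains why the removed `ovs_stt_cleanup_module();` after `return 0;` could never run.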

On Mon, Jul 9, 2018 at 6:09 AM, Alin Gabriel Serdean 
wrote:

> The line "ovs_stt_cleanup_module();" was unreachable. Looking
> at the rest of the goto labels they also seem wrong, so fix them also.
>
> Found using static analysis tools.
>
> Signed-off-by: Alin Gabriel Serdean 
> ---
>  datapath/vport.c | 17 +
>  1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/datapath/vport.c b/datapath/vport.c
> index 02f6b56d3..5f11dd6ad 100644
> --- a/datapath/vport.c
> +++ b/datapath/vport.c
> @@ -93,22 +93,23 @@ int ovs_vport_init(void)
> goto err_stt;
>
> return 0;
> -   ovs_stt_cleanup_module();
> +
>  err_stt:
> -   vxlan_cleanup_module();
> +   ovs_stt_cleanup_module();
>  err_vxlan:
> -   geneve_cleanup_module();
> +   vxlan_cleanup_module();
>  err_geneve:
> -   ip6_tunnel_cleanup();
> +   geneve_cleanup_module();
>  err_ip6_tunnel:
> -   ip6gre_fini();
> +   ip6_tunnel_cleanup();
>  err_ip6gre:
> -   ipgre_fini();
> +   ip6gre_fini();
>  err_ipgre:
> -   gre_exit();
> +   ipgre_fini();
>  err_gre:
> -   lisp_cleanup_module();
> +   gre_exit();
>  err_lisp:
> +   lisp_cleanup_module();
> kfree(dev_table);
> return err;
>  }
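
Review bot: Moving every cleanup call down one label changes what the error paths do, not only the unreachable line: after this hunk `err_stt:` runs `ovs_stt_cleanup_module();` and `err_lisp:` runs `lisp_cleanup_module();`. If each `goto err_X` is taken when the initialisation of X has just failed, as the `goto err_stt;` directly before `return 0;` suggests, the new code cleans up a module that never initialised. Please check each label against the init call that jumps to it; if the labels are named for the failing step, only the removal of the `ovs_stt_cleanup_module();` line after `return 0;` is needed.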
> --
> 2.16.1.windows.1
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>


Re: [ovs-dev] [PATCH 1/2] Datapath: Cleanup compat ip6_tunnel.c

2018-07-09 Thread Yifeng Sun
Good catch, thanks.

Reviewed-by: Yifeng Sun 

On Mon, Jul 9, 2018 at 6:09 AM, Alin Gabriel Serdean 
wrote:

> Remove double assignment of `ip6_tnl *t`.
>
> Signed-off-by: Alin Gabriel Serdean 
> ---
>  datapath/linux/compat/ip6_tunnel.c | 2 --
>  1 file changed, 2 deletions(-)
>
> diff --git a/datapath/linux/compat/ip6_tunnel.c
> b/datapath/linux/compat/ip6_tunnel.c
> index 7c6678796..ecec971e2 100644
> --- a/datapath/linux/compat/ip6_tunnel.c
> +++ b/datapath/linux/compat/ip6_tunnel.c
> @@ -316,8 +316,6 @@ static int ip6_tnl_create2(struct net_device *dev)
> struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
> int err;
>
> -   t = netdev_priv(dev);
> -
> dev->rtnl_link_ops = _link_ops;
> err = register_netdevice(dev);
> if (err < 0)
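
Review bot: The removed `t = netdev_priv(dev);` is described as a double assignment, but the other assignment is not in this hunk's context; only the `ip6n` declaration and `int err;` are visible. Confirm that `t` is already initialised where it is declared above these lines, and name that line in the commit message so the removal can be verified from the patch alone.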
> --
> 2.16.1.windows.1
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>


[ovs-dev] Reduce logistics costs

2018-07-09 Thread Compras y Transporte

---
This email has been checked for viruses by AVG.
http://www.avg.com


Re: [ovs-dev] [PATCH v2] ovn: Allow for automatic dynamic updates of IPAM

2018-07-09 Thread Ben Pfaff
On Mon, Jul 09, 2018 at 09:59:04AM -0400, Mark Michelson wrote:
> On 07/06/2018 06:36 PM, Ben Pfaff wrote:
> >On Mon, Jun 25, 2018 at 04:09:53PM -0400, Mark Michelson wrote:
> >>OVN offers a method of IP address management that allows for an IPv4 subnet
> >>or IPv6 prefix to be specified on a logical switch. Then by specifying a
> >>switch port's address as "dynamic" or " dynamic", OVN will
> >>automatically assign addresses to the switch port.
> >>
> >>While this works great for initial assignment of addresses, addresses do
> >>not automatically adjust when changes are made to the switch's
> >>configuration. For instance:
> >>* If the subnet, ipv6_prefix, or exclude_ips for a logical switch
> >>changes, the affected switch ports are not updated.
> >>* If a switch port with a static IP address is added to the switch, and
> >>that address conflicts with a dynamically assigned IP address, the
> >>dynamic address is not updated.
> >>* If a MAC address switched from being statically assigned to
> >>dynamically assigned, the MAC address would not be updated.
> >>* If a statically assigned MAC address changed, then the IPv6 address
> >>would not be updated.
> >>
> >>This patch solves all of the above issues by changing the algorithm for
> >>IPAM assignment. There are essentially three steps.
> >>1) While joining logical ports, all statically-assigned addresses (i.e.
> >>any ports without "dynamic" addresses) have their addresses registered
> >>to IPAM. This gives them top priority.
> >>2) All logical ports with dynamic addresses are inspected. Any changes
> >>that must be made to the addresses are collected to be made later. Any
> >>addresses that do not require change are registered to IPAM. This allows
> >>for previously assigned dynamic addresses to be kept.
> >>3) All gathered changes are enacted.
> >>
> >>The change contains new tests that ensure that dynamic addresses are
> >>updated when appropriate.
> >>
> >>This patch also alters some existing IPAM tests. Those tests assumed
> >>that dynamic addresses would not be updated automatically, so those
> >>tests either had to be altered or removed.
> >>
> >>Signed-off-by: Mark Michelson 
> >>---
> >>v2->v3:
> >>  Fixed a checkpatch problem (line too long)
> >>
> >>v1->v2:
> >>  Rebased
> >
> >Thanks for the new version.
> >
> >I spent some time trying to understand this.  I think one of my issues
> >with it is that there is an unstated assumption that a logical switch
> >port has at most one dynamic address, but nothing that checks for or
> >enforces it.  It's possible to request more than one if you put multiple
> >"xx:xx:xx:xx:xx:xx dynamic" entries in an addresses column, but I don't
> >think that the code really treats them properly since it tries to
> >independently diff each one of them against the current set of
> >dynamically assigned addresses.  Is this all correct?  If so, would you
> >figure out some way to fix it?
> 
> You're definitely correct that there's an assumption that there is only a
> single dynamic address. However, this assumption is not introduced by my
> patch. I've done a quick test on a vagrant system using current master:
> 
> [root@central vagrant]# ovn-nbctl ls-add switch
> [root@central vagrant]# ovn-nbctl lsp-add switch port1
> [root@central vagrant]# ovn-nbctl lsp-set-addresses port1 "00:00:00:00:00:01
> dynamic" "00:00:00:00:00:02 dynamic"
> [root@central vagrant]# ovn-nbctl list logical_switch_port
> _uuid   : 6b880956-eb8b-49fc-bb0e-cfaa08360cc0
> addresses   : ["00:00:00:00:00:01 dynamic", "00:00:00:00:00:02
> dynamic"]
> dhcpv4_options  : []
> dhcpv6_options  : []
> dynamic_addresses   : []
> enabled : []
> external_ids: {}
> name: "port1"
> options : {}
> parent_name : []
> port_security   : []
> tag : []
> tag_request : []
> type: ""
> up  : false
> [root@central vagrant]# ovn-nbctl set Logical_Switch switch
> other_config:subnet=10.0.0.0/8
> [root@central vagrant]# ovn-nbctl list logical_switch_port
> _uuid   : 6b880956-eb8b-49fc-bb0e-cfaa08360cc0
> addresses   : ["00:00:00:00:00:01 dynamic", "00:00:00:00:00:02
> dynamic"]
> dhcpv4_options  : []
> dhcpv6_options  : []
> dynamic_addresses   : "00:00:00:00:00:02 10.0.0.2"
> enabled : []
> external_ids: {}
> name: "port1"
> options : {}
> parent_name : []
> port_security   : []
> tag : []
> tag_request : []
> type: ""
> up  : false
> 
> So I guess the question is, should there only be a single dynamic address
> assigned per switch port? If so, I guess some sort of warning should be
> logged if multiple dynamic addresses are requested? Or should we allow for
> multiple dynamic addresses to be assigned per switch port?

I don't think it's necessary to support multiple dynamic addresses,

Re: [ovs-dev] 64Byte packet performance regression on 2.9 from 2.7

2018-07-09 Thread Jay Ding via dev
Hi Ilya,

Here is the test result for performance of OVS-2.7, 2.8, and 2.9. We do see
the performance drops by 10% from OVS-2.7 to OVS-2.9. The performance of
DPDK only (testpmd) is same for those versions. Please refer to the table
for the versions of DPDK we tested.

The setup is Ixia <->PF0(OVS)PF1<->Ixia. Only one rxq is used. The test was
running on Intel 82599ES 10-G.

I attached the profiles for each version for your reference. We also
recorded the profiles with O0. I can send them over if you need them.

Intel 82599ES 10-Gigabit SFI/SFP+, rxq=1, pmd-rxq-affinity=0:1/0:3

                      '-g -O2' 1-Direction  '-g -O2' bi-Direction  '-g -O0' 1-Direction  '-g -O0' bi-Direction
                      Mpps    drop          Mpps    drop           Mpps    drop          Mpps    drop
DPDK-16.11.7/OVS-2.7  8.56                  16.66                  2.01                  4.02
DPDK-17.05.2/OVS-2.8  8.38    2%            16.46   1%             1.96    2%            3.92    2%
DPDK-17.11.3/OVS-2.9  7.73    10%           15.18   9%             1.78    11%           3.56    11%

Testpmd --rxq=1 --txq=1
DPDK-16.11.7 12.05   9.08
DPDK-17.05.2 12.05   9.08
DPDK-17.11.3 12.05   9.08

OVS setup (only list the steps with parameters):
./utilities/ovs-vsctl set Open_vSwitch . other_config:pmd-cpu-mask=0xfffe
./utilities/ovs-vsctl add-port br0 dpdk128 -- set Interface dpdk128
type=dpdk options:dpdk-devargs=:05:00.0 options:n_rxq_desc=256
options:n_txq_desc=1024 ofport_request=1
./utilities/ovs-vsctl add-port br0 dpdk129 -- set Interface dpdk129
type=dpdk options:dpdk-devargs=:05:00.1 options:n_rxq_desc=256
options:n_txq_desc=1024 ofport_request=2
./utilities/ovs-vsctl set Interface dpdk128 options:n_rxq=1
other_config:pmd-rxq-affinity="0:1"
./utilities/ovs-vsctl set Interface dpdk129 options:n_rxq=1
other_config:pmd-rxq-affinity="0:3"

Testpmd setup:
build/app/testpmd -c 0xfe -n 7 -w :05:00.0 -w :05:00.1
-mbuf-size=4096 -- --total-num-mbufs=409600 -i --nb-cores=6 --rxq=1 --txq=1
--rxd=1024 --txd=1024 --port-topology=paired

Please let us know if you need more information.

Thanks,

Jay

On Tue, Jul 3, 2018 at 6:44 AM, Shahaji Bhosle 
wrote:

> Thanks Nitin.
> Hi Ilya,
> Looks like regression was in 2.8.x itself as per Nitin's email. We will
> update our results as well. Thanks, Shahaji
>
> On Tue, Jul 3, 2018 at 12:29 AM, Nitin Katiyar  > wrote:
>
>> Hi,
>> I had tested 2.8.1/2 earlier which uses 17.05.01 or 17.05.02 and found
>> around 10% drop for udp traffic. OVS 2.7.4 gave the similar result as OVS
>> 2.6.2 (DPDK 16.11.4). I was using Intel Niantic 82599 for testing.
>>
>> Regards,
>> Nitin
>>
>> -Original Message-
>> From: Ilya Maximets [mailto:i.maxim...@samsung.com]
>> Sent: Monday, July 02, 2018 10:25 PM
>> To: Shahaji Bhosle 
>> Cc: Jan Scheurich ; Jay Ding <
>> jay.d...@broadcom.com>; Kevin Traynor ; Manasa
>> Mudireddy ; Nitin Katiyar <
>> nitin.kati...@ericsson.com>; Randy Schacher > >; Stokes, Ian ; ovs-dev@openvswitch.org
>> Subject: Re: [ovs-dev] 64Byte packet performance regression on 2.9 from
>> 2.7
>>
>> Sure, you need to collect perf records for the same binary, i.e. built
>> with the same compiler options (and on the same machine), to make them
>> useful.
>>
>> Unfortunately, I have no setup to test your case right now.
>> Data for 2.8 could help bisecting the issue.
>>
>> On 02.07.2018 18:04, Shahaji Bhosle wrote:
>> > Hi Ilya,
>> > Thanks for the reply.
>> > For performance traffic testing we are running with -O2. You are right
>> about the perf report, when were running with perf record we had set "-g
>> -O0". Do you need us to run with just "-g -O2" and give you the profile, or
>> any other optimization setting.
>> > Do you have a test setup for running 64B packets, and see the
>> difference between 2.7 and 2.9? On our side we are trying to get 2.8 to
>> work so we can give you an intermediate data point. Please let us know what
>> we can do to help you debug this.
>> > Thanks, Shahaji
>> >
>> >
>> > On Mon, Jul 2, 2018 at 10:55 AM, Ilya Maximets > > wrote:
>> >
>> > Hi.
>> > Sorry for late response.
>> >
>> > Looking at your perf data, I see functions like
>> "dp_packet_batch_size"
>> > consuming ~0.5 - 0.7 % of time. Are you building with all compiler
>> > optimizations disabled? Otherwise where should be no such symbols in
>> > perf report. They should be completely inlined.
>> >
>> > Best regards, Ilya Maximets.
>> >
>> > On 27.06.2018 04:48, Shahaji Bhosle wrote:
>> > > Hi Ilya,
>> > > Just wanted to check if you found anything interesting. Or
>> anything we can try. Thanks, Shahaji
>> > >
>> > > On Wed, Jun 20, 2018 at 9:01 AM, Shahaji Bhosle <
>> shahaji.bho...@broadcom.com  > shahaji.bho...@broadcom.com >> wrote:
>> > >
>> > > Thanks Ilya,
>> > >  Sorry for the confusion with the number, we used to get some
>> different numbers on both ports so were recording it per port. You have to
>> compare it with the two port number
>> > >
>> > >   CPU maskMpps
>> > > 17.11 

Re: [ovs-dev] [ovs-dev, v7, 7 of 9] ipf: Add set minimum fragment size command.

2018-07-09 Thread 0-day Robot
Bleep bloop.  Greetings Darrell Ball, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


git-am:
fatal: patch fragment without header at line 336: @@ -2368,7 +2376,6 @@ 
AT_CLEANUP
Repository lacks necessary blobs to fall back on 3-way merge.
Cannot fall back to three-way merge.
Patch failed at 0001 ipf: Add set minimum fragment size command.
The copy of the patch that failed is found in:
   
/var/lib/jenkins/jobs/upstream_build_from_pw/workspace/.git/rebase-apply/patch
When you have resolved this problem, run "git am --resolved".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".


Please check this out.  If you feel there has been an error, please email 
acon...@bytheb.org

Thanks,
0-day Robot
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [patch v6 09/10] ipf: Enhance ipf_get_status.

2018-07-09 Thread Darrell Ball
On Thu, Jun 7, 2018 at 12:11 AM, Justin Pettit  wrote:

>
> > On Apr 8, 2018, at 7:54 PM, Darrell Ball  wrote:
> >
> > diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
> > index 60c8986..adcf42b 100644
> > --- a/lib/ct-dpif.c
> > +++ b/lib/ct-dpif.c
> > @@ -209,6 +209,30 @@ int ct_dpif_ipf_get_status(struct dpif *dpif, bool
> *ipf_v4_enabled,
> > : EOPNOTSUPP);
> > }
> >
> > +int
> > +ct_dpif_ipf_dump_start(struct dpif *dpif, struct ipf_dump_ctx
> **dump_ctx)
> > +{
> > +return (dpif->dpif_class->ipf_dump_start
> > +   ? dpif->dpif_class->ipf_dump_start(dpif, dump_ctx)
> > +   : EOPNOTSUPP);
> > +}
> > +
> > +int
> > +ct_dpif_ipf_dump_next(struct dpif *dpif, void *dump_ctx,  char **dump)
> > +{
> > +return (dpif->dpif_class->ipf_dump_next
> > +? dpif->dpif_class->ipf_dump_next(dpif, dump_ctx, dump)
> > +: EOPNOTSUPP);
> > +}
> > +
> > +int
> > +ct_dpif_ipf_dump_done(struct dpif *dpif, void *dump_ctx)
> > +{
> > +return (dpif->dpif_class->ipf_dump_done
> > +? dpif->dpif_class->ipf_dump_done(dpif, dump_ctx)
> > +: EOPNOTSUPP);
> > +}
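Review bot: ct_dpif_ipf_dump_next() and ct_dpif_ipf_dump_done() take the context as 'void *dump_ctx', while ct_dpif_ipf_dump_start() hands it out as 'struct ipf_dump_ctx **dump_ctx'. Declaring it as 'struct ipf_dump_ctx *' in all three would let the compiler reject a wrong pointer being passed between the calls. There is also a stray double space before 'char **dump' in the ct_dpif_ipf_dump_next() signature.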
>
> It would be helpful to have descriptions for these functions, including
> mentioning that '*dump' must be freed and that ct_dpif_ipf_dump_done() must
> be called after a call to ct_dpif_ipf_dump_start()
>


sure; I added descriptions



>
> > diff --git a/lib/dpctl.c b/lib/dpctl.c
> > index 84064cd..7c1aa65 100644
> > --- a/lib/dpctl.c
> > +++ b/lib/dpctl.c
> >
> > @@ -1852,12 +1853,37 @@ dpctl_ct_ipf_set_nfrag_max(int argc, const char
> *argv[],
> > return error;
> > }
> >
> > +static void
> > +dpctl_dump_ipf(struct dpif *dpif, struct dpctl_params *dpctl_p)
> > +{
> > +struct ipf_dump_ctx *dump_ctx;
> > +char *dump;
> > +
> > +int error = ct_dpif_ipf_dump_start(dpif, _ctx);
> > +if (error) {
> > +dpctl_error(dpctl_p, error, "starting ipf dump");
> > +return;
> > +}
> > +
> > +dpctl_print(dpctl_p, "\n\tFragment Lists:\n\n");
>
> I think this is a single list.
>


It is a list of fragment lists, where one fragment list represents a list
of fragments, so there are multiple "fragment lists".



>
> > diff --git a/lib/dpctl.man b/lib/dpctl.man
> > index 2e8c287..afb270e 100644
> > --- a/lib/dpctl.man
> > +++ b/lib/dpctl.man
> > @@ -296,6 +296,7 @@ module while fragments are incomplete, but will
> timeout after 15 seconds.
> > Memory pool sizing should be set accordingly when fragmentation is
> enabled.
> > .
> > .TP
> > -\*(DX\fBipf\-get\-status\fR [\fIdp\fR]
> > +\*(DX\fBipf\-get\-status\fR [\fIdp\fR] [\fIverbose\fR]
> > Gets the configuration settings and fragment counters associated with the
> > -fragmentation handling of the userspace datapath connection tracker.
> > +fragmentation handling of the userspace datapath connection tracker.  If
> > +verbose is specified, also dumps the ipf list entries.
>
> We usually use "-m" and "--more" as the flags to indicate verbose.  The
> description of "dump-conntrack" provides one example.  Also, like
> "dump-conntrack", it might be nice to provide a "zone" argument.
>


Since I saw both "verbose" and "more" used, I was not sure which was
preferred.
I switched over to "more"; it seems to cover a wider range of meanings.

I left out the "zone" option for now; these lists are expected to be very
transient under normal conditions unlike conntrack, and if there is an
error condition with lots of fragment lists, the user can always just grep
the zone value.



>
> > diff --git a/lib/dpif-provider.h b/lib/dpif-provider.h
> > index 82fbbfc..385394f 100644
> > --- a/lib/dpif-provider.h
> > +++ b/lib/dpif-provider.h
> > @@ -24,6 +24,7 @@
> >
> > #include "openflow/openflow.h"
> > #include "dpif.h"
> > +#include "ipf.h"
> > #include "util.h"
> >
> > #ifdef  __cplusplus
> > @@ -457,6 +458,10 @@ struct dpif_class {
> > unsigned int *, bool *, unsigned int *, unsigned int *,
> > unsigned int *, unsigned int *, unsigned int *,
> > unsigned int *);
> > +int (*ipf_dump_start)(struct dpif *, struct ipf_dump_ctx **);
> > +/* Gets an ipf list entry to display. */
> > +int (*ipf_dump_next)(struct dpif *, void *, char **);
>
> In reference to this comment, it doesn't really get an ipf entry as much
> as write it to a buffer.
>
> > +static void
> > +ipf_dump_create(const struct ipf_list *ipf_list, struct ds *ds)
> > +{
> > +
> > +ds_put_cstr(ds, "frag list elem=(");
>
> Since the header will state that this is a frag list, I don't think it's
> necessary to prepend this to each element.  Ideally this would look and act
> similar to other dump commands such as "dump-conntrack".
>

it is not needed; I dropped the prepending.



>
> This appears to be just adding a verbose option to the previous patch, so
> I think these patches can just be merged into a single one.
>


I originally spliced out this patch since it covers internal state, whereas
the first patch is externally observable information

Re: [ovs-dev] [patch v6 08/10] ipf: Add command to get fragmentation handling status.

2018-07-09 Thread Darrell Ball
On Wed, Jun 6, 2018 at 10:23 PM, Justin Pettit  wrote:

>
> > On Apr 8, 2018, at 7:54 PM, Darrell Ball  wrote:
> >
> > diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
> > index 81f9d92..60c8986 100644
> > --- a/lib/ct-dpif.c
> > +++ b/lib/ct-dpif.c
> > @@ -188,6 +188,27 @@ ct_dpif_ipf_set_nfrag_max(struct dpif *dpif,
> uint32_t max_frags)
> > : EOPNOTSUPP);
> > }
> >
> > +int ct_dpif_ipf_get_status(struct dpif *dpif, bool *ipf_v4_enabled,
> > +unsigned int *min_v4_frag_size, unsigned int *nfrag_max,
> > +unsigned int *nfrag, unsigned int *n4frag_accepted,
> > +unsigned int *n4frag_completed_sent,
> > +unsigned int *n4frag_expired_sent, unsigned int *n4frag_too_small,
> > +unsigned int *n4frag_overlap, bool *ipf_v6_enabled,
> > +unsigned int *min_v6_frag_size, unsigned int *n6frag_accepted,
> > +unsigned int *n6frag_completed_sent,
> > +unsigned int *n6frag_expired_sent, unsigned int *n6frag_too_small,
> > +unsigned int *n6frag_overlap)
> > +{
> > ...
> > diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
> > index 542478d..35094f0 100644
> > --- a/lib/dpif-netdev.c
> > +++ b/lib/dpif-netdev.c
> > @@ -5892,6 +5892,38 @@ dpif_netdev_ipf_set_nfrag_max(struct dpif *dpif
> OVS_UNUSED,
> > return ipf_set_nfrag_max(max_frags);
> > }
> >
> > +static int
> > +dpif_netdev_ipf_get_status(struct dpif *dpif OVS_UNUSED,
> > +bool *ipf_v4_enabled, unsigned int *min_v4_frag_size,
> > +unsigned int *nfrag_max, unsigned int *nfrag,
> > +unsigned int *n4frag_accepted, unsigned int *n4frag_completed_sent,
> > +unsigned int *n4frag_expired_sent, unsigned int *n4frag_too_small,
> > +unsigned int *n4frag_overlap, bool *ipf_v6_enabled,
> > +unsigned int *min_v6_frag_size, unsigned int *n6frag_accepted,
> > +unsigned int *n6frag_completed_sent, unsigned int
> *n6frag_expired_sent,
> > +unsigned int *n6frag_too_small, unsigned int *n6frag_overlap)
> > +{
>
> The arguments to these functions are pretty long.  How about using
> 'ipf_status' instead?  Most of the callers are in files that already
> include "ipf.h".
>



It is intentional information hiding from the higher layers.
Also, the API is common across dpif providers.




>
> As before, some of my previous comments will apply to this patch, too.
>


got it; thanks



>
> Thanks,
>
> --Justin
>
>
>


Re: [ovs-dev] [patch v6 07/10] ipf: Add set maximum fragments supported command.

2018-07-09 Thread Darrell Ball
On Wed, Jun 6, 2018 at 10:05 PM, Justin Pettit  wrote:

>
> > On Apr 8, 2018, at 7:54 PM, Darrell Ball  wrote:
> >
> > diff --git a/lib/dpctl.man b/lib/dpctl.man
> > index 6223c15..43cff05 100644
> > --- a/lib/dpctl.man
> > +++ b/lib/dpctl.man
> > @@ -286,3 +286,11 @@ Sets the minimum fragment size supported by the
> userspace datapath
> > connection tracker.  Either v4 or v6 must be specified.  The default v4
> > value is 1200 and the clamped minimum is 400.  The default v6 value is
> > 1280, which is also the clamped minimum.
> > +.
> > +.TP
> > +\*(DX\fBipf\-set\-maxfrags\fR [\fIdp\fR] \fBmaxfrags\fR
> > +Sets the maximum number of fragments tracked by the userspace datapath
> > +connection tracker.  The default value is 1000 and the clamped maximum
> > +is 5000.  Note that packet buffers can be held by the fragmentation
> > +module while fragments are incomplete, but will timeout after 15
> seconds.
> > +Memory pool sizing should be set accordingly when fragmentation is
> enabled.
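Review bot: the synopsis line marks the value as '\fBmaxfrags\fR', which renders it bold like a literal keyword, although it is a number the user supplies; the neighbouring '[\fIdp\fR]' uses italics for the same kind of placeholder, so '\fImaxfrags\fR' would be consistent. In the description, "will timeout after 15 seconds" uses the noun where the verb "time out" is meant.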
>
> Once again, I think the internal name is a bit better than the
> user-exposed one: ipf-set-nfrag-max.
>


I was trying to avoid the 4-part name, guessing people would not like it; I
prefer the 4-part name myself, so we are
in agreement, with minor difference.

I prefer

ipf-set-max-nfrags

"max" is a bit better before "nfrag" or "nfrags" as it follows English
sentence structure, where the
adjective usually precedes the noun.



>
> Also, some of my previous comments for the other commands apply here, too.
>


got it; thanks.


>
> Thanks,
>
> --Justin
>
>
>


Re: [ovs-dev] [patch v6 06/10] ipf: Add set minimum fragment size command.

2018-07-09 Thread Darrell Ball
Thanks for the detailed review Justin



On Wed, Jun 6, 2018 at 10:00 PM, Justin Pettit  wrote:

>
> > On Apr 8, 2018, at 7:54 PM, Darrell Ball  wrote:
>
> > diff --git a/lib/dpctl.c b/lib/dpctl.c
> > index 9fc0151..f6c0a87 100644
> > --- a/lib/dpctl.c
> > +++ b/lib/dpctl.c
> > @@ -1786,6 +1786,44 @@ dpctl_ct_ipf_change_enabled(int argc, const char
> *argv[],
> > return error;
> > }
> >
> > +static int
> > +dpctl_ct_ipf_set_min_frag(int argc, const char *argv[],
> > +  struct dpctl_params *dpctl_p)
> > +{
> > ...
> > +if (!error) {
> > +dpctl_print(dpctl_p,
> > +"setting minimum fragment size
> successful");
> > +} else {
> > +dpctl_error(dpctl_p, error,
> > +"setting minimum fragment size failed");
> > +}
>
> It might be nice to give users an indication of why this failed.  It looks
> like that will only happen if the value specified isn't valid, so it may be
> worth just saying that much.
>


oops, missed this one; I took the time to add for the other cases but not
here - ADD no doubt.



>
> > diff --git a/lib/dpctl.man b/lib/dpctl.man
> > index 9bf489c..6223c15 100644
> > --- a/lib/dpctl.man
> > +++ b/lib/dpctl.man
> > @@ -279,3 +279,10 @@ differentiate between first and other fragments.
> Although, this would
> > logically already be true anyways, it is mentioned for clarity.  If there
> > is a need to differentiate between first and other fragments, do it after
> > conntrack.
> > +.
> > +.TP
> > +\*(DX\fBipf\-set\-minfrag\fR [\fIdp\fR] [\fIv4 or v6\fR] \fBminfrag\fR
> > +Sets the minimum fragment size supported by the userspace datapath
> > +connection tracker.  Either v4 or v6 must be specified.  The default v4
> > +value is 1200 and the clamped minimum is 400.  The default v6 value is
> > +1280, which is also the clamped minimum.
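Review bot: the synopsis writes the address family as '[\fIv4 or v6\fR]', where the square brackets mark it as optional, but the description two lines below says "Either v4 or v6 must be specified". Dropping the brackets and showing the two literals as alternatives, for example '\fBv4\fR | \fBv6\fR', would make the synopsis agree with the text.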
>
> I think it would be worth explaining a bit more about this parameter.  Can
> you explain the difference between the value being set here and the clamped
> value?
>


I added more description



>
> I like the name of the function, so what about calling the command
> "ipf-set-min-frag"?
>


I was trying to avoid the 4-part name, guessing people would not like it; I
prefer the 4-part name myself, so we are
in agreement.



>
> For all of these functions, it may be worth mentioning that they only
> apply to the userspace datapath.
>


All the APIs already say that, so I think we are covered.



>
> >
> > diff --git a/lib/dpif-provider.h b/lib/dpif-provider.h
> > index 08e0944..aa9c490 100644
> > --- a/lib/dpif-provider.h
> > +++ b/lib/dpif-provider.h
> > @@ -446,6 +446,8 @@ struct dpif_class {
> >
> > /* IP Fragmentation. */
> > int (*ipf_change_enabled)(struct dpif *, bool, bool);
> > +/* Set minimum fragment allowed. */
> > +int (*ipf_set_min_frag)(struct dpif *, bool, uint32_t);
>
> For all these definitions, I think it would be worth adding the argument
> names so the prototypes are a bit clearer.
>


yep, this file should follow the practice of using the argument names.



>
> >
> > diff --git a/lib/ipf.c b/lib/ipf.c
> > index 54f27d2..24d9b06 100644
> > --- a/lib/ipf.c
> > +++ b/lib/ipf.c
> > @@ -1251,3 +1251,26 @@ ipf_change_enabled(bool v6, bool enable)
> > }
> > return 0;
> > }
> > +
> > +int
> > +ipf_set_min_frag(bool v6, uint32_t value)
> > +{
> > +/* If the user specifies an unreasonably large number, fragmentation
> > + * will not work well but it will not blow up. */
>
> It won't blow up, but won't it drop fragments from legitimate IP stacks?
>


I added a comment just to be on the safe side.



>
> I didn't call them out, but some of my comments on the disabling
> fragmentation handling patches could apply here, too.
>


Got it.



>
> Thanks,
>
> --Justin
>
>
>


Re: [ovs-dev] [PATCH 0/3] IPsec support for tunneling

2018-07-09 Thread Ben Pfaff
On Thu, Jul 05, 2018 at 09:29:37PM +, Stokes, Ian wrote:
> > On Thu, Jul 05, 2018 at 09:29:12PM +0100, Ian Stokes wrote:
> > > On 6/27/2018 6:58 PM, Qiuyu Xiao wrote:
> > > >This patch series reintroduces IPsec support for OVS tunneling and
> > > >adds new features to prepare for the OVN IPsec support. The new
> > features are:
> > > >
> > > >1) Add CA-cert based authentication support to ovs-monitor-ipsec.
> > > >2) Enable ovs-pki to generate x.509 version 3 certificate.
> > > >
> > >
> > > Thanks for working on the series.
> > >
> > > Just had a general query as regards IPsec in userspace.
> > >
> > > I had previously looked at implementing a *rough* IPsec Tunnel
> > > interface for userspace last year for OVS DPDK. I had put the work on
> > > hold as DPDK has begun working on a general IPsec library which would
> > > make implementation simpler and cleaner/simpler to maintain in the
> > > future. Targeted for DPDK
> > > 18.11 (November this year).
> > >
> > > Would the introduction of a specific IPsec tunnel interface still be
> > > acceptable in light of this patch?
> > >
> > > There are other libraries such as macsec that DPDK has libraries for
> > > as well that could be introduced in the future for user space.
> > >
> > > I'm just aware of the divergence of approaches between what's available
> > > in kernel vs userspace so thought it was worth raising for discussion
> > > at this point?
> > 
> > Qiuyu probably doesn't have the context for this so let me respond.
> > 
> > Ideally, I'd like to have a single IPsec tunnel configuration interface
> > that works well with all datapaths.  The one that Qiuyu is (re)introducing
> > works for the kernel datapath.  I don't know IPsec or DPDK well enough to
> > guess whether changes would be needed to better adapt it to a userspace
> > datapath.  Do you see weaknesses in that area?
> > It'd be great to get it right now, if we can.
> 
> Ok, Cc'ing Declan who is heading up the IPsec library for DPDK.
> 
> From the userspace POV I guess we would have to do the IPsec
> processing (encryption/decryption, SA lookup/selection/installation)
> from when a packet is received on the datapath (if certs had not been
> setup previously). This is why I had suggested using a new tunnel type
> previously. The encap/decap action can be associated with the SA
> actions ideally.

I don't understand yet why a new tunnel type is preferable.  Keep in
mind that it wouldn't be a single new tunnel type but a new tunnel type
per current tunnel type (gre_ipsec, vxlan_ipsec, stt_ipsec,
geneve_ipsec, ...).


[ovs-dev] [patch v7 9/9] ipf: Add fragmentation status reporting.

2018-07-09 Thread Darrell Ball
A new command "ovs-appctl dpctl/ipf-get-status" is added
for userspace datapath conntrack fragmentation support.
The command shows the configuration status, fragment counters and
ipf lists state.

Signed-off-by: Darrell Ball 
---
 NEWS |   2 +
 lib/ct-dpif.c|  45 
 lib/ct-dpif.h|  10 
 lib/dpctl.c  | 107 ++
 lib/dpctl.man|   6 +++
 lib/dpif-netdev.c|  58 +
 lib/dpif-netlink.c   |   4 ++
 lib/dpif-provider.h  |  17 ++
 lib/ipf.c| 107 ++
 lib/ipf.h|  10 
 tests/system-kmod-macros.at  |  24 +
 tests/system-traffic.at  |  18 +++
 tests/system-userspace-macros.at | 109 +++
 13 files changed, 517 insertions(+)

diff --git a/NEWS b/NEWS
index 2b22a84..af8f9a8 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,8 @@ Post-v2.9.0
datapath conntrack fragmentation support.
  * New "ovs-appctl dpctl/ipf-set-max-nfrags" command for userspace datapath
conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-get-status" command for userspace datapath
+   conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index ee23a4d..a59bc1e 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -188,6 +188,51 @@ ct_dpif_ipf_set_max_nfrags(struct dpif *dpif, uint32_t 
max_frags)
 : EOPNOTSUPP);
 }
 
+int ct_dpif_ipf_get_status(struct dpif *dpif, bool *ipf_v4_enabled,
+unsigned int *min_v4_frag_size, unsigned int *nfrag_max,
+unsigned int *nfrag, unsigned int *n4frag_accepted,
+unsigned int *n4frag_completed_sent,
+unsigned int *n4frag_expired_sent, unsigned int *n4frag_too_small,
+unsigned int *n4frag_overlap, bool *ipf_v6_enabled,
+unsigned int *min_v6_frag_size, unsigned int *n6frag_accepted,
+unsigned int *n6frag_completed_sent,
+unsigned int *n6frag_expired_sent, unsigned int *n6frag_too_small,
+unsigned int *n6frag_overlap)
+{
+return (dpif->dpif_class->ipf_get_status
+? dpif->dpif_class->ipf_get_status(dpif, ipf_v4_enabled,
+min_v4_frag_size, nfrag_max, nfrag, n4frag_accepted,
+n4frag_completed_sent, n4frag_expired_sent, n4frag_too_small,
+n4frag_overlap, ipf_v6_enabled, min_v6_frag_size, n6frag_accepted,
+n6frag_completed_sent, n6frag_expired_sent, n6frag_too_small,
+n6frag_overlap)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_ipf_dump_start(struct dpif *dpif, struct ipf_dump_ctx **dump_ctx)
+{
+return (dpif->dpif_class->ipf_dump_start
+   ? dpif->dpif_class->ipf_dump_start(dpif, dump_ctx)
+   : EOPNOTSUPP);
+}
+
+int
+ct_dpif_ipf_dump_next(struct dpif *dpif, void *dump_ctx,  char **dump)
+{
+return (dpif->dpif_class->ipf_dump_next
+? dpif->dpif_class->ipf_dump_next(dpif, dump_ctx, dump)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_ipf_dump_done(struct dpif *dpif, void *dump_ctx)
+{
+return (dpif->dpif_class->ipf_dump_done
+? dpif->dpif_class->ipf_dump_done(dpif, dump_ctx)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
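Review bot: the three dump wrappers added at the end of this hunk, ct_dpif_ipf_dump_start(), ct_dpif_ipf_dump_next() and ct_dpif_ipf_dump_done(), have no comment saying who frees '*dump' or that a successful start must be paired with a call to done; a short comment above each would put that contract where callers look. Separately, 'int ct_dpif_ipf_get_status(' keeps the return type on the same line as the function name, unlike the three functions that follow it in the same hunk.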
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 2286dfb..2ff7e26 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -17,6 +17,7 @@
 #ifndef CT_DPIF_H
 #define CT_DPIF_H
 
+#include "ipf.h"
 #include "openvswitch/types.h"
 #include "packets.h"
 
@@ -203,6 +204,15 @@ int ct_dpif_get_nconns(struct dpif *dpif, uint32_t 
*nconns);
 int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
 int ct_dpif_ipf_set_min_frag(struct dpif *, bool, uint32_t);
 int ct_dpif_ipf_set_max_nfrags(struct dpif *, uint32_t);
+int ct_dpif_ipf_get_status(struct dpif *dpif, bool *, unsigned int *,
+   unsigned int *, unsigned int *, unsigned int *,
+   unsigned int *, unsigned int *, unsigned int *,
+   unsigned int *, bool *, unsigned int *,
+   unsigned int *, unsigned int *, unsigned int *,
+   unsigned int *, unsigned int *);
+int ct_dpif_ipf_dump_start(struct dpif *dpif, struct ipf_dump_ctx **);
+int ct_dpif_ipf_dump_next(struct dpif *dpif, void *, char **);
+int ct_dpif_ipf_dump_done(struct dpif *dpif, void *);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
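Review bot: the ct_dpif_ipf_get_status() prototype names only 'dpif' and leaves its two 'bool *' and fourteen 'unsigned int *' outputs anonymous, so the header gives a caller no way to tell which counter belongs in which position, and swapping two of them compiles cleanly. Carrying the parameter names over from the definition (ipf_v4_enabled, min_v4_frag_size, nfrag_max, ...) would fix that; the same applies to the 'void *' and 'char **' arguments of the dump prototypes.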
diff --git a/lib/dpctl.c b/lib/dpctl.c
index ab0f60b..2b2a74a 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -1792,6 +1792,111 @@ 

[ovs-dev] Creation of network using ovs in Docker

2018-07-09 Thread Sandeep Adapala
Hello All,

I am planning to have 2 containers talk to each other using an ovs-dpdk
interface on the same host. This is how I started installing OVN on Docker.

http://docs.openvswitch.org/en/latest/howto/docker/#the-overlay-mode

I was trying to create a network using docker but I get the same error
every time; not sure what I am doing wrong. Can you please help me out?


NID=`sudo docker network create -d openvswitch --subnet=192.168.1.0/24 foo`
Error response from daemon: remote: create_network: lswitch-add Fatal error
executing ['ovn-nbctl', '--timeout=5', '-vconsole:off', '--db=tcp:
192.168.14.33:6642', 'lswitch-add', u'6caabc22601b17134a4c54cc33be18
fcf3653377be99609969cc971c5f749db7', '--', 'set', 'Logical_Switch', u'
6caabc22601b17134a4c54cc33be18fcf3653377be99609969cc971c5f749db7',
u'external_ids:subnet=192.168.1.0/24', u'external_ids:gateway_ip=192.
168.1.1']


Regards,
Sandeep


[ovs-dev] [patch v7 8/9] ipf: Add set maximum fragments supported command.

2018-07-09 Thread Darrell Ball
A new command "ovs-appctl dpctl/ipf-set-max-nfrags" is added
for userspace datapath conntrack fragmentation support.

Signed-off-by: Darrell Ball 
---
 NEWS|  2 ++
 lib/ct-dpif.c   |  8 
 lib/ct-dpif.h   |  1 +
 lib/dpctl.c | 30 ++
 lib/dpctl.man   |  8 
 lib/dpif-netdev.c   |  8 
 lib/dpif-netlink.c  |  1 +
 lib/dpif-provider.h |  2 ++
 lib/ipf.c   | 10 ++
 lib/ipf.h   |  2 ++
 10 files changed, 72 insertions(+)

diff --git a/NEWS b/NEWS
index 9ab9970..2b22a84 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ Post-v2.9.0
conntrack fragmentation support.
  * New "ovs-appctl dpctl/ipf-set-min-frag" command for userspace
datapath conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-set-max-nfrags" command for userspace datapath
+   conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index d5596af..ee23a4d 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -180,6 +180,14 @@ ct_dpif_ipf_set_min_frag(struct dpif *dpif, bool v6, 
uint32_t min_frag)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_ipf_set_max_nfrags(struct dpif *dpif, uint32_t max_frags)
+{
+return (dpif->dpif_class->ipf_set_max_nfrags
+? dpif->dpif_class->ipf_set_max_nfrags(dpif, max_frags)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index f8a3192..2286dfb 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -202,6 +202,7 @@ int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t 
*maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
 int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
 int ct_dpif_ipf_set_min_frag(struct dpif *, bool, uint32_t);
+int ct_dpif_ipf_set_max_nfrags(struct dpif *, uint32_t);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpctl.c b/lib/dpctl.c
index e74d713..ab0f60b 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -1764,6 +1764,34 @@ dpctl_ipf_set_min_frag(int argc, const char *argv[],
 return error;
 }
 
+static int
+dpctl_ipf_set_max_nfrags(int argc, const char *argv[],
+ struct dpctl_params *dpctl_p)
+{
+struct dpif *dpif;
+int error = opt_dpif_open(argc, argv, dpctl_p, 3, );
+if (!error) {
+uint32_t nfrags_max;
+if (ovs_scan(argv[argc - 1], "%"SCNu32, _max)) {
+error = ct_dpif_ipf_set_max_nfrags(dpif, nfrags_max);
+if (!error) {
+dpctl_print(dpctl_p,
+"setting maximum fragments successful");
+} else {
+dpctl_error(dpctl_p, error,
+"setting maximum fragments failed");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing for maximum fragments");
+}
+dpif_close(dpif);
+}
+
+return error;
+}
+
 /* Undocumented commands for unit testing. */
 
 static int
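Review bot: in dpctl_ipf_set_max_nfrags() the else branch of the ovs_scan() check reports "parameter missing for maximum fragments", but that branch is also reached when the argument is present and simply fails to parse as a uint32_t, so the message misleads in that case; something like "invalid value for maximum fragments" covers both. The failure message after ct_dpif_ipf_set_max_nfrags() likewise gives the user no hint of the accepted range.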
@@ -2069,6 +2097,8 @@ static const struct dpctl_command all_commands[] = {
dpctl_ipf_set_disabled, DP_RW },
 { "ipf-set-min-frag", "[dp] v4 | v6 minfragment", 2, 3,
dpctl_ipf_set_min_frag, DP_RW },
+{ "ipf-set-max-nfrags", "[dp] maxfrags", 1, 2,
+   dpctl_ipf_set_max_nfrags, DP_RW },
 { "help", "", 0, INT_MAX, dpctl_help, DP_RO },
 { "list-commands", "", 0, INT_MAX, dpctl_list_commands, DP_RO },
 
diff --git a/lib/dpctl.man b/lib/dpctl.man
index 900900d..c6c4a87 100644
--- a/lib/dpctl.man
+++ b/lib/dpctl.man
@@ -296,3 +296,11 @@ must be specified.  The default v4 value is 1200 and the 
clamped minimum is
 400.  The default v6 value is 1280, with a clamped minimum of 400, for
 testing flexibility.  The maximum frag size is not clamped, however setting
 this value too high might result in valid fragments being dropped.
+.
+.TP
+\*(DX\fBipf\-set\-max\-nfrags\fR [\fIdp\fR] \fImaxfrags\fR
+Sets the maximum number of fragments tracked by the userspace datapath
+connection tracker.  The default value is 1000 and the clamped maximum
+is 5000.  Note that packet buffers can be held by the fragmentation
+module while fragments are incomplete, but will timeout after 15 seconds.
+Memory pool sizing should be set accordingly when fragmentation is enabled.
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 653c313..76bc1d9 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -6546,6 +6546,13 @@ dpif_netdev_ipf_set_min_frag(struct dpif *dpif 
OVS_UNUSED, bool v6,
 return ipf_set_min_frag(v6, min_frag);
 }
 
+static int

[ovs-dev] [patch v7 7/9] ipf: Add set minimum fragment size command.

2018-07-09 Thread Darrell Ball
A new command "ovs-appctl dpctl/ipf-set-min-frag" is added
for userspace datapath conntrack fragmentation support.

Signed-off-by: Darrell Ball 
---
 NEWS |  2 ++
 lib/ct-dpif.c|  8 
 lib/ct-dpif.h|  1 +
 lib/dpctl.c  | 40 
 lib/dpctl.man|  9 +
 lib/dpif-netdev.c|  8 
 lib/dpif-netlink.c   |  1 +
 lib/dpif-provider.h  |  2 ++
 lib/ipf.c| 23 +++
 lib/ipf.h|  2 ++
 tests/system-kmod-macros.at  |  8 
 tests/system-traffic.at  | 34 --
 tests/system-userspace-macros.at | 13 +
 13 files changed, 141 insertions(+), 10 deletions(-)

diff --git a/NEWS b/NEWS
index 96fa05b..9ab9970 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,8 @@ Post-v2.9.0
conntrack fragmentation support.
  * New "ovs-appctl dpctl/ipf-set-disabled" command for userspace datapath
conntrack fragmentation support.
+ * New "ovs-appctl dpctl/ipf-set-min-frag" command for userspace
+   datapath conntrack fragmentation support.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index b1f29dc..d5596af 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -172,6 +172,14 @@ ct_dpif_ipf_set_enabled(struct dpif *dpif, bool v6, bool 
enable)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_ipf_set_min_frag(struct dpif *dpif, bool v6, uint32_t min_frag)
+{
+return (dpif->dpif_class->ipf_set_min_frag
+? dpif->dpif_class->ipf_set_min_frag(dpif, v6, min_frag)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index bd6234d..f8a3192 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -201,6 +201,7 @@ int ct_dpif_set_maxconns(struct dpif *dpif, uint32_t 
maxconns);
 int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t *maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
 int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable);
+int ct_dpif_ipf_set_min_frag(struct dpif *, bool, uint32_t);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpctl.c b/lib/dpctl.c
index ad7ca8d..e74d713 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -1726,6 +1726,44 @@ dpctl_ipf_set_disabled(int argc, const char *argv[],
 return ipf_set_enabled__(argc, argv, dpctl_p, false);
 }
 
+static int
+dpctl_ipf_set_min_frag(int argc, const char *argv[],
+   struct dpctl_params *dpctl_p)
+{
+struct dpif *dpif;
+int error = opt_dpif_open(argc, argv, dpctl_p, 4, );
+if (!error) {
+char v4_or_v6[3] = {0};
+if (ovs_scan(argv[argc - 2], "%2s", v4_or_v6) &&
+(!strncmp(v4_or_v6, "v4", 2) || !strncmp(v4_or_v6, "v6", 2))) {
+uint32_t min_fragment;
+if (ovs_scan(argv[argc - 1], "%"SCNu32, _fragment)) {
+error = ct_dpif_ipf_set_min_frag(
+dpif, !strncmp(v4_or_v6, "v6", 2), min_fragment);
+if (!error) {
+dpctl_print(dpctl_p,
+"setting minimum fragment size successful");
+} else {
+dpctl_error(dpctl_p, error,
+"requested minimum fragment size too small;"
+" see documentation");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing for minimum fragment size");
+}
+} else {
+error = EINVAL;
+dpctl_error(dpctl_p, error,
+"parameter missing: v4 for ipv4 or v6 for ipv6");
+}
+dpif_close(dpif);
+}
+
+return error;
+}
+
 /* Undocumented commands for unit testing. */
 
 static int
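Review bot: in dpctl_ipf_set_min_frag() any non-zero return from ct_dpif_ipf_set_min_frag() is reported as "requested minimum fragment size too small", yet the wrapper added in this same patch returns EOPNOTSUPP when the datapath class has no ipf_set_min_frag callback. A user on such a datapath would be told to pick a larger value when the command is in fact unsupported; the message should either be neutral or be chosen from the error code.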
@@ -2029,6 +2067,8 @@ static const struct dpctl_command all_commands[] = {
dpctl_ipf_set_enabled, DP_RW },
 { "ipf-set-disabled", "[dp] v4 | v6", 1, 2,
dpctl_ipf_set_disabled, DP_RW },
+{ "ipf-set-min-frag", "[dp] v4 | v6 minfragment", 2, 3,
+   dpctl_ipf_set_min_frag, DP_RW },
 { "help", "", 0, INT_MAX, dpctl_help, DP_RO },
 { "list-commands", "", 0, INT_MAX, dpctl_list_commands, DP_RO },
 
diff --git a/lib/dpctl.man b/lib/dpctl.man
index 43d161a..900900d 100644
--- a/lib/dpctl.man
+++ b/lib/dpctl.man
@@ -287,3 +287,12 @@ after conntrack.  Both v4 and v6 are enabled by default.
 Disables fragmentation handling for the userspace datapath connection
 

[ovs-dev] [patch v7 5/9] Userspace datapath: Add fragmentation handling.

2018-07-09 Thread Darrell Ball
Fragmentation handling is added for supporting conntrack.
Both v4 and v6 are supported.

After discussion with several people, I decided to not store
configuration state in the database to be more consistent with
the kernel in future, similarity with other conntrack configuration
which will not be in the database as well and overall simplicity.
Accordingly, fragmentation handling is enabled by default.

This patch enables fragmentation tests for the userspace datapath.

Signed-off-by: Darrell Ball 
---
 NEWS |2 +
 include/sparse/netinet/ip6.h |1 +
 lib/automake.mk  |2 +
 lib/conntrack.c  |   13 +-
 lib/ipf.c| 1266 ++
 lib/ipf.h|   60 ++
 tests/system-kmod-macros.at  |   10 +-
 tests/system-traffic.at  |   30 +-
 tests/system-userspace-macros.at |   26 +-
 9 files changed, 1365 insertions(+), 45 deletions(-)
 create mode 100644 lib/ipf.c
 create mode 100644 lib/ipf.h

diff --git a/NEWS b/NEWS
index 92e9b92..e0418a5 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ Post-v2.9.0
  * ovs-ofctl now accepts and display table names in place of numbers.  By
default it always accepts names and in interactive use it displays them;
use --names or --no-names to override.  See ovs-ofctl(8) for details.
+   - Userspace datapath:
+ * Add v4/v6 fragmentation support for conntrack.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
diff --git a/include/sparse/netinet/ip6.h b/include/sparse/netinet/ip6.h
index d2a54de..bfa637a 100644
--- a/include/sparse/netinet/ip6.h
+++ b/include/sparse/netinet/ip6.h
@@ -64,5 +64,6 @@ struct ip6_frag {
 };
 
 #define IP6F_OFF_MASK ((OVS_FORCE ovs_be16) 0xfff8)
+#define IP6F_MORE_FRAG ((OVS_FORCE ovs_be16) 0x0001)
 
 #endif /* netinet/ip6.h sparse */
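Review bot: `IP6F_MORE_FRAG` is a raw `0x0001` force-cast to `ovs_be16`, which selects the M bit only when the host is big-endian. It follows the style of `IP6F_OFF_MASK` just above, so it is presumably acceptable for a header that exists for sparse type checking, but a one-line comment saying these constants are not meant for runtime use on little-endian builds would keep anyone from copying them elsewhere.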
diff --git a/lib/automake.mk b/lib/automake.mk
index fb43aa1..142587f 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -107,6 +107,8 @@ lib_libopenvswitch_la_SOURCES = \
lib/hmapx.h \
lib/id-pool.c \
lib/id-pool.h \
+   lib/ipf.c \
+   lib/ipf.h \
lib/jhash.c \
lib/jhash.h \
lib/json.c \
diff --git a/lib/conntrack.c b/lib/conntrack.c
index 30941ff..e1c1f2e 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -30,6 +30,7 @@
 #include "ct-dpif.h"
 #include "dp-packet.h"
 #include "flow.h"
+#include "ipf.h"
 #include "netdev.h"
 #include "odp-netlink.h"
 #include "openvswitch/hmap.h"
@@ -339,6 +340,7 @@ conntrack_init(struct conntrack *ct)
 atomic_init(>n_conn_limit, DEFAULT_N_CONN_LIMIT);
 latch_init(>clean_thread_exit);
 ct->clean_thread = ovs_thread_create("ct_clean", clean_thread_main, ct);
+ipf_init();
 }
 
 /* Destroys the connection tracker 'ct' and frees all the allocated memory. */
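Review bot: `ipf_init()` takes no argument while `conntrack_init()` operates on a specific `struct conntrack *ct`, so the fragment state appears to be process-global. If a second conntrack instance is ever initialised, this runs the init again over live state, and the matching `ipf_destroy()` in `conntrack_destroy()` would tear it down under the other instance. Either pass `ct` through and hang the ipf state off it, or guard the init/destroy pair so it is idempotent and reference-counted. Also note that the call comes after `ovs_thread_create("ct_clean", ...)`; if anything on that thread can reach ipf state, the init should precede it.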
@@ -381,6 +383,7 @@ conntrack_destroy(struct conntrack *ct)
 hindex_destroy(>alg_expectation_refs);
 ct_rwlock_unlock(>resources_lock);
 ct_rwlock_destroy(>resources_lock);
+ipf_destroy();
 }
 
 static unsigned hash_to_bucket(uint32_t hash)
@@ -1292,7 +1295,8 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
 
 /* Sends the packets in '*pkt_batch' through the connection tracker 'ct'.  All
  * the packets must have the same 'dl_type' (IPv4 or IPv6) and should have
- * the l3 and and l4 offset properly set.
+ * the l3 and and l4 offset properly set.  Performs fragment reassembly with
+ * the help of ipf_preprocess_conntrack().
  *
  * If 'commit' is true, the packets are allowed to create new entries in the
  * connection tables.  'setmark', if not NULL, should point to a two
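Review bot: The rewritten comment line still reads "the l3 and and l4 offset"; since the line is being touched anyway, drop the doubled "and". The added sentence mentions `ipf_preprocess_conntrack()` only, although the function also calls `ipf_postprocess_conntrack()`; name both, and say that packets may be held back or re-injected into 'pkt_batch' if that is what reassembly does, because callers reading this comment need to know the batch contents can change.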
@@ -1307,11 +1311,14 @@ conntrack_execute(struct conntrack *ct, struct 
dp_packet_batch *pkt_batch,
   const struct nat_action_info_t *nat_action_info,
   long long now)
 {
+ipf_preprocess_conntrack(pkt_batch, now, dl_type, zone, ct->hash_basis);
+
 struct dp_packet *packet;
 struct conn_lookup_ctx ctx;
 
 DP_PACKET_BATCH_FOR_EACH (i, packet, pkt_batch) {
-if (!conn_key_extract(ct, packet, dl_type, , zone)) {
+if (packet->md.ct_state == CS_INVALID
+|| !conn_key_extract(ct, packet, dl_type, , zone)) {
 packet->md.ct_state = CS_INVALID;
 write_ct_md(packet, zone, NULL, NULL, NULL);
 continue;
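Review bot: The new guard `packet->md.ct_state == CS_INVALID` uses equality on a field that is a bitmask of `CS_*` flags, so a packet that carries CS_INVALID together with any other bit will not match and will fall through to `conn_key_extract()`. Use `packet->md.ct_state & CS_INVALID` unless the exact-value match is intended, in which case say so in a comment. The check also reads `ct_state` as it arrives, so a packet that was marked invalid by an earlier pass and then sent through conntrack again is now skipped without key extraction; if the flag is meant only as a signal from `ipf_preprocess_conntrack()`, a dedicated marker would avoid changing behaviour for those packets.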
@@ -1320,6 +1327,8 @@ conntrack_execute(struct conntrack *ct, struct 
dp_packet_batch *pkt_batch,
 setlabel, nat_action_info, tp_src, tp_dst, helper);
 }
 
+ipf_postprocess_conntrack(pkt_batch, now, dl_type);
+
 return 0;
 }
 
diff --git a/lib/ipf.c b/lib/ipf.c
new file mode 100644
index 000..2c26e1f
--- /dev/null
+++ b/lib/ipf.c
@@ -0,0 +1,1266 @@
+/*
+ * Copyright (c) 2018 Nicira, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not 

[ovs-dev] [patch v7 4/9] conntrack: Reword conntrack_execute() description.

2018-07-09 Thread Darrell Ball
Use 'must' instead of 'should'.

Signed-off-by: Darrell Ball 
---
 lib/conntrack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index efe8a18..30941ff 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1291,7 +1291,7 @@ process_one(struct conntrack *ct, struct dp_packet *pkt,
 }
 
 /* Sends the packets in '*pkt_batch' through the connection tracker 'ct'.  All
- * the packets should have the same 'dl_type' (IPv4 or IPv6) and should have
+ * the packets must have the same 'dl_type' (IPv4 or IPv6) and should have
  * the l3 and and l4 offset properly set.
  *
  * If 'commit' is true, the packets are allowed to create new entries in the
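Review bot: The changed line replaces only the first "should" with "must" and keeps "and should have the l3 and and l4 offset properly set" on the same sentence. If a wrong l3/l4 offset is also a hard precondition for `conntrack_execute()`, make that "must" as well. The doubled "and and" on the following context line is worth fixing in the same patch since this is a comment-only change.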
-- 
1.9.1



[ovs-dev] [patch v7 2/9] flow: Enhance parse_ipv6_ext_hdrs.

2018-07-09 Thread Darrell Ball
Enhance the API parse_ipv6_ext_hdrs to return the
fragmentation header to be used in later patches.

Signed-off-by: Darrell Ball 
Acked-by: Justin Pettit 
---
 lib/conntrack.c |  4 ++--
 lib/flow.c  | 31 +--
 lib/flow.h  |  3 ++-
 3 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 97fd46a..efe8a18 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -1307,7 +1307,6 @@ conntrack_execute(struct conntrack *ct, struct 
dp_packet_batch *pkt_batch,
   const struct nat_action_info_t *nat_action_info,
   long long now)
 {
-
 struct dp_packet *packet;
 struct conn_lookup_ctx ctx;
 
@@ -1555,7 +1554,8 @@ extract_l3_ipv6(struct conn_key *key, const void *data, 
size_t size,
 uint8_t nw_proto = ip6->ip6_nxt;
 uint8_t nw_frag = 0;
 
-if (!parse_ipv6_ext_hdrs(, , _proto, _frag)) {
+const struct ovs_16aligned_ip6_frag *frag_hdr;
+if (!parse_ipv6_ext_hdrs(, , _proto, _frag, _hdr)) {
 return false;
 }
 
diff --git a/lib/flow.c b/lib/flow.c
index a785e63..8c4baf0 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -453,9 +453,14 @@ invalid:
 return true;
 }
 
+/* datap points to the first extension header and advances as parsing
+ * occurs; sizep is the remaining size and is decreased accordingly.
+ * nw_proto starts as the first extension header to process and is
+ * updated as the extension headers are parsed. */
 static inline bool
 parse_ipv6_ext_hdrs__(const void **datap, size_t *sizep, uint8_t *nw_proto,
-  uint8_t *nw_frag)
+  uint8_t *nw_frag,
+  const struct ovs_16aligned_ip6_frag **frag_hdr)
 {
 while (1) {
 if (OVS_LIKELY((*nw_proto != IPPROTO_HOPOPTS)
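Review bot: The new comment above `parse_ipv6_ext_hdrs__()` documents `datap`, `sizep` and `nw_proto` but not the `frag_hdr` out-parameter this patch adds, nor `nw_frag`. Please state that `*frag_hdr` points into the caller's packet data (so it is valid only as long as that buffer is), and what it holds when the packet has no fragment header or when the function returns false.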
@@ -502,17 +507,17 @@ parse_ipv6_ext_hdrs__(const void **datap, size_t *sizep, 
uint8_t *nw_proto,
 return false;
 }
 } else if (*nw_proto == IPPROTO_FRAGMENT) {
-const struct ovs_16aligned_ip6_frag *frag_hdr = *datap;
+*frag_hdr = *datap;
 
-*nw_proto = frag_hdr->ip6f_nxt;
-if (!data_try_pull(datap, sizep, sizeof *frag_hdr)) {
+*nw_proto = (*frag_hdr)->ip6f_nxt;
+if (!data_try_pull(datap, sizep, sizeof **frag_hdr)) {
 return false;
 }
 
 /* We only process the first fragment. */
-if (frag_hdr->ip6f_offlg != htons(0)) {
+if ((*frag_hdr)->ip6f_offlg != htons(0)) {
 *nw_frag = FLOW_NW_FRAG_ANY;
-if ((frag_hdr->ip6f_offlg & IP6F_OFF_MASK) != htons(0)) {
+if (((*frag_hdr)->ip6f_offlg & IP6F_OFF_MASK) != htons(0)) {
 *nw_frag |= FLOW_NW_FRAG_LATER;
 *nw_proto = IPPROTO_FRAGMENT;
 return true;
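Review bot: `*frag_hdr` is written only inside the `IPPROTO_FRAGMENT` branch, and every caller in this patch declares `const struct ovs_16aligned_ip6_frag *frag_hdr;` without an initialiser, so for a packet with no fragment header the caller is left holding an indeterminate pointer. Nothing reads it yet, but the commit message says later patches will. Set `*frag_hdr = NULL;` at the top of `parse_ipv6_ext_hdrs__()` before the loop so that "no fragment header" is testable, and so that a later caller cannot dereference stack garbage.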
@@ -524,9 +529,11 @@ parse_ipv6_ext_hdrs__(const void **datap, size_t *sizep, 
uint8_t *nw_proto,
 
 bool
 parse_ipv6_ext_hdrs(const void **datap, size_t *sizep, uint8_t *nw_proto,
-uint8_t *nw_frag)
+uint8_t *nw_frag,
+const struct ovs_16aligned_ip6_frag **frag_hdr)
 {
-return parse_ipv6_ext_hdrs__(datap, sizep, nw_proto, nw_frag);
+return parse_ipv6_ext_hdrs__(datap, sizep, nw_proto, nw_frag,
+ frag_hdr);
 }
 
 bool
@@ -877,7 +884,9 @@ miniflow_extract(struct dp_packet *packet, struct miniflow 
*dst)
 nw_ttl = nh->ip6_hlim;
 nw_proto = nh->ip6_nxt;
 
-if (!parse_ipv6_ext_hdrs__(, , _proto, _frag)) {
+const struct ovs_16aligned_ip6_frag *frag_hdr;
+if (!parse_ipv6_ext_hdrs__(, , _proto, _frag,
+   _hdr)) {
 goto out;
 }
 } else {
@@ -1067,7 +1076,9 @@ parse_tcp_flags(struct dp_packet *packet)
 plen = ntohs(nh->ip6_plen); /* Never pull padding. */
 dp_packet_set_l2_pad_size(packet, size - plen);
 size = plen;
-if (!parse_ipv6_ext_hdrs__(, , _proto, _frag)) {
+const struct ovs_16aligned_ip6_frag *frag_hdr;
+if (!parse_ipv6_ext_hdrs__(, , _proto, _frag,
+_hdr)) {
 return 0;
 }
 nw_proto = nh->ip6_nxt;
diff --git a/lib/flow.h b/lib/flow.h
index af7b5e9..e3e30f1 100644
--- a/lib/flow.h
+++ b/lib/flow.h
@@ -130,7 +130,8 @@ void flow_compose(struct dp_packet *, const struct flow *,
 void packet_expand(struct dp_packet *, const struct flow *, size_t size);
 
 bool parse_ipv6_ext_hdrs(const void **datap, size_t *sizep, uint8_t *nw_proto,
- uint8_t *nw_frag);
+ uint8_t *nw_frag,
+ const struct ovs_16aligned_ip6_frag **frag_hdr);
 ovs_be16 parse_dl_type(const struct eth_header *data_, size_t size);
 bool parse_nsh(const void **datap, size_t *sizep, struct ovs_key_nsh *key);
 uint16_t parse_tcp_flags(struct dp_packet *packet);
-- 
1.9.1

