[ovs-dev] [PATCH ovn v2] tests: Fix flaky PMUTD flows test.

2024-06-04 Thread Ales Musil
Add missing sync calls to make sure that the flows are present and
strip the statistics from the flows. Also configure the tunnel keys
explicitly so that they don't change between invocations, and mask
the CT zone values in the load actions.

Fixes: 3faadc76ad71 ("northd: Fix pmtud for non routed traffic.")
Signed-off-by: Ales Musil 
---
v2: Make sure we do not flake on changes of CT zones.
---
 tests/ovn-controller.at | 51 +++--
 1 file changed, 29 insertions(+), 22 deletions(-)

diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
index fc50b6ff8..f5b335a8e 100644
--- a/tests/ovn-controller.at
+++ b/tests/ovn-controller.at
@@ -3024,10 +3024,13 @@ ovs-vsctl add-br br-phys
 ovn_attach n1 br-phys 192.168.0.1
 
 check ovn-nbctl ls-add ls1 \
+-- set logical_switch ls1 other-config:requested-tnl-key=1 \
 -- lsp-add ls1 lsp1 \
 -- lsp-set-addresses lsp1 "00:00:00:00:00:01 192.168.1.1" \
+-- set logical_switch_port lsp1 options:requested-tnl-key=1 \
 -- lsp-add ls1 lsp2 \
--- lsp-set-addresses lsp2 "00:00:00:00:00:02 192.168.1.2"
+-- lsp-set-addresses lsp2 "00:00:00:00:00:02 192.168.1.2" \
+-- set logical_switch_port lsp2 options:requested-tnl-key=2
 
 as hv1
 check ovs-vsctl \
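Review bot: Nothing in the test says why the tunnel keys are pinned with `requested-tnl-key` in this hunk. The expected flows later in the test match on `reg14=0x1`/`reg14=0x2` and `metadata=0x1`, which presumably derive from these keys, so a one-line comment above `check ovn-nbctl ls-add ls1` would keep a later edit from dropping them, e.g. `# Pin datapath and port tunnel keys; the expected flows match on reg14/metadata.` The same applies to the lsp3 key added in the following hunk, which runs past the end of this page.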
@@ -3036,39 +3039,43 @@ check ovs-vsctl \
 -- add-port br-int vif2 \
 -- set Interface vif2 external_ids:iface-id=lsp2
 
+wait_for_ports_up
+check ovn-nbctl --wait=hv sync
+
 AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=OFTABLE_CT_ZONE_LOOKUP | \
-  sed -e 's/cookie=0x.*, duration=.*, table/cookie=??, duration=??, 
table/' | \
-  sed -e 
's/actions=load:0x.*->NXM_NX_REG13/actions=load:0x?->NXM_NX_REG13/' | \
-  grep -v NXST_FLOW |sort], [0], [dnl
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x1,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x2,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+  sed -e 's/load:0x[[0-9]]\+/load:0x?/g' | grep -v NXST_FLOW | \
+  awk '{print $7, $8}' | sort], [0], [dnl
+priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+priority=100,reg14=0x1,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x?->NXM_NX_REG11[[]],load:0x?->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+priority=100,reg14=0x2,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x?->NXM_NX_REG11[[]],load:0x?->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
 ])
 
 check ovn-nbctl lsp-add ls1 lsp3 \
--- lsp-set-addresses lsp3 "00:00:00:00:00:03 192.168.1.3"
+-- lsp-set-addresses lsp3 "00:00:00:00:00:03 192.168.1.3" \
+-- set logical_switch_port lsp3 options:requested-tnl-key=3
 check ovs-vsctl \
 -- add-port br-int vif3 \
 -- set Interface vif3 external_ids:iface-id=lsp3
 
+wait_for_ports_up
+check ovn-nbctl --wait=hv sync
+
 AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=OFTABLE_CT_ZONE_LOOKUP | \
-  sed -e 's/cookie=0x.*, duration=.*, table/cookie=??, duration=??, 
table/' | \
-  sed -e 
's/actions=load:0x.*->NXM_NX_REG13/actions=load:0x?->NXM_NX_REG13/' | \
-  grep -v NXST_FLOW |sort], [0], [dnl
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x1,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x2,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x3,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+  sed -e 's/load:0x[[0-9]]\+/load:0x?/g' | grep -v NXST_FLOW | \
+  awk '{print $7, $8}' | sort], [0], [dnl
+priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+priority=100,reg14=0x1,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[

Re: [ovs-dev] [PATCH ovn] tests: Fix flaky PMUTD flows test.

2024-06-04 Thread Ales Musil
On Tue, Jun 4, 2024 at 2:55 PM Xavier Simonart  wrote:

> Hi Ales
>
> On Tue, Jun 4, 2024 at 2:36 PM Ales Musil  wrote:
>
>>
>>
>> On Tue, Jun 4, 2024 at 2:19 PM Xavier Simonart 
>> wrote:
>>
>>> Hi Ales
>>>
>>> Thanks for the patch.
>>>
>>
>> Hi Xavier,
>>
>> thank you for the review.
>>
>>
>>> On Fri, May 31, 2024 at 2:52 PM Ales Musil  wrote:
>>>
>>>> Add missing sync calls to make sure that the flows are present and
>>>> strip the statistics from the flows.
>>>>
>>>> Fixes: 3faadc76ad71 ("northd: Fix pmtud for non routed traffic.")
>>>> Signed-off-by: Ales Musil 
>>>> ---
>>>>  tests/ovn-controller.at | 42 +++--
>>>>  1 file changed, 24 insertions(+), 18 deletions(-)
>>>>
>>>> diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
>>>> index fc50b6ff8..3d3825cb8 100644
>>>> --- a/tests/ovn-controller.at
>>>> +++ b/tests/ovn-controller.at
>>>> @@ -3036,13 +3036,16 @@ check ovs-vsctl \
>>>>  -- add-port br-int vif2 \
>>>>  -- set Interface vif2 external_ids:iface-id=lsp2
>>>>
>>>> +wait_for_ports_up
>>>> +check ovn-nbctl --wait=hv sync
>>>> +
>>>>  AT_CHECK([as hv1 ovs-ofctl dump-flows br-int
>>>> table=OFTABLE_CT_ZONE_LOOKUP | \
>>>> -  sed -e 's/cookie=0x.*, duration=.*, table/cookie=??,
>>>> duration=??, table/' | \
>>>>sed -e
>>>> 's/actions=load:0x.*->NXM_NX_REG13/actions=load:0x?->NXM_NX_REG13/' | \
>>>> -  grep -v NXST_FLOW |sort], [0], [dnl
>>>> - cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0,
>>>> n_bytes=0, idle_age=0, priority=0
>>>> actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>>>> - cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0,
>>>> n_bytes=0, idle_age=0, priority=100,reg14=0x1,metadata=0x1
>>>> actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>>>> - cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0,
>>>> n_bytes=0, idle_age=0, priority=100,reg14=0x2,metadata=0x1
>>>> actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>>>> +  grep -v NXST_FLOW | \
>>>> +  awk '{print $7, $8}' | sort], [0], [dnl
>>>> +priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>>>> +priority=100,reg14=0x1,metadata=0x1
>>>> actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>>>> +priority=100,reg14=0x2,metadata=0x1
>>>> actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>>>>  ])
>>>>
>>>> In addition to your change, I have seen a different kind of failure for
>>> this test: on some systems, the test always fails because ct_zones id are
>>> different, and hence reg11 and reg12 are filled with different values.
>>> I think that this happens depending on whether the system uses murmur or
>>> crc for hashing.
>>> Hence, I think we should also sed/replace the values loaded in reg11 and
>>> reg12 as we do for reg13.
>>> Same comment applies to the similar checks below.
>>> I have such a system where tests are failing. So, if it's easier for
>>> you, let me know if you'd like me to apply a further patch, or test your
>>> changes, or provide access to the system.
>>>
>>
>> It makes sense, I agree that we should replace all loads and the reg
>> values, which makes me wonder if it isn't actually better to just count the
>> flows instead WDYT?
>>
> In fact, I was wondering about almost the opposite (:-)) - we could query
> the ct-zone-list to find out the zone_id and check whether the flows are
> exactly what we expect. But then I found that to be really overkill.
> So, I think that checking the flows (w/ zone-id hidden) seemed a correct
> trade-off. Also, it makes the test easier to understand (we know what we
> expect), and make debugging easier if the test fails.
> WDYT?
>

I'll do that in v2. Thanks


>
>>
>>>
>>>  check ovn-nbctl lsp-

Re: [ovs-dev] [PATCH ovn] tests: Fix flaky PMUTD flows test.

2024-06-04 Thread Ales Musil
On Tue, Jun 4, 2024 at 2:19 PM Xavier Simonart  wrote:

> Hi Ales
>
> Thanks for the patch.
>

Hi Xavier,

thank you for the review.


> On Fri, May 31, 2024 at 2:52 PM Ales Musil  wrote:
>
>> Add missing sync calls to make sure that the flows are present and
>> strip the statistics from the flows.
>>
>> Fixes: 3faadc76ad71 ("northd: Fix pmtud for non routed traffic.")
>> Signed-off-by: Ales Musil 
>> ---
>>  tests/ovn-controller.at | 42 +++--
>>  1 file changed, 24 insertions(+), 18 deletions(-)
>>
>> diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
>> index fc50b6ff8..3d3825cb8 100644
>> --- a/tests/ovn-controller.at
>> +++ b/tests/ovn-controller.at
>> @@ -3036,13 +3036,16 @@ check ovs-vsctl \
>>  -- add-port br-int vif2 \
>>  -- set Interface vif2 external_ids:iface-id=lsp2
>>
>> +wait_for_ports_up
>> +check ovn-nbctl --wait=hv sync
>> +
>>  AT_CHECK([as hv1 ovs-ofctl dump-flows br-int
>> table=OFTABLE_CT_ZONE_LOOKUP | \
>> -  sed -e 's/cookie=0x.*, duration=.*, table/cookie=??,
>> duration=??, table/' | \
>>sed -e
>> 's/actions=load:0x.*->NXM_NX_REG13/actions=load:0x?->NXM_NX_REG13/' | \
>> -  grep -v NXST_FLOW |sort], [0], [dnl
>> - cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0,
>> n_bytes=0, idle_age=0, priority=0
>> actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>> - cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0,
>> n_bytes=0, idle_age=0, priority=100,reg14=0x1,metadata=0x1
>> actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>> - cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0,
>> n_bytes=0, idle_age=0, priority=100,reg14=0x2,metadata=0x1
>> actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>> +  grep -v NXST_FLOW | \
>> +  awk '{print $7, $8}' | sort], [0], [dnl
>> +priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>> +priority=100,reg14=0x1,metadata=0x1
>> actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>> +priority=100,reg14=0x2,metadata=0x1
>> actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>>  ])
>>
>> In addition to your change, I have seen a different kind of failure for
> this test: on some systems, the test always fails because ct_zones id are
> different, and hence reg11 and reg12 are filled with different values.
> I think that this happens depending on whether the system uses murmur or
> crc for hashing.
> Hence, I think we should also sed/replace the values loaded in reg11 and
> reg12 as we do for reg13.
> Same comment applies to the similar checks below.
> I have such a system where tests are failing. So, if it's easier for you,
> let me know if you'd like me to apply a further patch, or test your
> changes, or provide access to the system.
>

It makes sense, I agree that we should replace all loads and the reg
values, which makes me wonder if it isn't actually better to just count the
flows instead WDYT?


>
>  check ovn-nbctl lsp-add ls1 lsp3 \
>> @@ -3051,24 +3054,27 @@ check ovs-vsctl \
>>  -- add-port br-int vif3 \
>>  -- set Interface vif3 external_ids:iface-id=lsp3
>>
>> +wait_for_ports_up
>> +check ovn-nbctl --wait=hv sync
>> +
>>  AT_CHECK([as hv1 ovs-ofctl dump-flows br-int
>> table=OFTABLE_CT_ZONE_LOOKUP | \
>> -  sed -e 's/cookie=0x.*, duration=.*, table/cookie=??,
>> duration=??, table/' | \
>>sed -e
>> 's/actions=load:0x.*->NXM_NX_REG13/actions=load:0x?->NXM_NX_REG13/' | \
>> -  grep -v NXST_FLOW |sort], [0], [dnl
>> - cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0,
>> n_bytes=0, idle_age=0, priority=0
>> actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>> - cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0,
>> n_bytes=0, idle_age=0, priority=100,reg14=0x1,metadata=0x1
>> actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
>> - cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0,
>> n_bytes=0, idle_age=0, priority=100,reg14=0x2,metadata=0x1
>> actions=load:0x?->NXM_NX_REG13[[0

Re: [ovs-dev] [PATCH] ofproto: Add upcall/dump-ufid-rules command to map UFIDs to OpenFlow.

2024-06-04 Thread Ales Musil
fd6c5ea6..47bbde35e5d3 100644
> --- a/tests/ofproto-dpif.at
> +++ b/tests/ofproto-dpif.at
> @@ -12136,3 +12136,42 @@ AT_CHECK([test 1 = `ovs-ofctl parse-pcap
> p2-tx.pcap | wc -l`])
>
>  OVS_VSWITCHD_STOP
>  AT_CLEANUP
> +
> +AT_SETUP([ofproto-dpif - dump-ufid-rules])
> +OVS_VSWITCHD_START(
> +[add-port br0 p1 \
> +   -- set bridge br0 datapath-type=dummy \
> +   -- set interface p1 type=dummy-pmd \
> +   -- add-port br0 p2 \
> +   -- set interface p2 type=dummy-pmd
> +], [], [], [DUMMY_NUMA])
> +
> +dnl Add some OpenFlow rules and groups.
> +AT_DATA([groups.txt], [dnl
> +
> group_id=1,type=select,selection_method=dp_hash,bucket=bucket_id:0,weight:100,actions=ct(commit,table=2,nat(dst=20.0.0.2))
> +])
> +AT_DATA([flows.txt], [dnl
>
> +table=0,priority=100,cookie=0x12345678,in_port=p1,ip,nw_dst=10.0.0.2,actions=resubmit(,1)
> +table=1,priority=200,actions=group:1
> +table=2,actions=p2
> +])
> +AT_CHECK([ovs-ofctl add-groups br0 groups.txt])
> +AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
> +
> +AT_CHECK([ovs-appctl netdev-dummy/receive p1
> 'ipv4(src=10.0.0.1,dst=10.0.0.2,proto=6),tcp(src=1,dst=2)'])
> +
> +OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/dump-flows | sed 's/.*core:
> [[0-9]]*//' | sort], [
> +recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=10.0.0.2,frag=no),
> packets:0, bytes:0, used:never, actions:hash(l4(0)),recirc(0x1)
> +recirc_id(0x1),dp_hash(0xfbe73382/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no),
> packets:0, bytes:0, used:never,
> actions:ct(commit,nat(dst=20.0.0.2)),recirc(0x2)
> +recirc_id(0x2),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no),
> packets:0, bytes:0, used:never, actions:2])
> +
> +ufids=$(ovs-appctl dpctl/dump-flows -m | match_ufid)
> +AT_CHECK([for ufid in $ufids; do ovs-appctl upcall/dump-ufid-rules $ufid
> pmd=0; done | sort], [0], [dnl
> +cookie=0x0, table=1 priority=200,actions=group:1
> +cookie=0x0, table=2 actions=output:1
> +cookie=0x12345678, table=0
> priority=100,ip,in_port=2,nw_dst=10.0.0.2,actions=resubmit(,1)
>
> +group_id=1,selection_method=dp_hash,bucket=bucket_id:0,weight:100,actions=ct(commit,table=2,nat(dst=20.0.0.2))
> +])
> +
> +OVS_VSWITCHD_STOP
> +AT_CLEANUP
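Review bot: The expected datapath flow in `OVS_WAIT_UNTIL_EQUAL` hard-codes `dp_hash(0xfbe73382/0xf)`, and the `sed` in front of it strips only the `core:` prefix. If the hash value depends on the build's hash implementation, which seems likely but is not visible here, the wait would time out on some platforms for a reason unrelated to the new command. Masking the value in the same `sed` call, for example with `s/dp_hash(0x[[0-9a-f]]*/dp_hash(0x?/`, and writing `dp_hash(0x?/0xf)` in the expected text would avoid that.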
> diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
> index c22fb3c79c3f..a5997902c09c 100644
> --- a/tests/ofproto-macros.at
> +++ b/tests/ofproto-macros.at
> @@ -140,6 +140,10 @@ strip_ufid () {
>  s/ufid:[[-0-9a-f]]* //'
>  }
>
> +match_ufid () {
> +grep -oE 'ufid:[[-0-9a-f]]+' | sort -u
> +}
> +
>  # Strips packets: and bytes: from output
>  strip_stats () {
>  sed 's/packets:[[0-9]]*/packets:0/
> --
> 2.44.0
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Looks good to me, thanks.

Reviewed-by: Ales Musil 

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


Re: [ovs-dev] [PATCH ovn v4] Text respresntations for drop sampling.

2024-06-03 Thread Ales Musil
P_LEN, \
>  STAGE, PRIORITY, MATCH, ACTIONS, \
>  STAGE_HINT, LFLOW_REF) \
>  lflow_table_add_lflow(LFLOW_TABLE, NULL, DP_BITMAP, DP_BITMAP_LEN,
> STAGE, \
>PRIORITY, MATCH, ACTIONS, NULL, NULL,
> STAGE_HINT, \
> -  OVS_SOURCE_LOCATOR, LFLOW_REF)
> +  OVS_SOURCE_LOCATOR, NULL, LFLOW_REF)
>
>  #define ovn_lflow_add_default_drop(LFLOW_TABLE, OD, STAGE, LFLOW_REF)   \
>  lflow_table_add_lflow_default_drop(LFLOW_TABLE, OD, STAGE, \
> @@ -126,13 +127,19 @@ void lflow_table_add_lflow_default_drop(struct
> lflow_table *,
>STAGE_HINT, LFLOW_REF) \
>  lflow_table_add_lflow(LFLOW_TABLE, OD, NULL, 0, STAGE, PRIORITY,
> MATCH, \
>ACTIONS, IN_OUT_PORT, NULL, STAGE_HINT, \
> -  OVS_SOURCE_LOCATOR, LFLOW_REF)
> +  OVS_SOURCE_LOCATOR, NULL, LFLOW_REF)
>
>  #define ovn_lflow_add(LFLOW_TABLE, OD, STAGE, PRIORITY, MATCH, ACTIONS, \
>LFLOW_REF) \
>  lflow_table_add_lflow(LFLOW_TABLE, OD, NULL, 0, STAGE, PRIORITY,
> MATCH, \
>ACTIONS, NULL, NULL, NULL, OVS_SOURCE_LOCATOR, \
> -  LFLOW_REF)
> +  NULL, LFLOW_REF)
> +
> +#define ovn_lflow_add_with_desc(LFLOW_TABLE, OD, STAGE, PRIORITY, MATCH, \
> +DESCRIPTION, LFLOW_REF) \
> +lflow_table_add_lflow(LFLOW_TABLE, OD, NULL, 0, STAGE, PRIORITY,
> MATCH, \
> +  debug_drop_action(), NULL, NULL, NULL,  \
> +  OVS_SOURCE_LOCATOR, DESCRIPTION, LFLOW_REF)
>
>  #define ovn_lflow_metered(LFLOW_TABLE, OD, STAGE, PRIORITY, MATCH,
> ACTIONS, \
>CTRL_METER, LFLOW_REF) \
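Review bot: `ovn_lflow_add_with_desc` takes no ACTIONS argument and always passes `debug_drop_action()`, so despite its generic name it can only add drop flows. Either name it for what it does, for instance `ovn_lflow_add_drop_with_desc`, or put a comment above the macro such as `/* Adds a drop lflow (debug_drop_action()) annotated with DESCRIPTION. */`. The same macro appears in the v3 copy of this patch quoted further down the page.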
> @@ -186,4 +193,4 @@ dec_ovn_dp_group_ref(struct hmap *dp_groups, struct
> ovn_dp_group *dpg)
>  }
>  }
>
> -#endif /* LFLOW_MGR_H */
> \ No newline at end of file
> +#endif /* LFLOW_MGR_H */
> diff --git a/northd/northd.c b/northd/northd.c
> index a78cbcd53..dfb2a1cd0 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -8743,8 +8743,9 @@ build_lswitch_lflows_l2_unknown(struct ovn_datapath
> *od,
>"outport = \""MC_UNKNOWN "\"; output;",
>lflow_ref);
>  } else {
> -ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 50,
> -  "outport == \"none\"",  debug_drop_action(),
> +ovn_lflow_add_with_desc(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 50,
> +  "outport == \"none\"",
> +  "No L2 destination",
>lflow_ref);
>  }
>  ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 0, "1",
> diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema
> index b6c051ae6..dc3384d29 100644
> --- a/ovn-sb.ovsschema
> +++ b/ovn-sb.ovsschema
> @@ -1,7 +1,7 @@
>  {
>  "name": "OVN_Southbound",
>  "version": "20.34.0",
> -"cksum": "2786607656 31376",
> +"cksum": "3752487770 31501",
>  "tables": {
>  "SB_Global": {
>  "columns": {
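Review bot: The `"version": "20.34.0"` line stays untouched context here even though `cksum` changes and a later hunk in this file adds the `flow_desc` column. Unless the version was already raised elsewhere in this release cycle, a column addition would normally come with a schema version bump, e.g. `"version": "20.35.0"`, so that clients can tell the two schemas apart. The v3 copy quoted further down the page has the same hunk.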
> @@ -116,7 +116,9 @@
>   "min": 0, "max": 1}},
>  "external_ids": {
>  "type": {"key": "string", "value": "string",
> - "min": 0, "max": "unlimited"}}},
> + "min": 0, "max": "unlimited"}},
> +"flow_desc": {"type": {"key": {"type": "string"},
> + "min": 0, "max": 1}}},
>  "isRoot": true},
>  "Logical_DP_Group": {
>  "columns": {
> diff --git a/ovn-sb.xml b/ovn-sb.xml
> index 507a0b571..496c5a242 100644
> --- a/ovn-sb.xml
> +++ b/ovn-sb.xml
> @@ -2913,6 +2913,11 @@ tcp.flags = RST;
>ovn-controller.
>  
>
> +
> +  Human-readable explanation of the flow, this is optional and used
> +  to provide context for the given flow.
> +
> +
>  
>Human-readable name for this flow's stage in the pipeline.
>  
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index f3ffb4a6d..fc9abdeaf 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -12439,6 +12439,21 @@ AT_CHECK([grep -e "DHCP_RELAY_" lflows | sed
> 's/table=../table=??/'], [0], [dnl
>  AT_CLEANUP
>  ])
>
> +OVN_FOR_EACH_NORTHD_NO_HV([
> +AT_SETUP([check for flow_desc])
> +ovn_start
> +
> +check  ovn-nbctl -- set NB_Global . options:debug_drop_collector_set="123"
> +ovn-nbctl ls-add ls1
> +
> +check ovn-nbctl --wait=hv sync
> +
> +flow_desc=$(fetch_column Logical_flow flow_desc match='"outport ==
> \"none\""')
> +AT_CHECK([test "$flow_desc" != ""])
> +
> +AT_CLEANUP
> +])
> +
>  AT_SETUP([NB_Global and SB_Global incremental processing])
>
>  ovn_start
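Review bot: The new test only asserts that `flow_desc` is non-empty (`test "$flow_desc" != ""`), so it would still pass if a wrong description were attached to the `outport == "none"` flow. Comparing against the string set in northd.c, `AT_CHECK([test "$flow_desc" = "No L2 destination"])`, pins the behaviour. `ovn-nbctl ls-add ls1` is also run without `check`, unlike the commands around it, so a failure there would only surface indirectly at the fetch.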
> --
> 2.42.0
>
>
Looks good to me, thanks!

Acked-by: Ales Musil 

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH ovn] utilties: Allow ovn-detrace to run on ovs-ofctl dump-flows output.

2024-06-03 Thread Ales Musil
The ovs-ofctl dump-flows output differs slightly from ofproto/trace:
ofproto/trace prints "cookie 0xXXX", dump-flows prints "cookie=0xXXX".
Update the regex so that it also matches the equals case. This allows
us to run ovn-detrace against the ovs-ofctl dump-flows output.

Also provide simple, partially hardcoded test case for ovn-detrace.

Signed-off-by: Ales Musil 
---
 tests/automake.mk   |   3 +-
 tests/ovn-util.at   | 108 
 tests/testsuite.at  |   1 +
 utilities/ovn-debug.c   |  18 ++
 utilities/ovn_detrace.py.in |   5 +-
 5 files changed, 132 insertions(+), 3 deletions(-)
 create mode 100644 tests/ovn-util.at

diff --git a/tests/automake.mk b/tests/automake.mk
index 1fdc89835..3899c9e80 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -45,7 +45,8 @@ TESTSUITE_AT = \
tests/ovn-lflow-cache.at \
tests/ovn-lflow-conj-ids.at \
tests/ovn-ipsec.at \
-   tests/ovn-vif-plug.at
+   tests/ovn-vif-plug.at \
+   tests/ovn-util.at
 
 SYSTEM_DPDK_TESTSUITE_AT = \
tests/system-dpdk-testsuite.at \
diff --git a/tests/ovn-util.at b/tests/ovn-util.at
new file mode 100644
index 0..fd3282548
--- /dev/null
+++ b/tests/ovn-util.at
@@ -0,0 +1,108 @@
+AT_SETUP([ovn-detrace - simple scenario])
+AT_SKIP_IF([test $HAVE_SCAPY = no])
+ovn_start
+net_add n1
+
+sim_add hv1
+as hv1
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.1
+ovs-vsctl -- add-port br-int vm0 -- \
+set interface vm0 external-ids:iface-id=vm0
+
+ovs-vsctl -- add-port br-int vm1 -- \
+set interface vm1 external-ids:iface-id=vm1
+
+ovn-nbctl ls-add ls \
+-- set logical_switch ls other-config:requested-tnl-key=1
+
+ovn-nbctl lsp-add ls vm0 \
+-- lsp-set-addresses vm0 "f0:00:00:01:01:00 192.168.1.10" \
+-- set logical_switch_port vm0 options:requested-tnl-key=10
+ovn-nbctl lsp-add ls vm1 \
+-- lsp-set-addresses vm1 "f0:00:00:01:01:01 192.168.1.11" \
+-- set logical_switch_port vm1 options:requested-tnl-key=11
+
+# Allow some time for ovn-northd and ovn-controller to catch up.
+wait_for_ports_up
+check ovn-nbctl --wait=hv sync
+
+ingress_table=$(ovn-debug lflow-stage-to-ltable ls_in_check_port_sec)
+egress_table=$(ovn-debug lflow-stage-to-ltable ls_out_apply_port_sec)
+dp_uuid=$(fetch_column datapath _uuid external_ids:name=ls)
+pb_vm0=$(ovn-debug uuid-to-cookie $(fetch_column port_binding _uuid \
+logical_port=vm0))
+pb_vm1=$(ovn-debug uuid-to-cookie $(fetch_column port_binding _uuid \
+logical_port=vm1))
+ingress=$(ovn-debug uuid-to-cookie $(fetch_column logical_flow _uuid \
+table_id=$ingress_table pipeline=ingress match="1"))
+egress=$(ovn-debug uuid-to-cookie $(fetch_column logical_flow _uuid \
+table_id=$egress_table pipeline=egress match="1"))
+
+cat << EOF > trace
+0. in_port=1, priority 100, cookie $pb_vm0
+set_field:0x4/0x->reg13
+set_field:0x1->reg11
+set_field:0x1->reg12
+set_field:0x1->metadata
+set_field:0x1->reg14
+set_field:0/0x->reg13
+resubmit(,??)
+8. metadata=0x1, priority 50, cookie $ingress
+set_field:0/0x1000->reg10
+resubmit(,??)
+51. metadata=0x1, priority 0, cookie $egress
+resubmit(,??)
+65. reg15=0x2,metadata=0x1, priority 100, cookie $pb_vm1
+output:2
+EOF
+
+AT_CHECK_UNQUOTED([cat trace | $PYTHON 
$top_srcdir/utilities/ovn_detrace.py.in], [0], [dnl
+0. in_port=1, priority 100, cookie $pb_vm0
+set_field:0x4/0x->reg13
+set_field:0x1->reg11
+set_field:0x1->reg12
+set_field:0x1->metadata
+set_field:0x1->reg14
+set_field:0/0x->reg13
+resubmit(,??)
+  * Logical datapath: "ls" ($dp_uuid)
+  * Port Binding: logical_port "vm0", tunnel_key 10, chassis-name "hv1", 
chassis-str "hv1"
+8. metadata=0x1, priority 50, cookie $ingress
+set_field:0/0x1000->reg10
+resubmit(,??)
+  * Logical datapaths:
+  * "ls" ($dp_uuid) [[ingress]]
+  * Logical flow: table=$ingress_table (ls_in_check_port_sec), priority=50, 
match=(1), actions=(reg0[[15]] = check_in_port_sec(); next;)
+51. metadata=0x1, priority 0, cookie $egress
+resubmit(,??)
+  * Logical datapaths:
+  * "ls" ($dp_uuid) [[egress]]
+  * Logical flow: table=$egress_table (ls_out_apply_port_sec), priority=0, 
match=(1), actions=(output;)
+65. reg15=0x2,metadata=0x1, priority 100, cookie $pb_vm1
+output:2
+  * Logical datapath: "ls" ($dp_uuid)
+  * Port Binding: logical_port "vm1", tunnel_key 11, chassis-name "hv1", 
chassis-str "hv1"
+
+])
+
+ovs-ofctl dump-flows br-int table=$(ovn-debug lflow-stage-to-oftable 
ls_in_check_port_sec),cookie=$ingress/0x >> flows
+ovs-ofctl dump-flows br-int table=$(ovn-debug lflow-stage-to-oftable 
ls_out_apply_port_sec),cookie=$egress/0x >> flows
+
+AT_CHECK_UNQUOTED([cat flows | awk '{print $1, $7, $8}' | grep -v "NXST_FLOW" 
| \
+   sed -e

Re: [ovs-dev] [PATCH ovn v3] text respresntations for drop sampling.

2024-06-03 Thread Ales Musil
R, LFLOW_REF)
> +  OVS_SOURCE_LOCATOR, NULL, LFLOW_REF)
>
>  #define ovn_lflow_add_with_dp_group(LFLOW_TABLE, DP_BITMAP,
> DP_BITMAP_LEN, \
>  STAGE, PRIORITY, MATCH, ACTIONS, \
>  STAGE_HINT, LFLOW_REF) \
>  lflow_table_add_lflow(LFLOW_TABLE, NULL, DP_BITMAP, DP_BITMAP_LEN,
> STAGE, \
>PRIORITY, MATCH, ACTIONS, NULL, NULL,
> STAGE_HINT, \
> -  OVS_SOURCE_LOCATOR, LFLOW_REF)
> +  OVS_SOURCE_LOCATOR, NULL, LFLOW_REF)
>
>  #define ovn_lflow_add_default_drop(LFLOW_TABLE, OD, STAGE, LFLOW_REF)   \
>  lflow_table_add_lflow_default_drop(LFLOW_TABLE, OD, STAGE, \
> @@ -126,13 +127,19 @@ void lflow_table_add_lflow_default_drop(struct
> lflow_table *,
>STAGE_HINT, LFLOW_REF) \
>  lflow_table_add_lflow(LFLOW_TABLE, OD, NULL, 0, STAGE, PRIORITY,
> MATCH, \
>ACTIONS, IN_OUT_PORT, NULL, STAGE_HINT, \
> -  OVS_SOURCE_LOCATOR, LFLOW_REF)
> +  OVS_SOURCE_LOCATOR, NULL, LFLOW_REF)
>
>  #define ovn_lflow_add(LFLOW_TABLE, OD, STAGE, PRIORITY, MATCH, ACTIONS, \
>LFLOW_REF) \
>  lflow_table_add_lflow(LFLOW_TABLE, OD, NULL, 0, STAGE, PRIORITY,
> MATCH, \
>ACTIONS, NULL, NULL, NULL, OVS_SOURCE_LOCATOR, \
> -  LFLOW_REF)
> +  NULL, LFLOW_REF)
> +
> +#define ovn_lflow_add_with_desc(LFLOW_TABLE, OD, STAGE, PRIORITY, MATCH, \
> +DESCRIPTION, LFLOW_REF) \
> +lflow_table_add_lflow(LFLOW_TABLE, OD, NULL, 0, STAGE, PRIORITY,
> MATCH, \
> +  debug_drop_action(), NULL, NULL, NULL,  \
> +  OVS_SOURCE_LOCATOR, DESCRIPTION, LFLOW_REF)
>
>  #define ovn_lflow_metered(LFLOW_TABLE, OD, STAGE, PRIORITY, MATCH,
> ACTIONS, \
>CTRL_METER, LFLOW_REF) \
> @@ -186,4 +193,4 @@ dec_ovn_dp_group_ref(struct hmap *dp_groups, struct
> ovn_dp_group *dpg)
>  }
>  }
>
> -#endif /* LFLOW_MGR_H */
> \ No newline at end of file
> +#endif /* LFLOW_MGR_H */
> diff --git a/northd/northd.c b/northd/northd.c
> index 495b838fc..7a262066d 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -8743,8 +8743,9 @@ build_lswitch_lflows_l2_unknown(struct ovn_datapath
> *od,
>"outport = \""MC_UNKNOWN "\"; output;",
>lflow_ref);
>  } else {
> -ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 50,
> -  "outport == \"none\"",  debug_drop_action(),
> +ovn_lflow_add_with_desc(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 50,
> +  "outport == \"none\"",
> +  "No L2 destination",
>lflow_ref);
>  }
>  ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 0, "1",
> diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema
> index b6c051ae6..dc3384d29 100644
> --- a/ovn-sb.ovsschema
> +++ b/ovn-sb.ovsschema
> @@ -1,7 +1,7 @@
>  {
>  "name": "OVN_Southbound",
>  "version": "20.34.0",
> -"cksum": "2786607656 31376",
> +"cksum": "3752487770 31501",
>  "tables": {
>  "SB_Global": {
>  "columns": {
> @@ -116,7 +116,9 @@
>   "min": 0, "max": 1}},
>  "external_ids": {
>  "type": {"key": "string", "value": "string",
> - "min": 0, "max": "unlimited"}}},
> + "min": 0, "max": "unlimited"}},
> +"flow_desc": {"type": {"key": {"type": "string"},
> + "min": 0, "max": 1}}},
>  "isRoot": true},
>  "Logical_DP_Group": {
>      "columns": {
> diff --git a/ovn-sb.xml b/ovn-sb.xml
> index 507a0b571..496c5a242 100644
> --- a/ovn-sb.xml
> +++ b/ovn-sb.xml
> @@ -2913,6 +2913,11 @@ tcp.flags = RST;
>ovn-controller.
>  
>
> +
> +  Human-readable explanation of the flow, this is optional and used
> +  to provide context for the given flow.
> +
> +
>  
>Human-readable name for this flow's stage in the pipeline.
>  
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index 7f579630c..751fee36a 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -12419,6 +12419,22 @@ AT_CHECK([grep -e "DHCP_RELAY_" lflows | sed
> 's/table=../table=??/'], [0], [dnl
>  AT_CLEANUP
>  ])
>
> +OVN_FOR_EACH_NORTHD_NO_HV([
> +AT_SETUP([check for flow_desc])
> +ovn_start
> +
> +check  ovn-nbctl -- set NB_Global .
> options:debug_drop_collector_set="123" \
> + -- set NB_Global . options:debug_drop_domain_id="1"
>

The description does not depend on debug_drop being set, so we should either
propagate it to the DB only when debug_drop is configured, or remove those
two lines from the test.


> +ovn-nbctl ls-add ls1
> +
> +check ovn-nbctl --wait=hv sync
> +
> +flow_desc=$(fetch_column Logical_flow flow_desc match='"outport ==
> \"none\""')
> +AT_CHECK([test "$flow_desc" != ""])
> +
> +AT_CLEANUP
> +])
> +
>  AT_SETUP([NB_Global and SB_Global incremental processing])
>
>  ovn_start
> --
> 2.42.0
>
>
Thanks,
Ales

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH ovn] tests: Fix flaky PMUTD flows test.

2024-05-31 Thread Ales Musil
Add missing sync calls to make sure that the flows are present and
strip the statistics from the flows.

Fixes: 3faadc76ad71 ("northd: Fix pmtud for non routed traffic.")
Signed-off-by: Ales Musil 
---
 tests/ovn-controller.at | 42 +++--
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
index fc50b6ff8..3d3825cb8 100644
--- a/tests/ovn-controller.at
+++ b/tests/ovn-controller.at
@@ -3036,13 +3036,16 @@ check ovs-vsctl \
 -- add-port br-int vif2 \
 -- set Interface vif2 external_ids:iface-id=lsp2
 
+wait_for_ports_up
+check ovn-nbctl --wait=hv sync
+
 AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=OFTABLE_CT_ZONE_LOOKUP | \
-  sed -e 's/cookie=0x.*, duration=.*, table/cookie=??, duration=??, 
table/' | \
   sed -e 
's/actions=load:0x.*->NXM_NX_REG13/actions=load:0x?->NXM_NX_REG13/' | \
-  grep -v NXST_FLOW |sort], [0], [dnl
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x1,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x2,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+  grep -v NXST_FLOW | \
+  awk '{print $7, $8}' | sort], [0], [dnl
+priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+priority=100,reg14=0x1,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+priority=100,reg14=0x2,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
 ])
 
 check ovn-nbctl lsp-add ls1 lsp3 \
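Review bot: The new `awk '{print $7, $8}'` filter picks the match and actions by column position, which only holds while every dump-flows line carries exactly six fields before `priority=` (cookie, duration, table, n_packets, n_bytes and idle_age, as the removed expected lines show). If ovs-ofctl prints an additional field for a flow, presumably something like `hard_age` after a modification, the columns shift and the check fails for an unrelated reason. Anchoring on the token instead, e.g. `sed -e 's/.* \(priority=\)/\1/'`, gives the same stripped output without depending on the field count. The same filter is repeated in the next hunk, which continues past the end of this page, and in the quoted copies of this patch in the replies above.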
@@ -3051,24 +3054,27 @@ check ovs-vsctl \
 -- add-port br-int vif3 \
 -- set Interface vif3 external_ids:iface-id=lsp3
 
+wait_for_ports_up
+check ovn-nbctl --wait=hv sync
+
 AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=OFTABLE_CT_ZONE_LOOKUP | \
-  sed -e 's/cookie=0x.*, duration=.*, table/cookie=??, duration=??, 
table/' | \
   sed -e 
's/actions=load:0x.*->NXM_NX_REG13/actions=load:0x?->NXM_NX_REG13/' | \
-  grep -v NXST_FLOW |sort], [0], [dnl
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x1,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x2,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=100,reg14=0x3,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+  grep -v NXST_FLOW | \
+  awk '{print $7, $8}' | sort], [0], [dnl
+priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+priority=100,reg14=0x1,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+priority=100,reg14=0x2,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
+priority=100,reg14=0x3,metadata=0x1 
actions=load:0x?->NXM_NX_REG13[[0..15]],load:0x2->NXM_NX_REG11[[]],load:0x1->NXM_NX_REG12[[]],resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
 ])
 
-check ovn-nbctl lsp-del lsp3
+check ovn-nbctl --wait=hv lsp-del lsp3
 AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=OFTABLE_CT_ZONE_LOOKUP | \
-  sed -e 's/cookie=0x.*, duration=.*, table/cookie=??, duration=??, 
table/' | \
-  sed -e 
's/actions=load:0x.*->NXM_NX_REG13/actions=load:0x?->NXM_NX_REG13/' |
-  grep -v NXST_FLOW |sort], [0], [dnl
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_packets=0, n_bytes=0, 
idle_age=0, priority=0 actions=resubmit(,OFTABLE_LOG_INGRESS_PIPELINE)
- cookie=??, duration=??, table=OFTABLE_CT_ZONE_LOOKUP, n_pa

[ovs-dev] [PATCH ovn v2 2/3] nb: Add support for match and priority in NAT.

2024-05-29 Thread Ales Musil
Add support for match and priority in NAT table. This allows to define
NAT that has extra match condition to have more fine-grained control
over the final NAT rule application. At the same time it allows for
NAT rules that would be considered as duplicates otherwise e.g.
multiple SNATs with same logical IP, but different external IP. Also,
when the match is specified allow addition of priority to order the
NAT rule evaluation as needed.

Signed-off-by: Ales Musil 
---
v2: Rebase on top of current main.
---
 ovn-nb.ovsschema  |   8 +-
 ovn-nb.xml|  15 +++
 tests/ovn-nbctl.at| 220 +++---
 utilities/ovn-nbctl.8.xml |  14 ++-
 utilities/ovn-nbctl.c | 189 
 5 files changed, 307 insertions(+), 139 deletions(-)

diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema
index 10ce50b25..e3c4aff9d 100644
--- a/ovn-nb.ovsschema
+++ b/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
 {
 "name": "OVN_Northbound",
-"version": "7.3.1",
-"cksum": "3899022625 35372",
+"version": "7.4.0",
+"cksum": "1908497390 35615",
 "tables": {
 "NB_Global": {
 "columns": {
@@ -524,6 +524,10 @@
  "refType": "weak"},
  "min": 0,
  "max": 1}},
+"priority": {"type": {"key": {"type": "integer",
+  "minInteger": 0,
+  "maxInteger": 32767}}},
+"match": {"type": "string"},
 "options": {"type": {"key": "string", "value": "string",
  "min": 0, "max": "unlimited"}},
 "external_ids": {
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 7bc77da68..ed5ad5b1a 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -3935,6 +3935,21 @@ or
   
 
 
+
+  The packets that the NAT rules should match, in addition to the match
+  that is created based on the NAT type, in the same expression
+  language used for the  column in the OVN
+  Southbound database's 
+  table.  This allows for more fine-grained control over the NAT rule.
+
+
+
+  The NAT rule's priority.  Rules with numerically higher priority
+  take precedence over those with lower.  The priority is taken into
+  account only if the match is defined.
+
+
 
   Indicates if a dnat_and_snat rule should lead to connection
   tracking state or not.
diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index 5248e6c76..19c83a4a5 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -625,15 +625,15 @@ AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat_and_snat fd01::1 
fd11::2])
 AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat_and_snat 30.0.0.2 192.168.1.3 lp0 
00:00:00:01:02:03])
 AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat_and_snat fd01::2 fd11::3 lp0 
00:00:00:01:02:03])
 AT_CHECK([ovn-nbctl lr-nat-list lr0], [0], [dnl
-TYPE GATEWAY_PORT  EXTERNAL_IPEXTERNAL_PORT
LOGICAL_IP  EXTERNAL_MAC LOGICAL_PORT
-dnat   30.0.0.1
192.168.1.2
-dnat   fd01::1 
fd11::2
-dnat_and_snat  30.0.0.1
192.168.1.2
-dnat_and_snat  30.0.0.2
192.168.1.3 00:00:00:01:02:03lp0
-dnat_and_snat  fd01::1 
fd11::2
-dnat_and_snat  fd01::2 
fd11::3 00:00:00:01:02:03lp0
-snat   30.0.0.1
192.168.1.0/24
-snat   fd01::1 
fd11::/64
+TYPE GATEWAY_PORT  MATCH EXTERNAL_IP   
 EXTERNAL_PORTLOGICAL_IP  EXTERNAL_MAC LOGICAL_PORT
+dnat 30.0.0.1  
  192.168.1.2
+dnat fd01::1   
  fd11::2
+dnat_and_snat30.0.0.1  
  192.168.1.2
+dnat_and_snat30.0.0.2  
  192.168.1.3 00:00:00:01:02:03lp0
+dnat_and_snatfd01::1   
  fd11

[ovs-dev] [PATCH ovn v2 3/3] northd: Use the NAT match column.

2024-05-29 Thread Ales Musil
Use the newly added NAT match and priority column in logical flows.
This allows to differentiate between various scenarios and more
fine-grained control over the resulting translation. The flows with
the extra match have higher priority than regular flows as the
flows without match are subset of the flows with match, the priority
is calculated as 300 + priority column.

Reported-at: https://issues.redhat.com/browse/FDP-433
Signed-off-by: Ales Musil 
---
v2: Rebase on top of current main.
Fix the common zone issue noticed by Mark.
---
 northd/northd.c |  29 +++--
 northd/ovn-northd.8.xml |  31 +
 tests/ovn-northd.at |  79 
 tests/system-ovn.at | 272 
 4 files changed, 404 insertions(+), 7 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index c5f69f469..8e5642c57 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -11566,10 +11566,17 @@ lrouter_dnat_and_snat_is_stateless(const struct 
nbrec_nat *nat)
!strcmp(nat->type, "dnat_and_snat");
 }
 
+#define NAT_PRIORITY_MATCH_OFFSET 300
+
 static inline uint16_t
-lrouter_nat_get_priority(const struct ovn_datapath *od, bool is_dnat,
+lrouter_nat_get_priority(const struct ovn_datapath *od,
+ const struct nbrec_nat *nat, bool is_dnat,
  uint16_t prefix_len)
 {
+if (nat->match[0]) {
+return NAT_PRIORITY_MATCH_OFFSET + nat->priority;
+}
+
 if (is_dnat) {
 return 100;
 }
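Review bot: `return NAT_PRIORITY_MATCH_OFFSET + nat->priority;` narrows the column value to uint16_t, and nothing in the code says why that is safe. The bound comes from the schema change in this series (`"maxInteger": 32767`), and lrouter_nat_add_ext_ip_match adds 2 on top, so the largest value is 33069. I would add a comment above the macro, e.g. `/* NAT.priority is 0..32767 per the NB schema, so offset + priority + 2 fits in uint16_t. */`, so a later schema change does not wrap silently. The function body continues past the end of the hunk.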
@@ -11631,7 +11638,7 @@ lrouter_nat_add_ext_ip_match(const struct ovn_datapath 
*od,
  *
  */
 uint16_t priority =
-lrouter_nat_get_priority(od, is_src, cidr_bits) + 2;
+lrouter_nat_get_priority(od, nat, is_src, cidr_bits) + 2;
 
 ds_clone(_exempt, match);
 ds_put_format(_exempt, " && ip%s.%s == $%s",
@@ -14600,6 +14607,7 @@ build_lrouter_in_dnat_flow(struct lflow_table *lflows,
 const char *nat_action = lrouter_use_common_zone(od)
  ? "ct_dnat_in_czone"
  : "ct_dnat";
+uint16_t priority = lrouter_nat_get_priority(od, nat, true, cidr_bits);
 
 ds_put_format(match, "ip && ip%c.dst == %s", is_v6 ? '6' : '4',
   nat->external_ip);
@@ -14646,8 +14654,11 @@ build_lrouter_in_dnat_flow(struct lflow_table *lflows,
 ds_put_format(actions, ");");
 }
 
-ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT,
-lrouter_nat_get_priority(od, true, cidr_bits),
+if (nat->match[0]) {
+ds_put_format(match, " && (%s)", nat->match);
+}
+
+ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, priority,
 ds_cstr(match), ds_cstr(actions),
 >header_, lflow_ref);
 }
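Review bot: `nat->match` is appended to the flow match verbatim by `ds_put_format(match, " && (%s)", nat->match);`, and nothing in this hunk checks that it is a well-formed expression. The parentheses only protect operator precedence for a well-formed string. A malformed or unbalanced value would presumably be rejected only when ovn-controller parses the logical flow, so the NAT rule would be missing on the chassis without northd reporting anything. Consider parsing the column in northd before use, logging a rate-limited warning and skipping the rule on failure, or state in ovn-nb.xml that validation is the writer's responsibility. The same append is added in the hunk at -14772; build_lrouter_in_dnat_flow begins outside this hunk.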
@@ -14772,6 +14783,10 @@ build_lrouter_out_snat_match(struct lflow_table 
*lflows,
  is_v6, is_reverse, cidr_bits,
  lflow_ref);
 }
+
+if (nat->match[0]) {
+ds_put_format(match, " && (%s)", nat->match);
+}
 }
 
 static void
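Review bot: The `nat->match` condition is appended only after the call that ends with `is_v6, is_reverse, cidr_bits, lflow_ref);`, which looks like the lrouter_nat_add_ext_ip_match call (its start is outside the hunk). That function clones `match` for the exempted_ext_ips flow and now gives it priority `lrouter_nat_get_priority(od, nat, is_src, cidr_bits) + 2`. If the clone happens before this append, the exempt flow sits at 300 + priority + 2 without the extra condition and can take precedence over other NAT rules it was not meant to cover. Appending `nat->match` before that call, or adding it to the exempt match as well, would keep both flows scoped the same way; the DNAT path in build_lrouter_in_dnat_flow appends just before ovn_lflow_add_with_hint and may have the same ordering.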
@@ -14790,7 +14805,7 @@ build_lrouter_out_snat_stateless_flow(struct 
lflow_table *lflows,
 
 ds_clear(actions);
 
-uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
+uint16_t priority = lrouter_nat_get_priority(od, nat, false, cidr_bits);
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
  cidr_bits, is_v6, l3dgw_port, lflow_ref,
  false);
@@ -14825,7 +14840,7 @@ build_lrouter_out_snat_in_czone_flow(struct lflow_table 
*lflows,
 
 ds_clear(actions);
 
-uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
+uint16_t priority = lrouter_nat_get_priority(od, nat, false, cidr_bits);
 struct ds zone_actions = DS_EMPTY_INITIALIZER;
 
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
@@ -14884,7 +14899,7 @@ build_lrouter_out_snat_flow(struct lflow_table *lflows,
 
 ds_clear(actions);
 
-uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
+uint16_t priority = lrouter_nat_get_priority(od, nat, false, cidr_bits);
 
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
  cidr_bits, is_v6, l3dgw_port, lflow_ref,
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 973e8718e..3deaaa142 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -3794,6 +3794,23 @@ next;
   exempted_ext_ips.
 
 
+
+  For each configuration in the OVN Northbound database, that asks
+  to change the destination IP address of a packet from A
+  to B, match M and priority P,
+   

[ovs-dev] [PATCH ovn v2 0/3] Arbitrary match for NAT

2024-05-29 Thread Ales Musil
This series adds the ability to have extra match per NAT, this allows
the CMS to have more fine-grained control over the NAT action. At the
same time it allows to have "duplicate" NATs e.g. multiple SNATs for
the same logical_ip as well as multiple DNATs for the same external_ip.

There is also priority in addition to the match which controls the
evaluation order of the NAT with match, as the priority can be used
only in combination with match.

Ales Musil (3):
  nothd: Unify the priority calculation for NAT flows.
  nb: Add support for match and priority in NAT.
  northd: Use the NAT match column.

 northd/northd.c   |  97 +++---
 northd/ovn-northd.8.xml   |  31 +
 ovn-nb.ovsschema  |   8 +-
 ovn-nb.xml|  15 +++
 tests/ovn-nbctl.at| 220 +-
 tests/ovn-northd.at   |  79 +++
 tests/system-ovn.at   | 272 ++
 utilities/ovn-nbctl.8.xml |  14 +-
 utilities/ovn-nbctl.c | 189 --
 9 files changed, 736 insertions(+), 189 deletions(-)

-- 
2.45.0



[ovs-dev] [PATCH ovn v2 1/3] nothd: Unify the priority calculation for NAT flows.

2024-05-29 Thread Ales Musil
The priority calculation was scattered in multiple places which
could result in errors when the code is being updated. Move it
to a common function that makes it very clear how the priority is
calculated.

Signed-off-by: Ales Musil 
Acked-by: Mark Michelson 
---
v2: Rebase on top of current main.
Add ack from Mark.
---
 northd/northd.c | 82 +++--
 1 file changed, 32 insertions(+), 50 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index a78cbcd53..c5f69f469 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -11566,6 +11566,25 @@ lrouter_dnat_and_snat_is_stateless(const struct 
nbrec_nat *nat)
!strcmp(nat->type, "dnat_and_snat");
 }
 
+static inline uint16_t
+lrouter_nat_get_priority(const struct ovn_datapath *od, bool is_dnat,
+ uint16_t prefix_len)
+{
+if (is_dnat) {
+return 100;
+}
+
+/* The priority here is calculated such that the
+ * nat->logical_ip with the longest mask gets a higher
+ * priority. */
+uint16_t priority = prefix_len + 1;
+if (!od->is_gw_router && od->n_l3dgw_ports) {
+priority += 128;
+}
+
+return priority;
+}
+
 /* Handles the match criteria and actions in logical flow
  * based on external ip based NAT rule filter.
  *
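Review bot: lrouter_nat_get_priority is added without a header comment, and its `is_dnat` parameter is fed from `is_src` in lrouter_nat_add_ext_ip_match, which makes that call site read as inverted. A short comment above the function would help, e.g. `/* Returns the lflow priority of a NAT rule: 100 for S_ROUTER_IN_DNAT, otherwise prefix_len + 1, plus 128 on a non-gateway router with l3dgw ports. */`. The bare 100 and 128 could become named constants while they are being centralised.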
@@ -11596,7 +11615,6 @@ lrouter_nat_add_ext_ip_match(const struct ovn_datapath 
*od,
 } else if (exempted_ext_ips) {
 struct ds match_exempt = DS_EMPTY_INITIALIZER;
 enum ovn_stage stage = is_src ? S_ROUTER_IN_DNAT : S_ROUTER_OUT_SNAT;
-uint16_t priority;
 
 /* Priority of logical flows corresponding to exempted_ext_ips is
  * +2 of the corresponding regular NAT rule.
@@ -11612,17 +11630,8 @@ lrouter_nat_add_ext_ip_match(const struct ovn_datapath 
*od,
  * lr_out_snat...priority=161, match=(..), action=(ct_snat();)
  *
  */
-if (is_src) {
-/* S_ROUTER_IN_DNAT uses priority 100 */
-priority = 100 + 2;
-} else {
-/* S_ROUTER_OUT_SNAT uses priority (mask + 1 + 128 + 1) */
-priority = cidr_bits + 3;
-
-if (!od->is_gw_router) {
-priority += 128;
-   }
-}
+uint16_t priority =
+lrouter_nat_get_priority(od, is_src, cidr_bits) + 2;
 
 ds_clone(_exempt, match);
 ds_put_format(_exempt, " && ip%s.%s == $%s",
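Review bot: The replacement is not a pure move: the removed branch added 128 whenever `!od->is_gw_router`, while the helper adds it only when `od->n_l3dgw_ports` is also non-zero. The exempted_ext_ips priority therefore changes for a non-gateway router that has no distributed gateway port. The hunk at -14826 has the mirror case, where the removed `if (od->n_l3dgw_ports)` did not test `is_gw_router`. If both changes are intended, the commit message should say so, since it describes the change only as moving the calculation into a common function. The enclosing function starts and ends outside this hunk.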
@@ -14637,7 +14646,8 @@ build_lrouter_in_dnat_flow(struct lflow_table *lflows,
 ds_put_format(actions, ");");
 }
 
-ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, 100,
+ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT,
+lrouter_nat_get_priority(od, true, cidr_bits),
 ds_cstr(match), ds_cstr(actions),
 >header_, lflow_ref);
 }
@@ -14780,25 +14790,14 @@ build_lrouter_out_snat_stateless_flow(struct 
lflow_table *lflows,
 
 ds_clear(actions);
 
-/* The priority here is calculated such that the
- * nat->logical_ip with the longest mask gets a higher
- * priority. */
-uint16_t priority = cidr_bits + 1;
-
+uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
  cidr_bits, is_v6, l3dgw_port, lflow_ref,
  false);
 
-if (!od->is_gw_router) {
-/* Distributed router. */
-if (od->n_l3dgw_ports) {
-priority += 128;
-}
-
-if (distributed_nat) {
-ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
-  ETH_ADDR_ARGS(mac));
-}
+if (!od->is_gw_router && distributed_nat) {
+ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
+  ETH_ADDR_ARGS(mac));
 }
 
 ds_put_format(actions, "ip%c.src=%s; next;",
@@ -14826,20 +14825,13 @@ build_lrouter_out_snat_in_czone_flow(struct 
lflow_table *lflows,
 
 ds_clear(actions);
 
-/* The priority here is calculated such that the
- * nat->logical_ip with the longest mask gets a higher
- * priority. */
-uint16_t priority = cidr_bits + 1;
+uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
 struct ds zone_actions = DS_EMPTY_INITIALIZER;
 
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
  cidr_bits, is_v6, l3dgw_port,
  lflow_ref, false);
 
-if (od->n_l3dgw_ports) {
-priority += 128;
-}
-
 if (distributed_nat) {
 ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
   ETH_ADDR_ARGS(mac));
@@ -14892,26 +14884,16 @@ build_lrouter_out_snat_flow(s

[ovs-dev] [PATCH ovn v2] northd: Fix the match not being cleared inside the loop.

2024-05-29 Thread Ales Musil
The match wasn't cleared which led to matches being appended together
and the ovn-controller failed to parse them.

Fixes: 3faadc76ad71 ("northd: Fix pmtud for non routed traffic.")
Signed-off-by: Ales Musil 
---
 northd/northd.c |  3 ++-
 tests/ovn-northd.at | 24 ++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index 495b838fc..a78cbcd53 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -11989,9 +11989,9 @@ build_lswitch_icmp_packet_toobig_admin_flows(
 {
 ovs_assert(op->nbsp);
 
-ds_clear(match);
 if (!lsp_is_router(op->nbsp)) {
 for (size_t i = 0; i < op->n_lsp_addrs; i++) {
+ds_clear(match);
 ds_put_format(match,
   "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
   " (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&"
@@ -12011,6 +12011,7 @@ build_lswitch_icmp_packet_toobig_admin_flows(
 return;
 }
 
+ds_clear(match);
 if (peer->od->is_gw_router) {
 ds_put_format(match,
   "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 7f579630c..f3ffb4a6d 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -8752,8 +8752,8 @@ ovn_strip_lflows ], [0], [dnl
   table=??(ls_out_check_port_sec), priority=100  , match=(eth.mcast), 
action=(reg0[[15]] = 0; next;)
 ])
 
-check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 
"00:00:00:00:00:01"
-check ovn-nbctl lsp-add sw0 sw0p2 -- lsp-set-addresses sw0p2 
"00:00:00:00:00:02"
+check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 
"00:00:00:00:00:01" "00:00:00:00:01:01"
+check ovn-nbctl lsp-add sw0 sw0p2 -- lsp-set-addresses sw0p2 
"00:00:00:00:00:02" "00:00:00:00:02:02"
 check ovn-nbctl --wait=sb lsp-add sw0 localnetport -- lsp-set-type 
localnetport localnet
 
 ovn-sbctl dump-flows sw0 > sw0flows
@@ -8768,11 +8768,15 @@ ovn_strip_lflows ], [0], [dnl
   table=??(ls_in_check_port_sec), priority=105  , match=(((ip4 && icmp4.type 
== 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && 
flags.tunnel_rx == 1), action=(drop;)
   table=??(ls_in_check_port_sec), priority=110  , match=(((ip4 && icmp4.type 
== 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && 
eth.src == 00:00:00:00:00:01 && outport == "sw0p1" && 
!is_chassis_resident("sw0p1") && flags.tunnel_rx == 1), action=(outport <-> 
inport; next;)
   table=??(ls_in_check_port_sec), priority=110  , match=(((ip4 && icmp4.type 
== 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && 
eth.src == 00:00:00:00:00:02 && outport == "sw0p2" && 
!is_chassis_resident("sw0p2") && flags.tunnel_rx == 1), action=(outport <-> 
inport; next;)
+  table=??(ls_in_check_port_sec), priority=110  , match=(((ip4 && icmp4.type 
== 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && 
eth.src == 00:00:00:00:01:01 && outport == "sw0p1" && 
!is_chassis_resident("sw0p1") && flags.tunnel_rx == 1), action=(outport <-> 
inport; next;)
+  table=??(ls_in_check_port_sec), priority=110  , match=(((ip4 && icmp4.type 
== 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && 
eth.src == 00:00:00:00:02:02 && outport == "sw0p2" && 
!is_chassis_resident("sw0p2") && flags.tunnel_rx == 1), action=(outport <-> 
inport; next;)
   table=??(ls_in_check_port_sec), priority=50   , match=(1), 
action=(reg0[[15]] = check_in_port_sec(); next;)
   table=??(ls_in_l2_lkup  ), priority=0, match=(1), action=(outport = 
get_fdb(eth.dst); next;)
   table=??(ls_in_l2_lkup  ), priority=110  , match=(eth.dst == 
$svc_monitor_mac && (tcp || icmp || icmp6)), action=(handle_svc_check(inport);)
   table=??(ls_in_l2_lkup  ), priority=50   , match=(eth.dst == 
00:00:00:00:00:01), action=(outport = "sw0p1"; output;)
   table=??(ls_in_l2_lkup  ), priority=50   , match=(eth.dst == 
00:00:00:00:00:02), action=(outport = "sw0p2"; output;)
+  table=??(ls_in_l2_lkup  ), priority=50   , match=(eth.dst == 
00:00:00:00:01:01), action=(outport = "sw0p1"; output;)
+  table=??(ls_in_l2_lkup  ), priority=50   , match=(eth.dst == 
00:00:00:00:02:02), action=(outport = "sw0p2"; output;)
   table=??(ls_in_l2_lkup  ), priority=70   , match=(eth.mcast), 
action=(o

Re: [ovs-dev] [PATCH ovn] northd: Fix the match not being cleared inside the loop.

2024-05-29 Thread Ales Musil
On Wed, May 29, 2024 at 9:31 AM Dumitru Ceara  wrote:

> On 5/29/24 09:03, Ales Musil wrote:
> > The match wasn't cleared which led to matches being appended together
> > and the ovn-controller failed to parse them.
> >
> > Fixes: 3faadc76ad71 ("northd: Fix pmtud for non routed traffic.")
> > Signed-off-by: Ales Musil 
> > ---
>
> Thanks, Ales, for the fix, it looks correct to me.
>

> Can we also add a small unit test in ovn-northd.at?
>

I have updated one of the existing tests to include this scenario in v2.


>
> Regards,
> Dumitru
>
> >  northd/northd.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/northd/northd.c b/northd/northd.c
> > index 495b838fc..a78cbcd53 100644
> > --- a/northd/northd.c
> > +++ b/northd/northd.c
> > @@ -11989,9 +11989,9 @@ build_lswitch_icmp_packet_toobig_admin_flows(
> >  {
> >  ovs_assert(op->nbsp);
> >
> > -ds_clear(match);
> >  if (!lsp_is_router(op->nbsp)) {
> >  for (size_t i = 0; i < op->n_lsp_addrs; i++) {
> > +ds_clear(match);
> >  ds_put_format(match,
> >"((ip4 && icmp4.type == 3 && icmp4.code == 4)
> ||"
> >" (ip6 && icmp6.type == 2 && icmp6.code ==
> 0)) &&"
> > @@ -12011,6 +12011,7 @@ build_lswitch_icmp_packet_toobig_admin_flows(
> >  return;
> >  }
> >
> > +ds_clear(match);
> >  if (peer->od->is_gw_router) {
> >  ds_put_format(match,
> >"((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
>
>
Thanks,
Ales

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


Re: [ovs-dev] [PATCH ovn 3/3] northd: Use the NAT match column.

2024-05-29 Thread Ales Musil
On Tue, May 28, 2024 at 9:59 PM Mark Michelson  wrote:

> Hi Ales,
>
> I have some nitpicky findings on this. I think they can be fixed when
> the patch is merged, so
>
> Acked-by: Mark Michelson 
>
> See below for my findings/questions.
>


Hi Mark,

thank you for the review.


> On 5/3/24 03:26, Ales Musil wrote:
> > Use the newly added NAT match and priority column in logical flows.
> > This allows to differentiate between various scenarios and more
> > fine-grained control over the resulting translation. The flows with
> > the extra match have higher priority than regular flows as the
> > flows without match are subset of the flows with match, the priority
> > is calculated as 300 + priority column.
> >
> > Reported-at: https://issues.redhat.com/browse/FDP-433
> > Signed-off-by: Ales Musil 
> > ---
> >   northd/northd.c |  31 +++--
> >   northd/ovn-northd.8.xml |  31 +
> >   tests/ovn-northd.at |  79 
> >   tests/system-ovn.at | 272 
> >   4 files changed, 406 insertions(+), 7 deletions(-)
> >
> > diff --git a/northd/northd.c b/northd/northd.c
> > index a883c3e08..a7e8c34c1 100644
> > --- a/northd/northd.c
> > +++ b/northd/northd.c
> > @@ -11544,9 +11544,14 @@ lrouter_dnat_and_snat_is_stateless(const struct
> nbrec_nat *nat)
> >   }
> >
> >   static inline uint16_t
> > -lrouter_nat_get_priority(const struct ovn_datapath *od, bool is_dnat,
> > +lrouter_nat_get_priority(const struct ovn_datapath *od,
> > + const struct nbrec_nat *nat, bool is_dnat,
> >uint16_t prefix_len)
> >   {
> > +if (nat->match[0]) {
> > +return 300 + nat->priority;
>
> I suggest making the 300 offset a constant, just in case there is ever a
> need to reference it in a different context.
>

I will have to post v2 anyway, so I will make this a constant as suggested.


>
> > +}
> > +
> >   if (is_dnat) {
> >   return 100;
> >   }
> > @@ -11608,7 +11613,7 @@ lrouter_nat_add_ext_ip_match(const struct
> ovn_datapath *od,
> >*
> >*/
> >   uint16_t priority =
> > -lrouter_nat_get_priority(od, is_src, cidr_bits) + 2;
> > +lrouter_nat_get_priority(od, nat, is_src, cidr_bits) +
> 2;
> >
> >   ds_clone(_exempt, match);
> >   ds_put_format(_exempt, " && ip%s.%s == $%s",
> > @@ -14561,6 +14566,7 @@ build_lrouter_in_dnat_flow(struct lflow_table
> *lflows,
> >   const char *nat_action = lrouter_use_common_zone(od)
> >? "ct_dnat_in_czone"
> >: "ct_dnat";
> > +uint16_t priority = lrouter_nat_get_priority(od, nat, true,
> cidr_bits);
> >
> >   ds_put_format(match, "ip && ip%c.dst == %s", is_v6 ? '6' : '4',
> > nat->external_ip);
> > @@ -14607,8 +14613,11 @@ build_lrouter_in_dnat_flow(struct lflow_table
> *lflows,
> >   ds_put_format(actions, ");");
> >   }
> >
> > -ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT,
> > -lrouter_nat_get_priority(od, true,
> cidr_bits),
> > +if (!lrouter_use_common_zone(od) && nat->match[0]) {
>
> Question: Why is the custom match only applied if the common zone is not
> being used?
>

Thank you for the question, there is no reason why it should be excluded. I
did consider that in the initial version however that shifted slightly
during the development and this remained.
In the process I have discovered there was another issue with the direct
access so that should be fixed as well in v2.


>
> > +ds_put_format(match, " && (%s)", nat->match);
> > +}
> > +
> > +ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, priority,
> >   ds_cstr(match), ds_cstr(actions),
> >   >header_, lflow_ref);
> >   }
> > @@ -14751,7 +14760,7 @@ build_lrouter_out_snat_stateless_flow(struct
> lflow_table *lflows,
> >
> >   ds_clear(actions);
> >
> > -uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
> > +uint16_t priority = lrouter_nat_get_priority(od, nat, false,
> cidr_bits);
> >   build_lrouter_out_snat_match(lflows, od, nat, match,
> distributed_nat,
> >cidr_bits, is_v6, l3dgw_port,
> l

[ovs-dev] [PATCH ovn] northd: Fix the match not being cleared inside the loop.

2024-05-29 Thread Ales Musil
The match wasn't cleared which led to matches being appended together
and the ovn-controller failed to parse them.

Fixes: 3faadc76ad71 ("northd: Fix pmtud for non routed traffic.")
Signed-off-by: Ales Musil 
---
 northd/northd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/northd/northd.c b/northd/northd.c
index 495b838fc..a78cbcd53 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -11989,9 +11989,9 @@ build_lswitch_icmp_packet_toobig_admin_flows(
 {
 ovs_assert(op->nbsp);
 
-ds_clear(match);
 if (!lsp_is_router(op->nbsp)) {
 for (size_t i = 0; i < op->n_lsp_addrs; i++) {
+ds_clear(match);
 ds_put_format(match,
   "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
   " (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&"
@@ -12011,6 +12011,7 @@ build_lswitch_icmp_packet_toobig_admin_flows(
 return;
 }
 
+ds_clear(match);
 if (peer->od->is_gw_router) {
 ds_put_format(match,
   "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
-- 
2.45.0



Re: [ovs-dev] [PATCH ovn 2/3] nb: Add support for match and priority in NAT.

2024-05-28 Thread Ales Musil
On Tue, May 28, 2024 at 9:52 PM Mark Michelson  wrote:

> Thanks Ales, I have just one question about this.
>
>
Hi Mark,

thank you for the review.


>
> I noticed that you have updated the output of `ovn-nbctl lr-nat-list` to
> include the match if it is configured. I'm curious if there is any
> utility in printing the priority as well?
>
>
I was thinking about that, however the output seems to be pretty crowded as
is, so I'm not really sure whether it is a good idea. If others disagree I
can include it.


>
> On 5/3/24 03:26, Ales Musil wrote:
> > Add support for match and priority in NAT table. This allows to define
> > NAT that has extra match condition to have more fine-grained control
> > over the final NAT rule application. At the same time it allows for
> > NAT rules that would be considered as duplicates otherwise e.g.
> > multiple SNATs with same logical IP, but different external IP. Also,
> > when the match is specified allow addition of priority to order the
> > NAT rule valuation as needed.
> >
> > Signed-off-by: Ales Musil 
> > ---
> >   ovn-nb.ovsschema  |   8 +-
> >   ovn-nb.xml|  15 +++
> >   tests/ovn-nbctl.at| 220 +++---
> >   utilities/ovn-nbctl.8.xml |  14 ++-
> >   utilities/ovn-nbctl.c | 189 
> >   5 files changed, 307 insertions(+), 139 deletions(-)
> >
> > diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema
> > index 10ce50b25..e3c4aff9d 100644
> > --- a/ovn-nb.ovsschema
> > +++ b/ovn-nb.ovsschema
> > @@ -1,7 +1,7 @@
> >   {
> >   "name": "OVN_Northbound",
> > -"version": "7.3.1",
> > -"cksum": "3899022625 35372",
> > +"version": "7.4.0",
> > +"cksum": "1908497390 35615",
> >   "tables": {
> >   "NB_Global": {
> >   "columns": {
> > @@ -524,6 +524,10 @@
> >"refType": "weak"},
> >"min": 0,
> >"max": 1}},
> > +"priority": {"type": {"key": {"type": "integer",
> > +  "minInteger": 0,
> > +  "maxInteger": 32767}}},
> > +"match": {"type": "string"},
> >   "options": {"type": {"key": "string", "value":
> "string",
> >"min": 0, "max": "unlimited"}},
> >   "external_ids": {
> > diff --git a/ovn-nb.xml b/ovn-nb.xml
> > index 5cb6ba640..fbad5f124 100644
> > --- a/ovn-nb.xml
> > +++ b/ovn-nb.xml
> > @@ -3924,6 +3924,21 @@ or
> > 
> >   
> >
> > +
> > +  The packets that the NAT rules should match, in addition to the
> match
> > +  that is created based on the NAT type, in the same expression
> > +  language used for the  > + db="OVN_Southbound"/> column in the OVN
> > +  Southbound database's  db="OVN_Southbound"/>
> > +  table.  This allows for more fine-grained control over the NAT
> rule.
> > +
> > +
> > +
> > +  The NAT rule's priority.  Rules with numerically higher priority
> > +  take precedence over those with lower.  The priority is taken into
> > +  account only if the match is defined.
> > +
> > +
> >   
> > Indicates if a dnat_and_snat rule should lead to connection
> > tracking state or not.
> > diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
> > index 5248e6c76..19c83a4a5 100644
> > --- a/tests/ovn-nbctl.at
> > +++ b/tests/ovn-nbctl.at
> > @@ -625,15 +625,15 @@ AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat_and_snat
> fd01::1 fd11::2])
> >   AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat_and_snat 30.0.0.2 192.168.1.3
> lp0 00:00:00:01:02:03])
> >   AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat_and_snat fd01::2 fd11::3 lp0
> 00:00:00:01:02:03])
> >   AT_CHECK([ovn-nbctl lr-nat-list lr0], [0], [dnl
> > -TYPE GATEWAY_PORT  EXTERNAL_IP
> EXTERNAL_PORTLOGICAL_IP  EXTERNAL_MAC LOGICAL_PORT
> > -dnat   

Re: [ovs-dev] [PATCH ovn v2 2/4] controller: Further encapsulate the CT zone handling.

2024-05-27 Thread Ales Musil
On Mon, May 27, 2024 at 9:00 AM Ales Musil  wrote:

> Move more code into the new ct-zone module and encapsulate
> functionality that is strictly related to CT zone handling.
>
> Signed-off-by: Ales Musil 
> ---
>  controller/ct-zone.c| 156 +---
>  controller/ct-zone.h|   8 +-
>  controller/ovn-controller.c |  49 ++-
>  3 files changed, 118 insertions(+), 95 deletions(-)
>
> diff --git a/controller/ct-zone.c b/controller/ct-zone.c
> index 96084fd9e..16452bc2d 100644
> --- a/controller/ct-zone.c
> +++ b/controller/ct-zone.c
> @@ -27,6 +27,11 @@ ct_zone_restore(const struct
> sbrec_datapath_binding_table *dp_table,
>  static void ct_zone_add_pending(struct shash *pending_ct_zones,
>  enum ct_zone_pending_state state,
>  int zone, bool add, const char *name);
> +static int ct_zone_get_snat(const struct sbrec_datapath_binding *dp);
> +static bool ct_zone_assign_unused(struct ct_zone_ctx *ctx,
> +  const char *zone_name, int *scan_start);
> +static bool ct_zone_remove(struct ct_zone_ctx *ctx,
> +   struct simap_node *ct_zone);
>
>  void
>  ct_zones_restore(struct ct_zone_ctx *ctx,
> @@ -82,47 +87,6 @@ ct_zones_restore(struct ct_zone_ctx *ctx,
>  }
>  }
>
> -bool
> -ct_zone_assign_unused(struct ct_zone_ctx *ctx, const char *zone_name,
> -  int *scan_start)
> -{
> -/* We assume that there are 64K zones and that we own them all. */
> -int zone = bitmap_scan(ctx->bitmap, 0, *scan_start, MAX_CT_ZONES + 1);
> -if (zone == MAX_CT_ZONES + 1) {
> -static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
> -VLOG_WARN_RL(, "exhausted all ct zones");
> -return false;
> -}
> -
> -*scan_start = zone + 1;
> -
> -ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
> -zone, true, zone_name);
> -
> -bitmap_set1(ctx->bitmap, zone);
> -simap_put(>current, zone_name, zone);
> -return true;
> -}
> -
> -bool
> -ct_zone_remove(struct ct_zone_ctx *ctx, const char *name)
> -{
> -struct simap_node *ct_zone = simap_find(>current, name);
> -if (!ct_zone) {
> -return false;
> -}
> -
> -VLOG_DBG("removing ct zone %"PRId32" for '%s'", ct_zone->data,
> - ct_zone->name);
> -
> -ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
> -ct_zone->data, false, ct_zone->name);
> -bitmap_set0(ctx->bitmap, ct_zone->data);
> -simap_delete(>current, ct_zone);
> -
> -return true;
> -}
> -
>  void
>  ct_zones_update(const struct sset *local_lports,
>  const struct hmap *local_datapaths, struct ct_zone_ctx
> *ctx)
> @@ -170,7 +134,7 @@ ct_zones_update(const struct sset *local_lports,
>  /* Delete zones that do not exist in above sset. */
>  SIMAP_FOR_EACH_SAFE (ct_zone, >current) {
>  if (!sset_contains(_users, ct_zone->name)) {
> -ct_zone_remove(ctx, ct_zone->name);
> +ct_zone_remove(ctx, ct_zone);
>  } else if (!simap_find(_snat_zones, ct_zone->name)) {
>  bitmap_set1(unreq_snat_zones_map, ct_zone->data);
>  simap_put(_snat_zones, ct_zone->name, ct_zone->data);
> @@ -276,12 +240,6 @@ ct_zones_commit(const struct ovsrec_bridge *br_int,
>  }
>  }
>
> -int
> -ct_zone_get_snat(const struct sbrec_datapath_binding *dp)
> -{
> -return smap_get_int(>external_ids, "snat-ct-zone", -1);
> -}
> -
>  void
>  ct_zones_pending_clear_commited(struct shash *pending)
>  {
> @@ -295,6 +253,108 @@ ct_zones_pending_clear_commited(struct shash
> *pending)
>  }
>  }
>
> +/* Returns "true" when there is no need for full recompute. */
> +bool
> +ct_zone_handle_dp_update(struct ct_zone_ctx *ctx,
> + const struct sbrec_datapath_binding *dp)
> +{
> +int req_snat_zone = ct_zone_get_snat(dp);
> +if (req_snat_zone == -1) {
> +/* datapath snat ct zone is not set.  This condition will also hit
> + * when CMS clears the snat-ct-zone for the logical router.
> + * In this case there is no harm in using the previosly specified
> + * snat ct zone for this datapath.  Also it is hard to know
> + * if this option was cleared or if this option is never set. */
> +return true;
> +}
> +
> +const char *name = smap_get(>external_ids, "name");
> +if (!name) {
> +stat

[ovs-dev] [PATCH ovn v2 1/4] controller: Move CT zone handling into separate module.

2024-05-27 Thread Ales Musil
Move the CT zone handling specific bits into its own module. This
allows for easier changes done within the module and separates the
logic that is unrelated from ovn-controller.

Signed-off-by: Ales Musil 
---
 controller/automake.mk  |   4 +-
 controller/ct-zone.c| 377 ++
 controller/ct-zone.h|  74 +++
 controller/ofctrl.c |   3 +-
 controller/ovn-controller.c | 392 +++-
 controller/ovn-controller.h |  21 +-
 controller/pinctrl.c|   2 +-
 tests/ovn.at|   4 +-
 8 files changed, 485 insertions(+), 392 deletions(-)
 create mode 100644 controller/ct-zone.c
 create mode 100644 controller/ct-zone.h

diff --git a/controller/automake.mk b/controller/automake.mk
index 1b1b3aeb1..ed93cfb3c 100644
--- a/controller/automake.mk
+++ b/controller/automake.mk
@@ -47,7 +47,9 @@ controller_ovn_controller_SOURCES = \
controller/mac-cache.h \
controller/mac-cache.c \
controller/statctrl.h \
-   controller/statctrl.c
+   controller/statctrl.c \
+   controller/ct-zone.h \
+   controller/ct-zone.c
 
 controller_ovn_controller_LDADD = lib/libovn.la $(OVS_LIBDIR)/libopenvswitch.la
 man_MANS += controller/ovn-controller.8
diff --git a/controller/ct-zone.c b/controller/ct-zone.c
new file mode 100644
index 0..96084fd9e
--- /dev/null
+++ b/controller/ct-zone.c
@@ -0,0 +1,377 @@
+/* Copyright (c) 2024, Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include 
+
+#include "ct-zone.h"
+#include "local_data.h"
+#include "openvswitch/vlog.h"
+
+VLOG_DEFINE_THIS_MODULE(ct_zone);
+
+static void
+ct_zone_restore(const struct sbrec_datapath_binding_table *dp_table,
+struct ct_zone_ctx *ctx, const char *name, int zone);
+static void ct_zone_add_pending(struct shash *pending_ct_zones,
+enum ct_zone_pending_state state,
+int zone, bool add, const char *name);
+
+void
+ct_zones_restore(struct ct_zone_ctx *ctx,
+ const struct ovsrec_open_vswitch_table *ovs_table,
+ const struct sbrec_datapath_binding_table *dp_table,
+ const struct ovsrec_bridge *br_int)
+{
+memset(ctx->bitmap, 0, sizeof ctx->bitmap);
+bitmap_set1(ctx->bitmap, 0); /* Zone 0 is reserved. */
+
+struct shash_node *pending_node;
+SHASH_FOR_EACH (pending_node, >pending) {
+struct ct_zone_pending_entry *ctpe = pending_node->data;
+
+if (ctpe->add) {
+ct_zone_restore(dp_table, ctx, pending_node->name, ctpe->zone);
+}
+}
+
+const struct ovsrec_open_vswitch *cfg;
+cfg = ovsrec_open_vswitch_table_first(ovs_table);
+if (!cfg) {
+return;
+}
+
+if (!br_int) {
+/* If the integration bridge hasn't been defined, assume that
+ * any existing ct-zone definitions aren't valid. */
+return;
+}
+
+struct smap_node *node;
+SMAP_FOR_EACH (node, _int->external_ids) {
+if (strncmp(node->key, "ct-zone-", 8)) {
+continue;
+}
+
+const char *user = node->key + 8;
+if (!user[0]) {
+continue;
+}
+
+if (shash_find(>pending, user)) {
+continue;
+}
+
+unsigned int zone;
+if (!str_to_uint(node->value, 10, )) {
+continue;
+}
+
+ct_zone_restore(dp_table, ctx, user, zone);
+}
+}
+
+bool
+ct_zone_assign_unused(struct ct_zone_ctx *ctx, const char *zone_name,
+  int *scan_start)
+{
+/* We assume that there are 64K zones and that we own them all. */
+int zone = bitmap_scan(ctx->bitmap, 0, *scan_start, MAX_CT_ZONES + 1);
+if (zone == MAX_CT_ZONES + 1) {
+static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+VLOG_WARN_RL(, "exhausted all ct zones");
+return false;
+}
+
+*scan_start = zone + 1;
+
+ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
+zone, true, zone_name);
+
+bitmap_set1(ctx->bitmap, zone);
+simap_put(>current, zone_name, zone);
+return true;
+}
+
+bool
+ct_zone_remove(struct ct_zone_ctx *ctx, const char *name)
+{
+struct simap_node *ct_zone = simap_find(>current, name);
+if (!ct_zone)

[ovs-dev] [PATCH ovn v2 3/4] controller: Prepare structure around CT zone limiting.

2024-05-27 Thread Ales Musil
In order to be able to store CT limits for a specified zone, store the
zone inside a separate struct instead of a simap. This allows the limit
to be added without changing the whole infrastructure again.

This is a preparation step for the CT zone limits.

Signed-off-by: Ales Musil 
---
v2: Fix NULL ptr deref.
---
 controller/ct-zone.c| 171 +---
 controller/ct-zone.h|  13 ++-
 controller/ofctrl.c |   2 +-
 controller/ovn-controller.c |  17 ++--
 controller/physical.c   |  17 ++--
 controller/physical.h   |   2 +-
 6 files changed, 129 insertions(+), 93 deletions(-)

diff --git a/controller/ct-zone.c b/controller/ct-zone.c
index 16452bc2d..8ee575cb5 100644
--- a/controller/ct-zone.c
+++ b/controller/ct-zone.c
@@ -26,12 +26,14 @@ ct_zone_restore(const struct sbrec_datapath_binding_table 
*dp_table,
 struct ct_zone_ctx *ctx, const char *name, int zone);
 static void ct_zone_add_pending(struct shash *pending_ct_zones,
 enum ct_zone_pending_state state,
-int zone, bool add, const char *name);
+struct ct_zone *zone, bool add,
+const char *name);
 static int ct_zone_get_snat(const struct sbrec_datapath_binding *dp);
 static bool ct_zone_assign_unused(struct ct_zone_ctx *ctx,
   const char *zone_name, int *scan_start);
-static bool ct_zone_remove(struct ct_zone_ctx *ctx,
-   struct simap_node *ct_zone);
+static bool ct_zone_remove(struct ct_zone_ctx *ctx, const char *name);
+static void ct_zone_add(struct ct_zone_ctx *ctx, const char *name,
+uint16_t zone, bool set_pending);
 
 void
 ct_zones_restore(struct ct_zone_ctx *ctx,
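Review bot: The new `ct_zone_add()` prototype takes `uint16_t zone` while `ct_zone_restore()` a few lines above still takes `int zone`, so a value handed from one to the other can be narrowed silently. In patch 1/4 of this series the restored number is parsed with `str_to_uint()` from the integration bridge's external_ids, so a stored value above 65535 would presumably wrap to a different zone unless it is range-checked against `MAX_CT_ZONES` first; the body of `ct_zone_restore()` is outside this hunk, so that needs confirming. Either use one type in both prototypes or add a comment on `ct_zone_add()` naming the function that validates the range. The same prototypes appear in the earlier (non-v2) posting of patch 3/4.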
@@ -47,7 +49,8 @@ ct_zones_restore(struct ct_zone_ctx *ctx,
 struct ct_zone_pending_entry *ctpe = pending_node->data;
 
 if (ctpe->add) {
-ct_zone_restore(dp_table, ctx, pending_node->name, ctpe->zone);
+ct_zone_restore(dp_table, ctx, pending_node->name,
+ctpe->ct_zone.zone);
 }
 }
 
@@ -91,7 +94,6 @@ void
 ct_zones_update(const struct sset *local_lports,
 const struct hmap *local_datapaths, struct ct_zone_ctx *ctx)
 {
-struct simap_node *ct_zone;
 int scan_start = 1;
 const char *user;
 struct sset all_users = SSET_INITIALIZER(_users);
@@ -132,12 +134,14 @@ ct_zones_update(const struct sset *local_lports,
 }
 
 /* Delete zones that do not exist in above sset. */
-SIMAP_FOR_EACH_SAFE (ct_zone, >current) {
-if (!sset_contains(_users, ct_zone->name)) {
-ct_zone_remove(ctx, ct_zone);
-} else if (!simap_find(_snat_zones, ct_zone->name)) {
-bitmap_set1(unreq_snat_zones_map, ct_zone->data);
-simap_put(_snat_zones, ct_zone->name, ct_zone->data);
+struct shash_node *node;
+SHASH_FOR_EACH_SAFE (node, >current) {
+struct ct_zone *ct_zone = node->data;
+if (!sset_contains(_users, node->name)) {
+ct_zone_remove(ctx, node->name);
+} else if (!simap_find(_snat_zones, node->name)) {
+bitmap_set1(unreq_snat_zones_map, ct_zone->zone);
+simap_put(_snat_zones, node->name, ct_zone->zone);
 }
 }
 
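Review bot: `ct_zone_remove(ctx, node->name)` passes a string owned by the shash node being iterated, and the callee presumably deletes that same node from `ctx->current`. That is safe only if `ct_zone_remove()` finishes every use of `name` (logging, queuing the pending entry) before the node is freed; its new body is not in this hunk, so this should be confirmed. A comment above the call such as `/* 'node' is freed by ct_zone_remove(); do not touch it afterwards. */` would make the lifetime explicit, and `ct_zone` could be declared inside the `else if` branch, the only place it is read. The enclosing function starts and ends outside the hunk, and the same hunk appears in the earlier (non-v2) posting of patch 3/4.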
@@ -152,7 +156,7 @@ ct_zones_update(const struct sset *local_lports,
 struct simap_node *unreq_node;
 SIMAP_FOR_EACH_SAFE (unreq_node, _snat_zones) {
 if (unreq_node->data == snat_req_node->data) {
-simap_find_and_delete(>current, unreq_node->name);
+ct_zone_remove(ctx, unreq_node->name);
 simap_delete(_snat_zones, unreq_node);
 }
 }
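Review bot: Replacing `simap_find_and_delete()` with `ct_zone_remove()` here looks like a functional change, while the commit message describes this patch as preparation only. Going by the `ct_zone_remove()` body shown in patch 2/4, the call also queues a pending removal for the zone and clears its bit in `ctx->bitmap`, neither of which the old line did; the version used by this patch is outside the hunk, so this is inferred. If the extra flush is intended, say so in the commit message or in a comment such as `/* Also queues the flush of the zone that is being taken over. */`; the return value of `ct_zone_remove()` is also ignored here. The enclosing loop starts outside the hunk, and the same hunk appears in the earlier (non-v2) posting of patch 3/4.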
@@ -163,26 +167,12 @@ ct_zones_update(const struct sset *local_lports,
 bitmap_set0(unreq_snat_zones_map, snat_req_node->data);
 }
 
-struct simap_node *node = simap_find(>current,
- snat_req_node->name);
-if (node) {
-if (node->data != snat_req_node->data) {
-/* Zone request has changed for this node. delete old entry and
- * create new one*/
-ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
-snat_req_node->data, true,
-snat_req_node->name);
-bitmap_set0(ctx->bitmap, node->data);
-}
-bitmap_set1(ctx->bitmap, snat_req_node->data);
-node->data = snat_req_node->data;
-} else {
-ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
-snat_req_node->data, true,
-snat_req_no

[ovs-dev] [PATCH ovn v2 2/4] controller: Further encapsulate the CT zone handling.

2024-05-27 Thread Ales Musil
Move more code into the new ct-zone module and encapsulate
functionality that is strictly related to CT zone handling.

Signed-off-by: Ales Musil 
---
 controller/ct-zone.c| 156 +---
 controller/ct-zone.h|   8 +-
 controller/ovn-controller.c |  49 ++-
 3 files changed, 118 insertions(+), 95 deletions(-)

diff --git a/controller/ct-zone.c b/controller/ct-zone.c
index 96084fd9e..16452bc2d 100644
--- a/controller/ct-zone.c
+++ b/controller/ct-zone.c
@@ -27,6 +27,11 @@ ct_zone_restore(const struct sbrec_datapath_binding_table 
*dp_table,
 static void ct_zone_add_pending(struct shash *pending_ct_zones,
 enum ct_zone_pending_state state,
 int zone, bool add, const char *name);
+static int ct_zone_get_snat(const struct sbrec_datapath_binding *dp);
+static bool ct_zone_assign_unused(struct ct_zone_ctx *ctx,
+  const char *zone_name, int *scan_start);
+static bool ct_zone_remove(struct ct_zone_ctx *ctx,
+   struct simap_node *ct_zone);
 
 void
 ct_zones_restore(struct ct_zone_ctx *ctx,
@@ -82,47 +87,6 @@ ct_zones_restore(struct ct_zone_ctx *ctx,
 }
 }
 
-bool
-ct_zone_assign_unused(struct ct_zone_ctx *ctx, const char *zone_name,
-  int *scan_start)
-{
-/* We assume that there are 64K zones and that we own them all. */
-int zone = bitmap_scan(ctx->bitmap, 0, *scan_start, MAX_CT_ZONES + 1);
-if (zone == MAX_CT_ZONES + 1) {
-static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
-VLOG_WARN_RL(, "exhausted all ct zones");
-return false;
-}
-
-*scan_start = zone + 1;
-
-ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
-zone, true, zone_name);
-
-bitmap_set1(ctx->bitmap, zone);
-simap_put(>current, zone_name, zone);
-return true;
-}
-
-bool
-ct_zone_remove(struct ct_zone_ctx *ctx, const char *name)
-{
-struct simap_node *ct_zone = simap_find(>current, name);
-if (!ct_zone) {
-return false;
-}
-
-VLOG_DBG("removing ct zone %"PRId32" for '%s'", ct_zone->data,
- ct_zone->name);
-
-ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
-ct_zone->data, false, ct_zone->name);
-bitmap_set0(ctx->bitmap, ct_zone->data);
-simap_delete(>current, ct_zone);
-
-return true;
-}
-
 void
 ct_zones_update(const struct sset *local_lports,
 const struct hmap *local_datapaths, struct ct_zone_ctx *ctx)
@@ -170,7 +134,7 @@ ct_zones_update(const struct sset *local_lports,
 /* Delete zones that do not exist in above sset. */
 SIMAP_FOR_EACH_SAFE (ct_zone, >current) {
 if (!sset_contains(_users, ct_zone->name)) {
-ct_zone_remove(ctx, ct_zone->name);
+ct_zone_remove(ctx, ct_zone);
 } else if (!simap_find(_snat_zones, ct_zone->name)) {
 bitmap_set1(unreq_snat_zones_map, ct_zone->data);
 simap_put(_snat_zones, ct_zone->name, ct_zone->data);
@@ -276,12 +240,6 @@ ct_zones_commit(const struct ovsrec_bridge *br_int,
 }
 }
 
-int
-ct_zone_get_snat(const struct sbrec_datapath_binding *dp)
-{
-return smap_get_int(>external_ids, "snat-ct-zone", -1);
-}
-
 void
 ct_zones_pending_clear_commited(struct shash *pending)
 {
@@ -295,6 +253,108 @@ ct_zones_pending_clear_commited(struct shash *pending)
 }
 }
 
+/* Returns "true" when there is no need for full recompute. */
+bool
+ct_zone_handle_dp_update(struct ct_zone_ctx *ctx,
+ const struct sbrec_datapath_binding *dp)
+{
+int req_snat_zone = ct_zone_get_snat(dp);
+if (req_snat_zone == -1) {
+/* datapath snat ct zone is not set.  This condition will also hit
+ * when CMS clears the snat-ct-zone for the logical router.
+ * In this case there is no harm in using the previosly specified
+ * snat ct zone for this datapath.  Also it is hard to know
+ * if this option was cleared or if this option is never set. */
+return true;
+}
+
+const char *name = smap_get(>external_ids, "name");
+if (!name) {
+static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);
+VLOG_ERR_RL(, "Missing name for datapath '"UUID_FMT"' skipping"
+"zone check.", UUID_ARGS(>header_.uuid));
+return true;
+}
+
+/* Check if the requested snat zone has changed for the datapath
+ * or not.  If so, then fall back to full recompute of
+ * ct_zone engine. */
+char *snat_dp_zone_key = alloc_nat_zone_key(name, "snat");
+struct simap_node *simap_node =
+simap_find(>current, snat_dp_zone_key);
+free(snat_dp_zone_key);
+if (!simap_node || simap_node-&

[ovs-dev] [PATCH ovn v2 4/4] controller, northd: Add support for CT zone limits.

2024-05-27 Thread Ales Musil
Add support for limiting the CT zone usage per LS, LR or LSP.
When the limit is configured on logical switch it will also implicitly
set limits for all ports in that logical switch. The port configuration
can be overwritten individually and has priority over the whole logical
switch configuration.

The value 0 means unlimited, when the value is not specified it is
derived from OvS default CT limit specified for given OvS datapath.

Reported-at: https://bugzilla.redhat.com/2189924
Signed-off-by: Ales Musil 
---
 NEWS|   3 +
 controller/ct-zone.c| 170 
 controller/ct-zone.h|  12 ++-
 controller/ovn-controller.c |  25 +-
 lib/ovn-util.c  |  17 
 lib/ovn-util.h  |   3 +
 northd/northd.c |   8 ++
 ovn-nb.xml  |  29 ++
 tests/ovn-controller.at |  99 +
 9 files changed, 345 insertions(+), 21 deletions(-)

diff --git a/NEWS b/NEWS
index 81c958f9a..e0465a34f 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,9 @@ Post v24.03.0
 MAC addresses configured on the LSP with "unknown", are learnt via the
 OVN native FDB.
   - Add support for ovsdb-server `--config-file` option in ovn-ctl.
+  - Add support for CT zone limit that can be specified per LR
+(options:ct-zone-limit), LS (other_config:ct-zone-limit) or LSP
+(options:ct-zone-limit).
 
 OVN v24.03.0 - 01 Mar 2024
 --
diff --git a/controller/ct-zone.c b/controller/ct-zone.c
index 8ee575cb5..259d423bb 100644
--- a/controller/ct-zone.c
+++ b/controller/ct-zone.c
@@ -34,6 +34,17 @@ static bool ct_zone_assign_unused(struct ct_zone_ctx *ctx,
 static bool ct_zone_remove(struct ct_zone_ctx *ctx, const char *name);
 static void ct_zone_add(struct ct_zone_ctx *ctx, const char *name,
 uint16_t zone, bool set_pending);
+static void ct_zone_limits_sync_per_dp(struct ct_zone_ctx *ctx,
+   const struct sbrec_datapath_binding *dp,
+   const char *name,
+   struct ovsdb_idl_index *pb_by_dp);
+static void ct_zone_limit_sync(struct ct_zone_ctx *ctx, const char *name,
+   int64_t limit);
+static int64_t ct_zone_get_dp_limit(const struct sbrec_datapath_binding *dp);
+static int64_t ct_zone_get_pb_limit(const struct sbrec_port_binding *pb);
+static int64_t ct_zone_limit_normalize(int64_t limit);
+static struct ovsrec_ct_zone *
+ct_zone_find_ovsrec(const struct ovsrec_datapath *dp, uint16_t zone_id);
 
 void
 ct_zones_restore(struct ct_zone_ctx *ctx,
@@ -195,11 +206,14 @@ ct_zones_update(const struct sset *local_lports,
 
 void
 ct_zones_commit(const struct ovsrec_bridge *br_int,
+const struct ovsrec_datapath *ovs_dp,
+struct ovsdb_idl_txn *ovs_idl_txn,
 struct shash *pending_ct_zones)
 {
 struct shash_node *iter;
 SHASH_FOR_EACH (iter, pending_ct_zones) {
 struct ct_zone_pending_entry *ctzpe = iter->data;
+struct ct_zone *ct_zone = >ct_zone;
 
 /* The transaction is open, so any pending entries in the
  * CT_ZONE_DB_QUEUED must be sent and any in CT_ZONE_DB_QUEUED
@@ -211,7 +225,7 @@ ct_zones_commit(const struct ovsrec_bridge *br_int,
 
 char *user_str = xasprintf("ct-zone-%s", iter->name);
 if (ctzpe->add) {
-char *zone_str = xasprintf("%"PRIu16, ctzpe->ct_zone.zone);
+char *zone_str = xasprintf("%"PRIu16, ct_zone->zone);
 struct smap_node *node =
 smap_get_node(_int->external_ids, user_str);
 if (!node || strcmp(node->value, zone_str)) {
@@ -226,6 +240,19 @@ ct_zones_commit(const struct ovsrec_bridge *br_int,
 }
 free(user_str);
 
+struct ovsrec_ct_zone *ovs_zone =
+ct_zone_find_ovsrec(ovs_dp, ct_zone->zone);
+if ((!ctzpe->add || ct_zone->limit < 0) && ovs_zone) {
+ovsrec_datapath_update_ct_zones_delkey(ovs_dp, ct_zone->zone);
+} else if (ctzpe->add && ct_zone->limit >= 0) {
+if (!ovs_zone) {
+ovs_zone = ovsrec_ct_zone_insert(ovs_idl_txn);
+ovsrec_datapath_update_ct_zones_setkey(ovs_dp, ct_zone->zone,
+   ovs_zone);
+}
+ovsrec_ct_zone_set_limit(ovs_zone, _zone->limit, 1);
+}
+
 ctzpe->state = CT_ZONE_DB_SENT;
 }
 }
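Review bot: The added block passes `ovs_dp` to `ovsrec_datapath_update_ct_zones_delkey()` and `ovsrec_datapath_update_ct_zones_setkey()` with no check in this hunk that it is non-NULL. Even if `ct_zone_find_ovsrec()` (body not shown here) tolerates a NULL datapath and returns NULL, the `else if` branch would still insert a row and call the setkey helper with a NULL `ovs_dp`; whether the caller can pass NULL is not visible, so please confirm it or guard the block with `if (ovs_dp) { ... }`. The sign convention deserves a comment as well, for example `/* limit < 0: not configured, drop the row so the OVS default applies; 0: unlimited. */`, if that matches the intent stated in the commit message. The delkey branch removes the whole zone record from the datapath rather than only its limit, which would also drop any other setting stored on that record. The same hunk appears in the earlier (non-v2) posting of patch 4/4.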
@@ -246,8 +273,19 @@ ct_zones_pending_clear_commited(struct shash *pending)
 /* Returns "true" when there is no need for full recompute. */
 bool
 ct_zone_handle_dp_update(struct ct_zone_ctx *ctx,
- const struct sbrec_datapath_binding *dp)
+ const struct sbrec_datapath_bindin

[ovs-dev] [PATCH ovn v2 0/4] Add ability to limit CT entries per LS/LR/LSP

2024-05-27 Thread Ales Musil
Add the ability to set CT limits per logical switch, logical
router or logical switch port. When the limit is applied to a logical
switch it will be implicitly set for all logical ports in the logical
switch. This can be overwritten individually per port.

To achieve this there is a small refactor of the CT zone handling logic
which allows us to get the zone limiting more easily.

Ales Musil (4):
  controller: Move CT zone handling into separate module.
  controller: Further encapsulate the CT zone handling.
  controller: Prepare structure around CT zone limiting.
  controller, northd: Add support for CT zone limits.

 NEWS|   3 +
 controller/automake.mk  |   4 +-
 controller/ct-zone.c| 604 
 controller/ct-zone.h|  89 ++
 controller/ofctrl.c |   5 +-
 controller/ovn-controller.c | 451 +++
 controller/ovn-controller.h |  21 +-
 controller/physical.c   |  17 +-
 controller/physical.h   |   2 +-
 controller/pinctrl.c|   2 +-
 lib/ovn-util.c  |  17 +
 lib/ovn-util.h  |   3 +
 northd/northd.c |   8 +
 ovn-nb.xml  |  29 ++
 tests/ovn-controller.at |  99 ++
 tests/ovn.at|   4 +-
 16 files changed, 917 insertions(+), 441 deletions(-)
 create mode 100644 controller/ct-zone.c
 create mode 100644 controller/ct-zone.h

-- 
2.45.0



[ovs-dev] [PATCH ovn 4/4] controller, northd: Add support for CT zone limits.

2024-05-23 Thread Ales Musil
Add support for limiting the CT zone usage per LS, LR or LSP.
When the limit is configured on logical switch it will also implicitly
set limits for all ports in that logical switch. The port configuration
can be overwritten individually and has priority over the whole logical
switch configuration.

The value 0 means unlimited, when the value is not specified it is
derived from OvS default CT limit specified for given OvS datapath.

Reported-at: https://bugzilla.redhat.com/2189924
Signed-off-by: Ales Musil 
---
 NEWS|   3 +
 controller/ct-zone.c| 170 
 controller/ct-zone.h|  12 ++-
 controller/ovn-controller.c |  25 +-
 lib/ovn-util.c  |  17 
 lib/ovn-util.h  |   3 +
 northd/northd.c |   8 ++
 ovn-nb.xml  |  29 ++
 tests/ovn-controller.at |  99 +
 9 files changed, 345 insertions(+), 21 deletions(-)

diff --git a/NEWS b/NEWS
index 81c958f9a..e0465a34f 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,9 @@ Post v24.03.0
 MAC addresses configured on the LSP with "unknown", are learnt via the
 OVN native FDB.
   - Add support for ovsdb-server `--config-file` option in ovn-ctl.
+  - Add support for CT zone limit that can be specified per LR
+(options:ct-zone-limit), LS (other_config:ct-zone-limit) or LSP
+(options:ct-zone-limit).
 
 OVN v24.03.0 - 01 Mar 2024
 --
diff --git a/controller/ct-zone.c b/controller/ct-zone.c
index 6065cbfe6..259d423bb 100644
--- a/controller/ct-zone.c
+++ b/controller/ct-zone.c
@@ -34,6 +34,17 @@ static bool ct_zone_assign_unused(struct ct_zone_ctx *ctx,
 static bool ct_zone_remove(struct ct_zone_ctx *ctx, const char *name);
 static void ct_zone_add(struct ct_zone_ctx *ctx, const char *name,
 uint16_t zone, bool set_pending);
+static void ct_zone_limits_sync_per_dp(struct ct_zone_ctx *ctx,
+   const struct sbrec_datapath_binding *dp,
+   const char *name,
+   struct ovsdb_idl_index *pb_by_dp);
+static void ct_zone_limit_sync(struct ct_zone_ctx *ctx, const char *name,
+   int64_t limit);
+static int64_t ct_zone_get_dp_limit(const struct sbrec_datapath_binding *dp);
+static int64_t ct_zone_get_pb_limit(const struct sbrec_port_binding *pb);
+static int64_t ct_zone_limit_normalize(int64_t limit);
+static struct ovsrec_ct_zone *
+ct_zone_find_ovsrec(const struct ovsrec_datapath *dp, uint16_t zone_id);
 
 void
 ct_zones_restore(struct ct_zone_ctx *ctx,
@@ -195,11 +206,14 @@ ct_zones_update(const struct sset *local_lports,
 
 void
 ct_zones_commit(const struct ovsrec_bridge *br_int,
+const struct ovsrec_datapath *ovs_dp,
+struct ovsdb_idl_txn *ovs_idl_txn,
 struct shash *pending_ct_zones)
 {
 struct shash_node *iter;
 SHASH_FOR_EACH (iter, pending_ct_zones) {
 struct ct_zone_pending_entry *ctzpe = iter->data;
+struct ct_zone *ct_zone = >ct_zone;
 
 /* The transaction is open, so any pending entries in the
  * CT_ZONE_DB_QUEUED must be sent and any in CT_ZONE_DB_QUEUED
@@ -211,7 +225,7 @@ ct_zones_commit(const struct ovsrec_bridge *br_int,
 
 char *user_str = xasprintf("ct-zone-%s", iter->name);
 if (ctzpe->add) {
-char *zone_str = xasprintf("%"PRIu16, ctzpe->ct_zone.zone);
+char *zone_str = xasprintf("%"PRIu16, ct_zone->zone);
 struct smap_node *node =
 smap_get_node(_int->external_ids, user_str);
 if (!node || strcmp(node->value, zone_str)) {
@@ -226,6 +240,19 @@ ct_zones_commit(const struct ovsrec_bridge *br_int,
 }
 free(user_str);
 
+struct ovsrec_ct_zone *ovs_zone =
+ct_zone_find_ovsrec(ovs_dp, ct_zone->zone);
+if ((!ctzpe->add || ct_zone->limit < 0) && ovs_zone) {
+ovsrec_datapath_update_ct_zones_delkey(ovs_dp, ct_zone->zone);
+} else if (ctzpe->add && ct_zone->limit >= 0) {
+if (!ovs_zone) {
+ovs_zone = ovsrec_ct_zone_insert(ovs_idl_txn);
+ovsrec_datapath_update_ct_zones_setkey(ovs_dp, ct_zone->zone,
+   ovs_zone);
+}
+ovsrec_ct_zone_set_limit(ovs_zone, _zone->limit, 1);
+}
+
 ctzpe->state = CT_ZONE_DB_SENT;
 }
 }
@@ -246,8 +273,19 @@ ct_zones_pending_clear_commited(struct shash *pending)
 /* Returns "true" when there is no need for full recompute. */
 bool
 ct_zone_handle_dp_update(struct ct_zone_ctx *ctx,
- const struct sbrec_datapath_binding *dp)
+ const struct sbrec_datapath_bindin

[ovs-dev] [PATCH ovn 1/4] controller: Move CT zone handling into separate module.

2024-05-23 Thread Ales Musil
Move the CT zone handling specific bits into its own module. This
allows for easier changes done within the module and separates the
logic that is unrelated from ovn-controller.

Signed-off-by: Ales Musil 
---
 controller/automake.mk  |   4 +-
 controller/ct-zone.c| 377 ++
 controller/ct-zone.h|  74 +++
 controller/ofctrl.c |   3 +-
 controller/ovn-controller.c | 392 +++-
 controller/ovn-controller.h |  21 +-
 controller/pinctrl.c|   2 +-
 tests/ovn.at|   4 +-
 8 files changed, 485 insertions(+), 392 deletions(-)
 create mode 100644 controller/ct-zone.c
 create mode 100644 controller/ct-zone.h

diff --git a/controller/automake.mk b/controller/automake.mk
index 1b1b3aeb1..ed93cfb3c 100644
--- a/controller/automake.mk
+++ b/controller/automake.mk
@@ -47,7 +47,9 @@ controller_ovn_controller_SOURCES = \
controller/mac-cache.h \
controller/mac-cache.c \
controller/statctrl.h \
-   controller/statctrl.c
+   controller/statctrl.c \
+   controller/ct-zone.h \
+   controller/ct-zone.c
 
 controller_ovn_controller_LDADD = lib/libovn.la $(OVS_LIBDIR)/libopenvswitch.la
 man_MANS += controller/ovn-controller.8
diff --git a/controller/ct-zone.c b/controller/ct-zone.c
new file mode 100644
index 0..96084fd9e
--- /dev/null
+++ b/controller/ct-zone.c
@@ -0,0 +1,377 @@
+/* Copyright (c) 2024, Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include 
+
+#include "ct-zone.h"
+#include "local_data.h"
+#include "openvswitch/vlog.h"
+
+VLOG_DEFINE_THIS_MODULE(ct_zone);
+
+static void
+ct_zone_restore(const struct sbrec_datapath_binding_table *dp_table,
+struct ct_zone_ctx *ctx, const char *name, int zone);
+static void ct_zone_add_pending(struct shash *pending_ct_zones,
+enum ct_zone_pending_state state,
+int zone, bool add, const char *name);
+
+void
+ct_zones_restore(struct ct_zone_ctx *ctx,
+ const struct ovsrec_open_vswitch_table *ovs_table,
+ const struct sbrec_datapath_binding_table *dp_table,
+ const struct ovsrec_bridge *br_int)
+{
+memset(ctx->bitmap, 0, sizeof ctx->bitmap);
+bitmap_set1(ctx->bitmap, 0); /* Zone 0 is reserved. */
+
+struct shash_node *pending_node;
+SHASH_FOR_EACH (pending_node, >pending) {
+struct ct_zone_pending_entry *ctpe = pending_node->data;
+
+if (ctpe->add) {
+ct_zone_restore(dp_table, ctx, pending_node->name, ctpe->zone);
+}
+}
+
+const struct ovsrec_open_vswitch *cfg;
+cfg = ovsrec_open_vswitch_table_first(ovs_table);
+if (!cfg) {
+return;
+}
+
+if (!br_int) {
+/* If the integration bridge hasn't been defined, assume that
+ * any existing ct-zone definitions aren't valid. */
+return;
+}
+
+struct smap_node *node;
+SMAP_FOR_EACH (node, _int->external_ids) {
+if (strncmp(node->key, "ct-zone-", 8)) {
+continue;
+}
+
+const char *user = node->key + 8;
+if (!user[0]) {
+continue;
+}
+
+if (shash_find(>pending, user)) {
+continue;
+}
+
+unsigned int zone;
+if (!str_to_uint(node->value, 10, )) {
+continue;
+}
+
+ct_zone_restore(dp_table, ctx, user, zone);
+}
+}
+
+bool
+ct_zone_assign_unused(struct ct_zone_ctx *ctx, const char *zone_name,
+  int *scan_start)
+{
+/* We assume that there are 64K zones and that we own them all. */
+int zone = bitmap_scan(ctx->bitmap, 0, *scan_start, MAX_CT_ZONES + 1);
+if (zone == MAX_CT_ZONES + 1) {
+static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+VLOG_WARN_RL(, "exhausted all ct zones");
+return false;
+}
+
+*scan_start = zone + 1;
+
+ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
+zone, true, zone_name);
+
+bitmap_set1(ctx->bitmap, zone);
+simap_put(>current, zone_name, zone);
+return true;
+}
+
+bool
+ct_zone_remove(struct ct_zone_ctx *ctx, const char *name)
+{
+struct simap_node *ct_zone = simap_find(>current, name);
+if (!ct_zone)

[ovs-dev] [PATCH ovn 3/4] controller: Prepare structure around CT zone limiting.

2024-05-23 Thread Ales Musil
In order to be able to store CT limits for a specified zone, store the
zone inside a separate struct instead of a simap. This allows the limit
to be added without changing the whole infrastructure again.

This is a preparation step for the CT zone limits.

Signed-off-by: Ales Musil 
---
 controller/ct-zone.c| 171 +---
 controller/ct-zone.h|  13 ++-
 controller/ofctrl.c |   2 +-
 controller/ovn-controller.c |  17 ++--
 controller/physical.c   |  17 ++--
 controller/physical.h   |   2 +-
 6 files changed, 129 insertions(+), 93 deletions(-)

diff --git a/controller/ct-zone.c b/controller/ct-zone.c
index 16452bc2d..6065cbfe6 100644
--- a/controller/ct-zone.c
+++ b/controller/ct-zone.c
@@ -26,12 +26,14 @@ ct_zone_restore(const struct sbrec_datapath_binding_table 
*dp_table,
 struct ct_zone_ctx *ctx, const char *name, int zone);
 static void ct_zone_add_pending(struct shash *pending_ct_zones,
 enum ct_zone_pending_state state,
-int zone, bool add, const char *name);
+struct ct_zone *zone, bool add,
+const char *name);
 static int ct_zone_get_snat(const struct sbrec_datapath_binding *dp);
 static bool ct_zone_assign_unused(struct ct_zone_ctx *ctx,
   const char *zone_name, int *scan_start);
-static bool ct_zone_remove(struct ct_zone_ctx *ctx,
-   struct simap_node *ct_zone);
+static bool ct_zone_remove(struct ct_zone_ctx *ctx, const char *name);
+static void ct_zone_add(struct ct_zone_ctx *ctx, const char *name,
+uint16_t zone, bool set_pending);
 
 void
 ct_zones_restore(struct ct_zone_ctx *ctx,
@@ -47,7 +49,8 @@ ct_zones_restore(struct ct_zone_ctx *ctx,
 struct ct_zone_pending_entry *ctpe = pending_node->data;
 
 if (ctpe->add) {
-ct_zone_restore(dp_table, ctx, pending_node->name, ctpe->zone);
+ct_zone_restore(dp_table, ctx, pending_node->name,
+ctpe->ct_zone.zone);
 }
 }
 
@@ -91,7 +94,6 @@ void
 ct_zones_update(const struct sset *local_lports,
 const struct hmap *local_datapaths, struct ct_zone_ctx *ctx)
 {
-struct simap_node *ct_zone;
 int scan_start = 1;
 const char *user;
 struct sset all_users = SSET_INITIALIZER(_users);
@@ -132,12 +134,14 @@ ct_zones_update(const struct sset *local_lports,
 }
 
 /* Delete zones that do not exist in above sset. */
-SIMAP_FOR_EACH_SAFE (ct_zone, >current) {
-if (!sset_contains(_users, ct_zone->name)) {
-ct_zone_remove(ctx, ct_zone);
-} else if (!simap_find(_snat_zones, ct_zone->name)) {
-bitmap_set1(unreq_snat_zones_map, ct_zone->data);
-simap_put(_snat_zones, ct_zone->name, ct_zone->data);
+struct shash_node *node;
+SHASH_FOR_EACH_SAFE (node, >current) {
+struct ct_zone *ct_zone = node->data;
+if (!sset_contains(_users, node->name)) {
+ct_zone_remove(ctx, node->name);
+} else if (!simap_find(_snat_zones, node->name)) {
+bitmap_set1(unreq_snat_zones_map, ct_zone->zone);
+simap_put(_snat_zones, node->name, ct_zone->zone);
 }
 }
 
@@ -152,7 +156,7 @@ ct_zones_update(const struct sset *local_lports,
 struct simap_node *unreq_node;
 SIMAP_FOR_EACH_SAFE (unreq_node, _snat_zones) {
 if (unreq_node->data == snat_req_node->data) {
-simap_find_and_delete(>current, unreq_node->name);
+ct_zone_remove(ctx, unreq_node->name);
 simap_delete(_snat_zones, unreq_node);
 }
 }
@@ -163,26 +167,12 @@ ct_zones_update(const struct sset *local_lports,
 bitmap_set0(unreq_snat_zones_map, snat_req_node->data);
 }
 
-struct simap_node *node = simap_find(>current,
- snat_req_node->name);
-if (node) {
-if (node->data != snat_req_node->data) {
-/* Zone request has changed for this node. delete old entry and
- * create new one*/
-ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
-snat_req_node->data, true,
-snat_req_node->name);
-bitmap_set0(ctx->bitmap, node->data);
-}
-bitmap_set1(ctx->bitmap, snat_req_node->data);
-node->data = snat_req_node->data;
-} else {
-ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
-snat_req_node->data, true,
-snat_req_node->name);
-  

[ovs-dev] [PATCH ovn 2/4] controller: Further encapsulate the CT zone handling.

2024-05-23 Thread Ales Musil
Move more code into the new ct-zone module and encapsulate
functionality that is strictly related to CT zone handling.

Signed-off-by: Ales Musil 
---
 controller/ct-zone.c| 156 +---
 controller/ct-zone.h|   8 +-
 controller/ovn-controller.c |  49 ++-
 3 files changed, 118 insertions(+), 95 deletions(-)

diff --git a/controller/ct-zone.c b/controller/ct-zone.c
index 96084fd9e..16452bc2d 100644
--- a/controller/ct-zone.c
+++ b/controller/ct-zone.c
@@ -27,6 +27,11 @@ ct_zone_restore(const struct sbrec_datapath_binding_table 
*dp_table,
 static void ct_zone_add_pending(struct shash *pending_ct_zones,
 enum ct_zone_pending_state state,
 int zone, bool add, const char *name);
+static int ct_zone_get_snat(const struct sbrec_datapath_binding *dp);
+static bool ct_zone_assign_unused(struct ct_zone_ctx *ctx,
+  const char *zone_name, int *scan_start);
+static bool ct_zone_remove(struct ct_zone_ctx *ctx,
+   struct simap_node *ct_zone);
 
 void
 ct_zones_restore(struct ct_zone_ctx *ctx,
@@ -82,47 +87,6 @@ ct_zones_restore(struct ct_zone_ctx *ctx,
 }
 }
 
-bool
-ct_zone_assign_unused(struct ct_zone_ctx *ctx, const char *zone_name,
-  int *scan_start)
-{
-/* We assume that there are 64K zones and that we own them all. */
-int zone = bitmap_scan(ctx->bitmap, 0, *scan_start, MAX_CT_ZONES + 1);
-if (zone == MAX_CT_ZONES + 1) {
-static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
-VLOG_WARN_RL(, "exhausted all ct zones");
-return false;
-}
-
-*scan_start = zone + 1;
-
-ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
-zone, true, zone_name);
-
-bitmap_set1(ctx->bitmap, zone);
-simap_put(>current, zone_name, zone);
-return true;
-}
-
-bool
-ct_zone_remove(struct ct_zone_ctx *ctx, const char *name)
-{
-struct simap_node *ct_zone = simap_find(>current, name);
-if (!ct_zone) {
-return false;
-}
-
-VLOG_DBG("removing ct zone %"PRId32" for '%s'", ct_zone->data,
- ct_zone->name);
-
-ct_zone_add_pending(>pending, CT_ZONE_OF_QUEUED,
-ct_zone->data, false, ct_zone->name);
-bitmap_set0(ctx->bitmap, ct_zone->data);
-simap_delete(>current, ct_zone);
-
-return true;
-}
-
 void
 ct_zones_update(const struct sset *local_lports,
 const struct hmap *local_datapaths, struct ct_zone_ctx *ctx)
@@ -170,7 +134,7 @@ ct_zones_update(const struct sset *local_lports,
 /* Delete zones that do not exist in above sset. */
 SIMAP_FOR_EACH_SAFE (ct_zone, >current) {
 if (!sset_contains(_users, ct_zone->name)) {
-ct_zone_remove(ctx, ct_zone->name);
+ct_zone_remove(ctx, ct_zone);
 } else if (!simap_find(_snat_zones, ct_zone->name)) {
 bitmap_set1(unreq_snat_zones_map, ct_zone->data);
 simap_put(_snat_zones, ct_zone->name, ct_zone->data);
@@ -276,12 +240,6 @@ ct_zones_commit(const struct ovsrec_bridge *br_int,
 }
 }
 
-int
-ct_zone_get_snat(const struct sbrec_datapath_binding *dp)
-{
-return smap_get_int(>external_ids, "snat-ct-zone", -1);
-}
-
 void
 ct_zones_pending_clear_commited(struct shash *pending)
 {
@@ -295,6 +253,108 @@ ct_zones_pending_clear_commited(struct shash *pending)
 }
 }
 
+/* Returns "true" when there is no need for full recompute. */
+bool
+ct_zone_handle_dp_update(struct ct_zone_ctx *ctx,
+ const struct sbrec_datapath_binding *dp)
+{
+int req_snat_zone = ct_zone_get_snat(dp);
+if (req_snat_zone == -1) {
+/* datapath snat ct zone is not set.  This condition will also hit
+ * when CMS clears the snat-ct-zone for the logical router.
+ * In this case there is no harm in using the previosly specified
+ * snat ct zone for this datapath.  Also it is hard to know
+ * if this option was cleared or if this option is never set. */
+return true;
+}
+
+const char *name = smap_get(>external_ids, "name");
+if (!name) {
+static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);
+VLOG_ERR_RL(, "Missing name for datapath '"UUID_FMT"' skipping"
+"zone check.", UUID_ARGS(>header_.uuid));
+return true;
+}
+
+/* Check if the requested snat zone has changed for the datapath
+ * or not.  If so, then fall back to full recompute of
+ * ct_zone engine. */
+char *snat_dp_zone_key = alloc_nat_zone_key(name, "snat");
+struct simap_node *simap_node =
+simap_find(>current, snat_dp_zone_key);
+free(snat_dp_zone_key);
+if (!simap_node || simap_node-&

[ovs-dev] [PATCH ovn 0/4] Add ability to limit CT entries per LS/LR/LSP

2024-05-23 Thread Ales Musil
Add the ability to set CT limits per logical switch, logical router or
logical switch port. When the limit is applied to a logical switch, it
is implicitly set for all logical ports in that switch. This can be
overridden individually per port.

To achieve this there is a small refactor of the CT zone handling logic
which allows us to get the zone limiting more easily.

Ales Musil (4):
  controller: Move CT zone handling into separate module.
  controller: Further encapsulate the CT zone handling.
  controller: Prepare structure around CT zone limiting.
  controller, northd: Add support for CT zone limits.

 NEWS|   3 +
 controller/automake.mk  |   4 +-
 controller/ct-zone.c| 604 
 controller/ct-zone.h|  89 ++
 controller/ofctrl.c |   5 +-
 controller/ovn-controller.c | 451 +++
 controller/ovn-controller.h |  21 +-
 controller/physical.c   |  17 +-
 controller/physical.h   |   2 +-
 controller/pinctrl.c|   2 +-
 lib/ovn-util.c  |  17 +
 lib/ovn-util.h  |   3 +
 northd/northd.c |   8 +
 ovn-nb.xml  |  29 ++
 tests/ovn-controller.at |  99 ++
 tests/ovn.at|   4 +-
 16 files changed, 917 insertions(+), 441 deletions(-)
 create mode 100644 controller/ct-zone.c
 create mode 100644 controller/ct-zone.h

-- 
2.45.0



Re: [ovs-dev] [PATCH ovn] tests: Ignore ovs-vswitchd received packet on unknown port.

2024-05-22 Thread Ales Musil
On Wed, May 22, 2024 at 9:59 AM Frode Nordahl  wrote:

>
>
> On Wed, May 22, 2024 at 9:48 AM Ales Musil  wrote:
>
>>
>>
>> On Mon, May 20, 2024 at 8:56 PM Frode Nordahl 
>> wrote:
>>
>>> The ovs-vswitchd daemon may in some situations, typically during
>>> teardown, log a warning level message 'received packet on unknown
>>> port ...'.
>>>
>>> Ignore this message.
>>>
>>> Reported-at: https://launchpad.net/bugs/2066194
>>> Signed-off-by: Frode Nordahl 
>>>
>>
>> Hi Frode,
>>
>> thank you for the fix, I have one concern, could we potentially hide some
>> bug by ignoring this message?
>> I know that during teardown it's harmful because the port might be
>> already gone.
>>
>
> Hello, Ales, Thank you for taking the time to review!
>
> That is a good question, I did indeed have the same thought, but the way
> the macros are currently laid out this was the only place to do it. Adding
> it to this specific test also feels wrong as it appears this message could
> potentially be emitted for every test given the right conditions.
>
> For this specific failure it appears to me that the message is benign, but
> we never know what else might crop up in the future.
>
> What would you think about performing the log check prior to teardown as
> opposed to after teardown as we do now? Or perhaps we could do both with
> different sets of ignored lists?
>
>
Actually looking at the list that we already have there is already "receive
tunnel port not found" which feels to be similar to this. Having two
separate sets might work out, however we would need to check in the second
call for the same stuff + some extra, but from this point of view it might
be safer.


>
> --
> Frode Nordahl
>
>
>> ---
>>>  tests/ovn-macros.at | 1 +
>>>  1 file changed, 1 insertion(+)
>>>
>>> diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
>>> index 32ab3b69f..3606b5fe3 100644
>>> --- a/tests/ovn-macros.at
>>> +++ b/tests/ovn-macros.at
>>> @@ -101,6 +101,7 @@ m4_define([OVN_CLEANUP_SBOX],[
>>>  /receive tunnel port not found*/d
>>>  /Failed to locate tunnel to reach main chassis/d
>>>  /Transaction causes multiple rows.*MAC_Binding/d
>>> +/received packet on unknown port/d
>>>  " $sbox])
>>>  ])
>>>
>>> --
>>> 2.43.0
>>>
>>> ___
>>> dev mailing list
>>> d...@openvswitch.org
>>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>>
>>>
>> Thanks,
>> Ales
>> --
>>
>> Ales Musil
>>
>> Senior Software Engineer - OVN Core
>>
>> Red Hat EMEA <https://www.redhat.com>
>>
>> amu...@redhat.com
>> <https://red.ht/sig>
>>
>
Thanks,
Ales


Re: [ovs-dev] [PATCH ovn] controller: Store src_mac, src_ip in svc_monitor struct.

2024-05-22 Thread Ales Musil
DER_LEN);
>  }
>
> @@ -8327,24 +8334,18 @@ svc_monitor_send_udp_health_check(struct rconn
> *swconn,
>struct svc_monitor *svc_mon,
>ovs_be16 udp_src)
>  {
> -struct eth_addr eth_src;
> -eth_addr_from_string(svc_mon->sb_svc_mon->src_mac, _src);
> -
>  uint64_t packet_stub[128 / 8];
>  struct dp_packet packet;
>  dp_packet_use_stub(, packet_stub, sizeof packet_stub);
>
>  if (svc_mon->is_ip6) {
> -struct in6_addr ip6_src;
> -ipv6_parse(svc_mon->sb_svc_mon->src_ip, _src);
> -pinctrl_compose_ipv6(, eth_src, svc_mon->ea,
> - _src, _mon->ip, IPPROTO_UDP,
> +pinctrl_compose_ipv6(, svc_mon->src_mac, svc_mon->ea,
> + _mon->src_ip, _mon->ip, IPPROTO_UDP,
>   63, UDP_HEADER_LEN + 8);
>  } else {
> -ovs_be32 ip4_src;
> -ip_parse(svc_mon->sb_svc_mon->src_ip, _src);
> -pinctrl_compose_ipv4(, eth_src, svc_mon->ea,
> - ip4_src,
> in6_addr_get_mapped_ipv4(_mon->ip),
> +pinctrl_compose_ipv4(, svc_mon->src_mac, svc_mon->ea,
> + in6_addr_get_mapped_ipv4(_mon->src_ip),
> + in6_addr_get_mapped_ipv4(_mon->ip),
>   IPPROTO_UDP, 63, UDP_HEADER_LEN + 8);
>  }
>
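Review bot: The IPv4 branch now takes the source from `in6_addr_get_mapped_ipv4(&svc_mon->src_ip)`, which in the OVS helper falls back to INADDR_ANY when the stored address is not v4-mapped, so a `src_ip` that failed to parse where the struct is populated (outside this hunk) would send health checks from 0.0.0.0 with nothing logged. The removed lines also ignored the results of `eth_addr_from_string()`, `ip_parse()` and `ipv6_parse()`, so this is not a regression. Still, the one-time parse is the natural place to check those results and to warn about, or skip, a monitor whose southbound `src_mac`/`src_ip` is malformed. A field comment such as `/* Stored v4-mapped for IPv4 monitors; validated when the monitor is created. */` would record the assumption this call relies on. The body of svc_monitor_send_udp_health_check continues past the end of the hunk.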
> --
> 2.44.0
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Other than that it looks good, feel free to add "Acked-by: Ales Musil <
amu...@redhat.com>" to v2.

Thanks,
Ales



Re: [ovs-dev] [PATCH ovn] ovn-nbctl: Show bfd option man for lr-policy-add command.

2024-05-22 Thread Ales Musil
On Mon, May 20, 2024 at 5:22 PM Lorenzo Bianconi <
lorenzo.bianc...@redhat.com> wrote:

> Add missing bfd option in ovn-nbctl manual for lr-policy-add command
>
> Fixes: 62d5491c0155 ("northd: Add BFD support for ECMP route policy.")
> Signed-off-by: Lorenzo Bianconi 
> ---
>  utilities/ovn-nbctl.8.xml | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/utilities/ovn-nbctl.8.xml b/utilities/ovn-nbctl.8.xml
> index ea2b201a5..340312b38 100644
> --- a/utilities/ovn-nbctl.8.xml
> +++ b/utilities/ovn-nbctl.8.xml
> @@ -1095,7 +1095,8 @@
>  Logical Router Policy Commands
>
>  
> -  [--may-exist]lr-policy-add
> +  [--may-exist] [--bfd]
> +  lr-policy-add
>router priority match
>action [nexthop[,nexthop,...]]
>[options key=value]] 
> --
> 2.45.1
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Looks good to me, thanks.

Acked-by: Ales Musil 


Re: [ovs-dev] [PATCH ovn] tests: Ignore ovs-vswitchd received packet on unknown port.

2024-05-22 Thread Ales Musil
On Mon, May 20, 2024 at 8:56 PM Frode Nordahl  wrote:

> The ovs-vswitchd daemon may in some situations, typically during
> teardown, log a warning level message 'received packet on unknown
> port ...'.
>
> Ignore this message.
>
> Reported-at: https://launchpad.net/bugs/2066194
> Signed-off-by: Frode Nordahl 
>

Hi Frode,

thank you for the fix, I have one concern, could we potentially hide some
bug by ignoring this message?
I know that during teardown it's harmful because the port might be already
gone.

---
>  tests/ovn-macros.at | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
> index 32ab3b69f..3606b5fe3 100644
> --- a/tests/ovn-macros.at
> +++ b/tests/ovn-macros.at
> @@ -101,6 +101,7 @@ m4_define([OVN_CLEANUP_SBOX],[
>  /receive tunnel port not found*/d
>  /Failed to locate tunnel to reach main chassis/d
>  /Transaction causes multiple rows.*MAC_Binding/d
> +/received packet on unknown port/d
>  " $sbox])
>  ])
>
> --
> 2.43.0
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Thanks,
Ales


Re: [ovs-dev] [PATCH ovn 0/4] Inclusive language changes for OVN code.

2024-05-22 Thread Ales Musil
On Tue, May 7, 2024 at 10:16 PM Mark Michelson  wrote:

> There is a growing movement to be more inclusive in the language used in
> code and its documentation.
>
> For this task, the following site was used to find a list of words that
> should be avoided: https://inclusivenaming.org/word-lists/ .
>
> Each of their tier 1, tier 2, and tier 3 words were searched in the code
> and replaced as necessary.
>
> Each commit is focused around the replacement of a single word from the
> word lists. In each case, the commit message will explain if there are
> any exceptions where the word was not replaced.
>
> There are some words you will find in the linked word list that are not
> addressed at all in these commits:
>
> * "segregate": This word appears only in an old NEWS entry. Changing
>   this would be more odd than leaving it alone. Considering this is a
>   tier 3 word on the linked word list, I opted to leave it as-is.
> * "man-in-the-middle": This appears in all ovn-*ctl utility manpages.
>   However, this is generated from an included file in the ovs submodule.
>   Therefore, changing this in OVN would require a change in OVS instead.
>
> The rest of the words in the list that are not addressed in this series
> do not appear anywhere in the OVN repository, as far as I could find.
>
> Mark Michelson (4):
>   Inclusive language substitutions: "abort".
>   Inclusive language substitutions: "master".
>   Inclusive language substitutions: "blacklist/whitelist".
>   Inclusive language substitutions: "sanity-check".
>
>  .ci/dpdk-prepare.sh|  2 +-
>  Documentation/topics/high-availability.rst |  2 +-
>  NEWS   |  4 ++
>  controller/chassis.c   |  2 +-
>  controller/ha-chassis.c|  2 +-
>  controller/ovn-controller.8.xml|  4 +-
>  controller/ovn-controller.c|  6 +--
>  ic/ovn-ic.c| 23 +
>  lib/inc-proc-eng.c | 38 +++---
>  lib/inc-proc-eng.h | 12 ++---
>  northd/inc-proc-northd.c   |  4 +-
>  ovn-architecture.7.xml |  2 +-
>  ovn-nb.xml | 12 ++---
>  ovn-sb.xml |  8 +--
>  tests/ofproto-macros.at|  4 +-
>  tests/ovn-controller-vtep.at   |  2 +-
>  tests/ovn-ic.at| 32 ++--
>  tests/ovn-northd.at| 60 +++---
>  tests/ovn-performance.at   |  4 +-
>  tests/ovn.at   | 14 ++---
>  tests/ovs-macros.at|  4 +-
>  tests/system-kmod-macros.at|  4 +-
>  tests/system-userspace-macros.at   |  4 +-
>  utilities/ovn-appctl.8.xml |  4 +-
>  utilities/ovn-nbctl.c  |  2 +-
>  25 files changed, 131 insertions(+), 124 deletions(-)
>
> --
> 2.44.0
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
The whole series looks good to me, thanks!

Acked-by: Ales Musil 


Re: [ovs-dev] [PATCH] [Patch ovn] text respresntations for drop sampling.

2024-05-21 Thread Ales Musil
t; MATCH, \
>ACTIONS, IN_OUT_PORT, NULL, STAGE_HINT, \
> -  OVS_SOURCE_LOCATOR, LFLOW_REF)
> +  OVS_SOURCE_LOCATOR, NULL, LFLOW_REF)
>
>  #define ovn_lflow_add(LFLOW_TABLE, OD, STAGE, PRIORITY, MATCH, ACTIONS, \
>LFLOW_REF) \
>  lflow_table_add_lflow(LFLOW_TABLE, OD, NULL, 0, STAGE, PRIORITY,
> MATCH, \
>ACTIONS, NULL, NULL, NULL, OVS_SOURCE_LOCATOR, \
> -  LFLOW_REF)
> +  NULL, LFLOW_REF)
> +
> +#define ovn_lflow_add_with_desc(LFLOW_TABLE, OD, STAGE, PRIORITY, MATCH, \
> +DESCRIPTION, LFLOW_REF) \
> +lflow_table_add_lflow(LFLOW_TABLE, OD, NULL, 0, STAGE, PRIORITY,
> MATCH, \
> +  debug_drop_action(), NULL, NULL, NULL,  \
> +  OVS_SOURCE_LOCATOR, DESCRIPTION, LFLOW_REF)
>
>  #define ovn_lflow_metered(LFLOW_TABLE, OD, STAGE, PRIORITY, MATCH,
> ACTIONS, \
>CTRL_METER, LFLOW_REF) \
> @@ -186,4 +193,4 @@ dec_ovn_dp_group_ref(struct hmap *dp_groups, struct
> ovn_dp_group *dpg)
>  }
>  }
>
> -#endif /* LFLOW_MGR_H */
> \ No newline at end of file
> +#endif /* LFLOW_MGR_H */
> diff --git a/northd/northd.c b/northd/northd.c
> index 0cabda7ea..14be8347f 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -8733,8 +8733,9 @@ build_lswitch_lflows_l2_unknown(struct ovn_datapath
> *od,
>"outport = \""MC_UNKNOWN "\"; output;",
>lflow_ref);
>  } else {
> -ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 50,
> -  "outport == \"none\"",  debug_drop_action(),
> +ovn_lflow_add_with_desc(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 50,
> +  "outport == \"none\"",
> +  "NO L2 DEST",
>

Maybe a personal preference, but it doesn't feel right being all capital.


>lflow_ref);
>  }
>  ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 0, "1",
> diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema
> index b6c051ae6..dc3384d29 100644
> --- a/ovn-sb.ovsschema
> +++ b/ovn-sb.ovsschema
> @@ -1,7 +1,7 @@
>  {
>  "name": "OVN_Southbound",
>  "version": "20.34.0",
> -"cksum": "2786607656 31376",
> +"cksum": "3752487770 31501",
>  "tables": {
>  "SB_Global": {
>  "columns": {
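Review bot: The `"version": "20.34.0"` context line is left unchanged even though this patch adds the `flow_desc` column (next hunk of this file) and updates `cksum`. Unless 20.34.0 was itself introduced earlier in the same unreleased cycle, the schema version should be bumped with the column addition, e.g. `"version": "20.35.0",`, and the checksum recomputed afterwards. Without the bump, a client or upgrade step cannot tell a database that has the new column from one that does not.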
> @@ -116,7 +116,9 @@
>   "min": 0, "max": 1}},
>  "external_ids": {
>  "type": {"key": "string", "value": "string",
> - "min": 0, "max": "unlimited"}}},
> + "min": 0, "max": "unlimited"}},
> +"flow_desc": {"type": {"key": {"type": "string"},
> + "min": 0, "max": 1}}},
>  "isRoot": true},
>  "Logical_DP_Group": {
>  "columns": {
> diff --git a/ovn-sb.xml b/ovn-sb.xml
> index 507a0b571..93a57cd06 100644
> --- a/ovn-sb.xml
> +++ b/ovn-sb.xml
> @@ -2913,6 +2913,11 @@ tcp.flags = RST;
>ovn-controller.
>  
>
> +
> +  Human-readable explanation of the flow, this is optional and used
> +  provide context for the given flow.
> +
> +
>  
>Human-readable name for this flow's stage in the pipeline.
>  
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index 680d96675..2adc2a529 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -12371,6 +12371,22 @@ AT_CHECK([grep -e "DHCP_RELAY_" lflows | sed
> 's/table=../table=??/'], [0], [dnl
>  AT_CLEANUP
>  ])
>
> +OVN_FOR_EACH_NORTHD_NO_HV([
> +AT_SETUP([check for flow_desc])
> +ovn_start
> +
> +check  ovn-nbctl -- set NB_Global .
> options:debug_drop_collector_set="123" \
> + -- set NB_Global . options:debug_drop_domain_id="1"
> +check ovn-nbctl --wait=hv sync
>

The sync should be after the ls-add otherwise the test might be flaky on
slower systems.

+
> +ovn-nbctl ls-add ls1
> +
> +flow_desc=$(fetch_column Logical_flow flow_desc match='"outport ==
> \"none\""')
> +AT_CHECK([test "$flow_desc" != ""])
> +
> +AT_CLEANUP
> +])
> +
>  AT_SETUP([NB_Global and SB_Global incremental processing])
>
>  ovn_start
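Review bot: The new test only asserts that the fetched column is non-empty (`test "$flow_desc" != ""`), so a wrong or truncated description would still pass. Comparing against the string set in the northd.c hunk pins the behaviour, e.g. `AT_CHECK([test "$flow_desc" = "NO L2 DEST"])`, assuming the match selects a single row. Separately, `ovn-nbctl ls-add ls1` runs without the `check` wrapper used on the neighbouring commands, so a failure of that command would only show up indirectly in the later assertion; `check ovn-nbctl ls-add ls1` makes it fail at the source.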
> --
> 2.42.0
>
>
Thanks,
Ales



Re: [ovs-dev] [PATCH ovn v2] northd: Fix an issue wrt mac binding aging.

2024-05-17 Thread Ales Musil
old], [0], [dnl
>  "2"
>  ])
> @@ -34566,12 +34583,12 @@ send_garp hv1 ext1 10 # belong to
> 192.168.10.0/24
>  send_garp hv2 ext2 20 # belong to 192.168.10.20/32
>  send_garp hv2 ext2 65 # belong to 192.168.10.64/26
>
> -OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep -q "192.168.10.10"])
> -OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep -q "192.168.10.20"])
> -OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep -q "192.168.10.65"])
> +wait_row_count mac_binding 2 ip="192.168.10.10"
> +wait_row_count mac_binding 2 ip="192.168.10.20"
> +wait_row_count mac_binding 2 ip="192.168.10.65"
>
>  OVS_WAIT_UNTIL([
> -test "0" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
> +test "1" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
>  ])
>  # The other two should remain because the corresponding prefixes have
> threshold 0
>  AT_CHECK([ovn-sbctl list mac_binding | grep -q "192.168.10.20"])
> @@ -34579,9 +34596,9 @@ AT_CHECK([ovn-sbctl list mac_binding | grep -q
> "192.168.10.65"])
>  check ovn-sbctl --all destroy mac_binding
>
>  # Set the aging threshold mixed with IPv6 prefixes and default threshold
> -check ovn-nbctl set logical_router gw
> options:mac_binding_age_threshold="2;
> 192.168.10.64/26:0;ff00:1234::/32:888;ff00::abcd:1"
> +check ovn-nbctl set logical_router gw-1
> options:mac_binding_age_threshold="2;
> 192.168.10.64/26:0;ff00:1234::/32:888;ff00::abcd:1"
>  check ovn-nbctl --wait=sb sync
> -uuid=$(fetch_column datapath _uuid external_ids:name=gw)
> +uuid=$(fetch_column datapath _uuid external_ids:name=gw-1)
>  AT_CHECK([ovn-sbctl get datapath $uuid
> external_ids:mac_binding_age_threshold], [0], [dnl
>  "1"
>  ])
> @@ -34594,15 +34611,15 @@ OVS_WAIT_UNTIL([ovn-sbctl list mac_binding |
> grep -q "192.168.10.10"])
>  OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep -q "192.168.10.65"])
>
>  OVS_WAIT_UNTIL([
> -test "0" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
> +test "1" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
>  ])
>  AT_CHECK([ovn-sbctl list mac_binding | grep -q "192.168.10.65"])
>  check ovn-sbctl --all destroy mac_binding
>
>  # Set the aging threshold with invalid format
> -check ovn-nbctl set logical_router gw
> options:mac_binding_age_threshold="1;abc/26:0"
> +check ovn-nbctl set logical_router gw-1
> options:mac_binding_age_threshold="1;abc/26:0"
>  check ovn-nbctl --wait=sb sync
> -uuid=$(fetch_column datapath _uuid external_ids:name=gw)
> +uuid=$(fetch_column datapath _uuid external_ids:name=gw-1)
>  AT_CHECK([ovn-sbctl get datapath $uuid
> external_ids:mac_binding_age_threshold], [1], [ignore], [ignore])
>
>  # Send GARP to populate MAC binding table records
> @@ -34612,6 +34629,34 @@ OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep
> -q "192.168.10.10"])
>  # The record is not deleted
>  sleep 5
>  AT_CHECK([ovn-sbctl list mac_binding | grep -q "192.168.10.10"])
> +check ovn-sbctl --all destroy mac_binding
> +
> +# Set the aging threshold on both routers and ensure that they are aged
> out of both the routers
> +AT_CHECK([ovn-nbctl set logical_router gw-1
> options:mac_binding_age_threshold=5])
> +AT_CHECK([ovn-nbctl set logical_router gw-2
> options:mac_binding_age_threshold=5])
> +check ovn-nbctl --wait=sb sync
> +uuid=$(fetch_column datapath _uuid external_ids:name=gw-1)
> +AT_CHECK([ovn-sbctl get datapath $uuid
> external_ids:mac_binding_age_threshold], [0], [dnl
> +"5"
> +])
> +uuid=$(fetch_column datapath _uuid external_ids:name=gw-2)
> +AT_CHECK([ovn-sbctl get datapath $uuid
> external_ids:mac_binding_age_threshold], [0], [dnl
> +"5"
> +])
> +
> +# Send GARP to populate MAC binding table records
> +send_garp hv1 ext1 10 # belong to 192.168.10.0/24
> +send_garp hv2 ext2 20 # belong to 192.168.10.20/32
> +
> +wait_row_count mac_binding 2 ip="192.168.10.10"
> +wait_row_count mac_binding 2 ip="192.168.10.20"
> +
> +OVS_WAIT_UNTIL([
> +test "0" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
> +])
> +OVS_WAIT_UNTIL([
> +test "0" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.20')"
> +])
>
>  OVN_CLEANUP([hv1], [hv2])
>  AT_CLEANUP
> --
> 2.22.3
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Looks good to me, thanks.

Acked-by: Ales Musil 



Re: [ovs-dev] [PATCH ovn 0/5] Fix I+P versus recompute differences.

2024-05-16 Thread Ales Musil
On Tue, Apr 23, 2024 at 1:54 PM Xavier Simonart  wrote:

> Comparing I+P flows versus flows after recompute highlighted a few
> issues.
>
> Xavier Simonart (5):
>   controller: Fix iface-id-ver handling.
>   controller: Nonvif related lports handling.
>   controller: Fix deletion of container parent port.
>   controller: Handle postponed ports claims.
>   controller: Handle postponed ports release.
>
>  controller/binding.c  |  68 ++---
>  controller/physical.c |   3 +-
>  tests/ovn.at  | 115 --
>  3 files changed, 174 insertions(+), 12 deletions(-)
>
> --
> 2.31.1
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
The whole series looks good to me, thanks.

Acked-by: Ales Musil 


Re: [ovs-dev] [PATCH ovn 0/7] Bump of CI Ubuntu and Fedora versions

2024-05-16 Thread Ales Musil
On Thu, May 16, 2024 at 5:57 PM Numan Siddique  wrote:

> On Tue, May 14, 2024 at 4:41 AM Ales Musil  wrote:
> >
> > The series is pretty small however it is required for the
> > bump to Ubuntu 24.04 and Fedora 40. Both have newer GCC and
> > Clang which brought up some issues that needed to be fixed.
> >
> > The series also includes fix for weekly runs to use Fedora
> > because the cache string wasn't specific enough.
> >
> > Ales Musil (7):
> >   ci: Pin Fedora version for the build-rpm job.
> >   ovs: Bump the submodule to the tip of branch-3.3.
> >   ci: Update the Ubuntu container to 24.04.
> >   tests: Replace wget with curl for failing commands.
> >   ci: Add missing packages to run Fedora image in GH CI.
> >   ci: Make sure that we are using proper image.
> >   ci: Bump the Fedora container to 40.
>
> Thanks for the patch series.
>
> I applied this patch series to the main.  Before applying I removed
> "dnf update" from .ci/linux-build.sh  as per
> the comments in the patch 5.
>


Thank you, would you mind backporting only the first patch to 24.03?

>
> Thanks
> Numan
>
> >
> >  .ci/linux-build.sh |  3 +++
> >  .github/workflows/test.yml |  7 ---
> >  ovs|  2 +-
> >  tests/system-ovn.at| 15 +++
> >  utilities/containers/fedora/Dockerfile |  3 ++-
> >  utilities/containers/ubuntu/Dockerfile | 11 ++-
> >  6 files changed, 27 insertions(+), 14 deletions(-)
> >
> > --
> > 2.44.0
> >
> > ___
> > dev mailing list
> > d...@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >
>
>
Thanks,
Ales


Re: [ovs-dev] [PATCH ovn] northd: Fix an issue wrt mac binding aging.

2024-05-15 Thread Ales Musil
_MAC_CACHE_USE,
> priority=100,ip,reg14=${port_key_2},metadata=${dp_key_2},dl_src=00:00:00:00:10:10,nw_src=192.168.10.10
> actions=drop
> + table=OFTABLE_MAC_CACHE_USE,
> priority=100,ip,reg14=${port_key_2},metadata=${dp_key_2},dl_src=00:00:00:00:10:20,nw_src=192.168.10.20
> actions=drop
> +])
>
>  # Test CIDR-based threshold configuration
> -check ovn-nbctl set logical_router gw options:mac_binding_age_threshold="
> 192.168.10.0/255.255.255.0:2;192.168.10.64/26:0;192.168.10.20:0"
> +check ovn-nbctl set logical_router gw-1
> options:mac_binding_age_threshold="
> 192.168.10.0/255.255.255.0:2;192.168.10.64/26:0;192.168.10.20:0"
>  check ovn-nbctl --wait=sb sync
> -uuid=$(fetch_column datapath _uuid external_ids:name=gw)
> +uuid=$(fetch_column datapath _uuid external_ids:name=gw-1)
>  AT_CHECK([ovn-sbctl get datapath $uuid
> external_ids:mac_binding_age_threshold], [0], [dnl
>  "2"
>  ])
> @@ -34566,12 +34583,12 @@ send_garp hv1 ext1 10 # belong to
> 192.168.10.0/24
>  send_garp hv2 ext2 20 # belong to 192.168.10.20/32
>  send_garp hv2 ext2 65 # belong to 192.168.10.64/26
>
> -OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep -q "192.168.10.10"])
> -OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep -q "192.168.10.20"])
> -OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep -q "192.168.10.65"])
> +wait_row_count mac_binding 2 ip="192.168.10.10"
> +wait_row_count mac_binding 2 ip="192.168.10.20"
> +wait_row_count mac_binding 2 ip="192.168.10.65"
>
>  OVS_WAIT_UNTIL([
> -test "0" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
> +test "1" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
>  ])
>  # The other two should remain because the corresponding prefixes have
> threshold 0
>  AT_CHECK([ovn-sbctl list mac_binding | grep -q "192.168.10.20"])
> @@ -34579,9 +34596,9 @@ AT_CHECK([ovn-sbctl list mac_binding | grep -q
> "192.168.10.65"])
>  check ovn-sbctl --all destroy mac_binding
>
>  # Set the aging threshold mixed with IPv6 prefixes and default threshold
> -check ovn-nbctl set logical_router gw
> options:mac_binding_age_threshold="2;
> 192.168.10.64/26:0;ff00:1234::/32:888;ff00::abcd:1"
> +check ovn-nbctl set logical_router gw-1
> options:mac_binding_age_threshold="2;
> 192.168.10.64/26:0;ff00:1234::/32:888;ff00::abcd:1"
>  check ovn-nbctl --wait=sb sync
> -uuid=$(fetch_column datapath _uuid external_ids:name=gw)
> +uuid=$(fetch_column datapath _uuid external_ids:name=gw-1)
>  AT_CHECK([ovn-sbctl get datapath $uuid
> external_ids:mac_binding_age_threshold], [0], [dnl
>  "1"
>  ])
> @@ -34594,15 +34611,15 @@ OVS_WAIT_UNTIL([ovn-sbctl list mac_binding |
> grep -q "192.168.10.10"])
>  OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep -q "192.168.10.65"])
>
>  OVS_WAIT_UNTIL([
> -test "0" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
> +test "1" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
>  ])
>  AT_CHECK([ovn-sbctl list mac_binding | grep -q "192.168.10.65"])
>  check ovn-sbctl --all destroy mac_binding
>
>  # Set the aging threshold with invalid format
> -check ovn-nbctl set logical_router gw
> options:mac_binding_age_threshold="1;abc/26:0"
> +check ovn-nbctl set logical_router gw-1
> options:mac_binding_age_threshold="1;abc/26:0"
>  check ovn-nbctl --wait=sb sync
> -uuid=$(fetch_column datapath _uuid external_ids:name=gw)
> +uuid=$(fetch_column datapath _uuid external_ids:name=gw-1)
>  AT_CHECK([ovn-sbctl get datapath $uuid
> external_ids:mac_binding_age_threshold], [1], [ignore], [ignore])
>
>  # Send GARP to populate MAC binding table records
> @@ -34613,6 +34630,24 @@ OVS_WAIT_UNTIL([ovn-sbctl list mac_binding | grep
> -q "192.168.10.10"])
>  sleep 5
>  AT_CHECK([ovn-sbctl list mac_binding | grep -q "192.168.10.10"])
>
> +# Set the aging threshold on both routers and ensure that they are aged
> out of both the routers
> +AT_CHECK([ovn-nbctl set logical_router gw-1
> options:mac_binding_age_threshold=5])
> +AT_CHECK([ovn-nbctl set logical_router gw-2
> options:mac_binding_age_threshold=5])
> +
> +# Send GARP to populate MAC binding table records
> +send_garp hv1 ext1 10 # belong to 192.168.10.0/24
> +send_garp hv2 ext2 20 # belong to 192.168.10.20/32
> +
> +wait_row_count mac_binding 2 ip="192.168.10.10"
> +wait_row_count mac_binding 2 ip="192.168.10.20"
> +
> +OVS_WAIT_UNTIL([
> +test "0" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.10')"
> +])
> +OVS_WAIT_UNTIL([
> +test "0" = "$(ovn-sbctl list mac_binding | grep -c '192.168.10.20')"
> +])
> +
>  OVN_CLEANUP([hv1], [hv2])
>  AT_CLEANUP
>  ])
> --
> 2.22.3
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Thanks,
Ales


Re: [ovs-dev] [PATCH ovn 5/7] ci: Add missing packages to run Fedora image in GH CI.

2024-05-14 Thread Ales Musil
On Tue, May 14, 2024 at 3:19 PM Ilya Maximets  wrote:

> On 5/14/24 10:38, Ales Musil wrote:
> > There were two things missing for the Fedora builds, 32-bit
> > version of glibc to allows the -m32 compilation on Fedora
> > and numactl-devel package.
> >
> > Signed-off-by: Ales Musil 
> > ---
> >  .ci/linux-build.sh | 3 +++
> >  utilities/containers/fedora/Dockerfile | 1 +
> >  2 files changed, 4 insertions(+)
> >
> > diff --git a/.ci/linux-build.sh b/.ci/linux-build.sh
> > index 78f17f8bd..12966f532 100755
> > --- a/.ci/linux-build.sh
> > +++ b/.ci/linux-build.sh
> > @@ -83,6 +83,9 @@ function configure_gcc()
> >  # do it directly because gcc-multilib is not available
> >  # for arm64
> >  sudo apt update && sudo apt install -y gcc-multilib
> > +elif which dnf; then
> > +# Install equivalent of gcc-multilib for Fedora.
> > +sudo dnf -y update && sudo dnf -y install glibc-devel.i686
>
> dnf always refreshes package cache.  'dnf update' will actually update
> all the packages to the latest versions.  I'm not sure it is an intended
> behavior here.
>

Yeah good point, we shouldn't update the packages just install the missing
one. So only the install part is needed, I'll wait for other reviews before
posting v2.


>
> >  fi
> >  fi
> >  }
> > diff --git a/utilities/containers/fedora/Dockerfile
> b/utilities/containers/fedora/Dockerfile
> > index 9b8386aae..d40a7b31f 100755
> > --- a/utilities/containers/fedora/Dockerfile
> > +++ b/utilities/containers/fedora/Dockerfile
> > @@ -28,6 +28,7 @@ RUN dnf -y update \
> >  libtool \
> >  net-tools \
> >  nmap-ncat \
> > +numactl-devel \
> >  openssl \
> >  openssl-devel \
> >  procps-ng \
>
>
Thanks,
Ales


[ovs-dev] [PATCH ovn 5/7] ci: Add missing packages to run Fedora image in GH CI.

2024-05-14 Thread Ales Musil
There were two things missing for the Fedora builds: the 32-bit
version of glibc, which allows the -m32 compilation on Fedora,
and the numactl-devel package.

Signed-off-by: Ales Musil 
---
 .ci/linux-build.sh | 3 +++
 utilities/containers/fedora/Dockerfile | 1 +
 2 files changed, 4 insertions(+)

diff --git a/.ci/linux-build.sh b/.ci/linux-build.sh
index 78f17f8bd..12966f532 100755
--- a/.ci/linux-build.sh
+++ b/.ci/linux-build.sh
@@ -83,6 +83,9 @@ function configure_gcc()
 # do it directly because gcc-multilib is not available
 # for arm64
 sudo apt update && sudo apt install -y gcc-multilib
+elif which dnf; then
+# Install equivalent of gcc-multilib for Fedora.
+sudo dnf -y update && sudo dnf -y install glibc-devel.i686
 fi
 fi
 }
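Review bot: The new `elif which dnf; then` branch depends on the external `which` binary and prints the resolved path into the CI log; `elif command -v dnf >/dev/null 2>&1; then` uses the shell builtin and stays quiet. Minimal Fedora images do not necessarily ship `which`, in which case this branch would be skipped without any message and the -m32 build would fail later for a less obvious reason, so it is worth checking against the container's package list. The preceding branch is only partly visible here, so the same may apply to it. configure_gcc() starts outside the hunk.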
diff --git a/utilities/containers/fedora/Dockerfile 
b/utilities/containers/fedora/Dockerfile
index 9b8386aae..d40a7b31f 100755
--- a/utilities/containers/fedora/Dockerfile
+++ b/utilities/containers/fedora/Dockerfile
@@ -28,6 +28,7 @@ RUN dnf -y update \
 libtool \
 net-tools \
 nmap-ncat \
+numactl-devel \
 openssl \
 openssl-devel \
 procps-ng \
-- 
2.44.0



[ovs-dev] [PATCH ovn 7/7] ci: Bump the Fedora container to 40.

2024-05-14 Thread Ales Musil
Now that all failures were resolved for Fedora 40
we can bump the version in the container.

Signed-off-by: Ales Musil 
---
 utilities/containers/fedora/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utilities/containers/fedora/Dockerfile 
b/utilities/containers/fedora/Dockerfile
index d40a7b31f..019e9f138 100755
--- a/utilities/containers/fedora/Dockerfile
+++ b/utilities/containers/fedora/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/fedora/fedora:39
+FROM quay.io/fedora/fedora:40
 
 ARG CONTAINERS_PATH
 
-- 
2.44.0



[ovs-dev] [PATCH ovn 4/7] tests: Replace wget with curl for failing commands.

2024-05-14 Thread Ales Musil
wget2 has a bug and doesn't return proper exit code on error [0].
Replace wget with curl in places where we expect exit code to
be different from 0.

[0] https://gitlab.com/gnuwget/wget2/-/issues/652
Signed-off-by: Ales Musil 
---
 tests/system-ovn.at| 15 +++
 utilities/containers/ubuntu/Dockerfile |  1 +
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index 86fd240d2..f49330a1e 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -1439,7 +1439,7 @@ OVS_START_L7([bar3], [http])
 check ovn-nbctl --apply-after-lb acl-add foo from-lport 1002 "ip4 && ip4.dst 
== {172.16.1.2,172.16.1.3,172.16.1.4} && ct.new" drop
 check ovn-nbctl --wait=hv sync
 
-AT_CHECK([ip netns exec foo1 wget 30.0.0.1 -t 3 -T 1], [4], [ignore], [ignore])
+AT_CHECK([ip netns exec foo1 curl 30.0.0.1 --retry 3 --max-time 1], [28], 
[ignore], [ignore])
 
 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
 
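Review bot: `curl 30.0.0.1 --retry 3 --max-time 1` is not a one-to-one replacement for `wget -t 3 -T 1`: `-t 3` means three tries in total, while `--retry 3` means three further attempts after the first, with a back-off pause between them, and a timeout counts as retryable. For a check whose expected result is exit code 28 (the ACL drops the traffic), the retries only lengthen the test; `curl 30.0.0.1 --max-time 1` would assert the same thing. The same form is used in the hunks at lines 9770 and 9915. Keeping the exact codes 28 and 7 is useful, since it distinguishes a silent drop from a reject.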
@@ -1603,7 +1603,7 @@ ovn-nbctl --reject lb-add lb3 30.0.0.10:80 ""
 ovn-nbctl ls-lb-add foo lb3
 # Filter reset segments
 NETNS_START_TCPDUMP([foo1], [-c 1 -neei foo1 ip[[33:1]]=0x14], [rst])
-NS_CHECK_EXEC([foo1], [wget -q 30.0.0.10],[4])
+NS_CHECK_EXEC([foo1], [curl 30.0.0.10 -s --retry 3 --max-time 1], [7])
 
 OVS_WAIT_UNTIL([
 n_reset=$(cat rst.tcpdump | wc -l)
@@ -4627,7 +4627,7 @@ NS_CHECK_EXEC([sw1-p1], [kill $(cat $pid_file)])
 NETNS_START_TCPDUMP([sw0-p2], [-c 1 -neei sw0-p2 ip[[33:1]]=0x14], [rst])
 OVS_WAIT_UNTIL([test 2 = `ovn-sbctl --bare --columns status find \
 service_monitor protocol=tcp | sed '/^$/d' | grep offline | wc -l`])
-NS_CHECK_EXEC([sw0-p2], [wget 10.0.0.10 -v -o wget$i.log],[4])
+NS_CHECK_EXEC([sw0-p2], [curl 10.0.0.10 -v > curl$i.log 2>&1],[7])
 
 OVS_WAIT_UNTIL([
 n_reset=$(cat rst.tcpdump | wc -l)
@@ -9770,7 +9770,7 @@ OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-groups 
br-int | \
 grep 'nat(dst=192.168.2.2:80)'])
 
 # should not dnat so will not be able to connect
-AT_CHECK([ip netns exec foo1 wget   30.30.30.30  -t 3 -T 1], [4], [ignore], 
[ignore])
+AT_CHECK([ip netns exec foo1 curl 30.30.30.30 --retry 3 --max-time 1], [28], 
[ignore], [ignore])
 
 # check conntrack zone has no tcp entry
 AT_CHECK([ovs-appctl dpctl/dump-conntrack zone=$zone_id | \
@@ -9840,14 +9840,14 @@ ovn-nbctl lsp-add bar rp-bar -- set Logical_Switch_Port 
rp-bar \
 # Logical port 'foo1' in switch 'foo'.
 ADD_NAMESPACES(foo1)
 ADD_VETH(foo1, foo1, br-int, "fd11::2/64", "f0:00:00:01:02:03", \
- "fd11::1")
+ "fd11::1", "nodad")
 ovn-nbctl lsp-add foo foo1 \
 -- lsp-set-addresses foo1 "f0:00:00:01:02:03 fd11::2"
 
 # Logical port 'bar1' in switch 'bar'.
 ADD_NAMESPACES(bar1)
 ADD_VETH(bar1, bar1, br-int, "fd12::2/64", "f0:00:00:01:02:05", \
-"fd12::1")
+ "fd12::1",  "nodad")
 ovn-nbctl lsp-add bar bar1 \
 -- lsp-set-addresses bar1 "f0:00:00:01:02:05 fd12::2"
 
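Review bot: The `"nodad"` argument added to both ADD_VETH calls is not covered by the commit message, which only describes the wget to curl replacement. If it is there so that the IPv6 addresses are usable immediately for the curl checks (presumably by skipping duplicate address detection), that reason belongs in the description or in a comment such as `# Skip DAD so the address is usable right away.` above the calls. The second call also has a doubled space before `"nodad"`.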
@@ -9864,7 +9864,6 @@ grep 'nat(dst=\[[fd12::2\]]:80)'])
 zone_id=$(ovn-appctl -t ovn-controller ct-zone-list | grep foo1 | cut -d ' ' 
-f2)
 
 OVS_START_L7([bar1], [http6])
-
 AT_CHECK([ip netns exec foo1  wget http://[[fd12::2]] -t 3 -T 1], [0], 
[ignore], [ignore])
 
 # check conntrack zone has tcp entry
@@ -9915,7 +9914,7 @@ OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-groups 
br-int | \
 grep 'nat(dst=\[[fd12::2\]]:80)'])
 
 # should not dnat so will not be able to connect
-AT_CHECK([ip netns exec foo1 wget  http://[[fd30::2]]  -t 3 -T 1], [4], 
[ignore], [ignore])
+AT_CHECK([ip netns exec foo1 curl http://[[fd30::2]] --retry 3 --max-time 1], 
[28], [ignore], [ignore])
 #
 # check conntrack zone has no tcp entry
 AT_CHECK([ovs-appctl dpctl/dump-conntrack zone=$zone_id | \
diff --git a/utilities/containers/ubuntu/Dockerfile 
b/utilities/containers/ubuntu/Dockerfile
index c1ff711c5..ce7ce16c6 100755
--- a/utilities/containers/ubuntu/Dockerfile
+++ b/utilities/containers/ubuntu/Dockerfile
@@ -11,6 +11,7 @@ RUN apt update -y \
 automake \
 bc \
 clang \
+curl \
 ethtool \
 gcc \
 git \
-- 
2.44.0



[ovs-dev] [PATCH ovn 6/7] ci: Make sure that we are using proper image.

2024-05-14 Thread Ales Musil
The container image for scheduled jobs was supposed to be Fedora,
however there was already Ubuntu image in the cache. Make sure
the cache is distinguished also by the event name.

Signed-off-by: Ales Musil 
---
 .github/workflows/test.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 22e4d339d..efe2dac25 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -131,7 +131,7 @@ jobs:
 uses: actions/cache@v4
 with:
   path: /tmp/image.tar
-  key: ${{ github.sha }}
+  key: ${{ github.sha }}/${{ github.event_name }}
 
   build-linux:
 needs: [build-dpdk, prepare-container]
@@ -212,10 +212,11 @@ jobs:
 key: ${{ needs.build-dpdk.outputs.dpdk_key }}
 
 - name: image cache
+  id: image_cache
   uses: actions/cache@v4
   with:
 path: /tmp/image.tar
-key: ${{ github.sha }}
+key: ${{ github.sha }}/${{ github.event_name }}
 
 # XXX This should be removed when native crun >=1.9.1
 - name: update crun script
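Review bot: The added `id: image_cache` is not referenced anywhere in this hunk, so it is unclear what consumes it. If the intent is to guard against a job running with a missing image, `fail-on-cache-miss: true` under `with:` would make the restore step fail at that point instead. The key `${{ github.sha }}/${{ github.event_name }}` is now spelled out in both cache steps (here and in the hunk at line 131) and the two must stay identical for the restore to hit, so defining it once in a workflow-level `env` entry would keep them in sync. The job definitions continue outside the hunk.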
-- 
2.44.0



[ovs-dev] [PATCH ovn 0/7] Bump of CI Ubuntu and Fedora versions

2024-05-14 Thread Ales Musil
The series is pretty small however it is required for the
bump to Ubuntu 24.04 and Fedora 40. Both have newer GCC and
Clang which brought up some issues that needed to be fixed.

The series also includes fix for weekly runs to use Fedora
because the cache string wasn't specific enough.

Ales Musil (7):
  ci: Pin Fedora version for the build-rpm job.
  ovs: Bump the submodule to the tip of branch-3.3.
  ci: Update the Ubuntu container to 24.04.
  tests: Replace wget with curl for failing commands.
  ci: Add missing packages to run Fedora image in GH CI.
  ci: Make sure that we are using proper image.
  ci: Bump the Fedora container to 40.

 .ci/linux-build.sh |  3 +++
 .github/workflows/test.yml |  7 ---
 ovs|  2 +-
 tests/system-ovn.at| 15 +++
 utilities/containers/fedora/Dockerfile |  3 ++-
 utilities/containers/ubuntu/Dockerfile | 11 ++-
 6 files changed, 27 insertions(+), 14 deletions(-)

-- 
2.44.0



[ovs-dev] [PATCH ovn 3/7] ci: Update the Ubuntu container to 24.04.

2024-05-14 Thread Ales Musil
Ubuntu 24.04 marks the Python installation as externally managed,
which prevents pip from installing system-wide packages. Set the
PIP_BREAK_SYSTEM_PACKAGES env variable, which allows pip to ignore
this and install the packages anyway.

At the same time the Python Babel fails to detect timezone when
it is just set to UTC. Setting it to Etc/UTC fixes the issue:

ValueError: ZoneInfo keys may not be absolute paths, got: /UTC

Signed-off-by: Ales Musil 
---
 utilities/containers/ubuntu/Dockerfile | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/utilities/containers/ubuntu/Dockerfile 
b/utilities/containers/ubuntu/Dockerfile
index ac1e6a5bf..c1ff711c5 100755
--- a/utilities/containers/ubuntu/Dockerfile
+++ b/utilities/containers/ubuntu/Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.hub.docker.com/library/ubuntu:22.04
+FROM registry.hub.docker.com/library/ubuntu:24.04
 
 ARG CONTAINERS_PATH
 
@@ -37,6 +37,7 @@ RUN apt update -y \
 selinux-policy-dev \
 sudo \
 tcpdump \
+tzdata \
 wget \
 && \
 apt autoremove \
@@ -73,6 +74,10 @@ WORKDIR /workspace
 
 COPY $CONTAINERS_PATH/py-requirements.txt /tmp/py-requirements.txt
 
+# Ubuntu 24.04 marks the Python installation as externally managed, allow pip
+# to install the packages despite that.
+ENV PIP_BREAK_SYSTEM_PACKAGES 1
+
 # Update and install pip dependencies
 RUN python3 -m pip install --upgrade pip \
 && \
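Review bot: `ENV PIP_BREAK_SYSTEM_PACKAGES 1` stays set in the final image, so every later `pip` call made inside the CI container also bypasses the externally-managed check, not only the two installs in this Dockerfile. Scoping it to the build with `ARG PIP_BREAK_SYSTEM_PACKAGES=1`, or passing `--break-system-packages` on the two `pip install` lines, keeps the override where it is needed; if the CI scripts rely on it at run time, the comment should say so. Both new `ENV` lines (this one and `ENV TZ Etc/UTC` in the next hunk) use the legacy space-separated form, and `ENV PIP_BREAK_SYSTEM_PACKAGES=1` is the current syntax. The RUN instruction continues outside the hunk.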
@@ -80,4 +85,7 @@ RUN python3 -m pip install --upgrade pip \
 && \
 python3 -m pip install -r /tmp/py-requirements.txt
 
+# The Python Babel fails to detect timezone when it is set to UTC only.
+ENV TZ Etc/UTC
+
 CMD ["/sbin/init"]
-- 
2.44.0



[ovs-dev] [PATCH ovn 2/7] ovs: Bump the submodule to the tip of branch-3.3.

2024-05-14 Thread Ales Musil
The branch-3.3 includes fixes that are required for Fedora 40
and Ubuntu 24.04 bump.

cf461fe282c9 ("conntrack: Do not use {0} to initialize unions.")
4756bf4baf1e ("ofproto-dpif-trace: Fix access to an out-of-scope stack memory.")
01eca18be187 ("hash, jhash: Fix unaligned access to the hash remainder.")
4f61523c0d50 ("sparse: Add additional define for sparse on GCC >= 14.")
9a5c24d70fb6 ("sparse: Add immintrin.h header.")
3528cc6f452a ("tc: Fix -Wgnu-variable-sized-type-not-at-end warning with Clang 
18.")
5814de56878f ("tests: Fix build failure with Clang 18 due to 
-Wformat-truncation.")

Signed-off-by: Ales Musil 
---
 ovs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ovs b/ovs
index f19448b86..bf1b16364 16
--- a/ovs
+++ b/ovs
@@ -1 +1 @@
-Subproject commit f19448b8618967a108ec6f34713dd811ce1d1334
+Subproject commit bf1b16364b3f01b0ff5f2f6e76842e666226a17b
-- 
2.44.0



[ovs-dev] [PATCH ovn 1/7] ci: Pin Fedora version for the build-rpm job.

2024-05-14 Thread Ales Musil
Keep the Fedora version pinned to 40 for the build-rpm.

Fixes: 8f18b3b6c52f ("ci: Keep the container version pinned.")
Signed-off-by: Ales Musil 
---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 456ab5c69..22e4d339d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -315,7 +315,7 @@ jobs:
   build-linux-rpm:
 name: linux rpm fedora
 runs-on: ubuntu-22.04
-container: fedora:latest
+container: fedora:40
 timeout-minutes: 30
 
 strategy:
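Review bot: `container: fedora:40` is an unqualified image name, while the Fedora Dockerfile changed elsewhere in this series pulls `quay.io/fedora/fedora:40`, so the rpm job resolves its image through the runner's default registry rather than the one the rest of CI uses. Writing `container: quay.io/fedora/fedora:40` would make both jobs take the image from the same source. The job definition continues outside the hunk.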
-- 
2.44.0



Re: [ovs-dev] [PATCH ovn v4] controller: Track individual address set constants.

2024-05-12 Thread Ales Musil
On Sun, May 12, 2024 at 11:17 PM Sri kor  wrote:

> Hi @num...@ovn.org  @Ales Musil  ,
> Currently we are on OVN 23.09. We are facing the following syntax
> error with the address_set.From the diff, looks like you address this fix.
> Is this something expected?
>
> *2024-05-11T17:35:28.694Z|153935|lflow|WARN|error parsing match "reg0[7]
> == 1 && ((ip4.src ==
> $a_781ac228_38ae_4f04_9cc1_707543df50c8_addr_set_b8f7bf7f_83b3_48bc_a0d5_bc5d55438e4a)
> && (172.27.0.0 <= ip4.dst <= 172.27.255.255) && (1 <= tcp.src <= 65535 || 1
> <= udp.src <= 65535) && (tcp.dst == 22 || udp.dst == 22) && outport ==
> @a_781ac228_38ae_4f04_9cc1_707543df50c8_pg_0ea55446_0df6_4358_8442_56893854004c)":
> Syntax error at
> `$a_781ac228_38ae_4f04_9cc1_707543df50c8_addr_set_b8f7bf7f_83b3_48bc_a0d5_bc5d55438e4a'
> expecting address set name.*
>
>
> *Here are the transaction details .*
>
> *[{Op:insert Table:ACL Row:map[action:allow-related direction:to-lport
> external_ids:{GoMap:map[crusoe_fw_rule_id:770b6929-88d1-4659-ba3b-ed84ccfd71a0
> crusoe_vpc_id:0ea55446-0df6-4358-8442-56893854004c
> customer_id:781ac228-38ae-4f04-9cc1-707543df50c8]} log:false match:(ip4.src
> ==
> $a_781ac228_38ae_4f04_9cc1_707543df50c8_addr_set_b8f7bf7f_83b3_48bc_a0d5_bc5d55438e4a)
> && (172.27.0.0 <= ip4.dst <= 172.27.255.255) && (1 <= tcp.src <= 65535 || 1
> <= udp.src <= 65535) && (tcp.dst == 22 || udp.dst == 22) && outport ==
> @a_781ac228_38ae_4f04_9cc1_707543df50c8_pg_0ea55446_0df6_4358_8442_56893854004c
> name:{GoSet:[a_781ac228_38ae_4f04_9cc1_707543df50c8_acl_770b6929_88d1_4659_b]}
> priority:2000] Rows:[] Columns:[] Mutations:[] Timeout: Where:[]
> Until: Durable: Comment: Lock:
> UUIDName:_641d4ca1_7596_4004_b577_0f34e0bab87d} {Op:mutate Table:Port_Group
> Row:map[] Rows:[] Columns:[] Mutations:[{Column:acls Mutator:insert
> Value:{GoSet:[{GoUUID:_641d4ca1_7596_4004_b577_0f34e0bab87d}]}}]
> Timeout: Where:[where column _uuid ==
> {00383922-81ce-4491-9115-6ea2dfc79aea}] Until: Durable: Comment:
> Lock: UUIDName:} {Op:mutate Table:NB_Global Row:map[] Rows:[]
> Columns:[] Mutations:[{Column:nb_cfg Mutator:+= Value:1}] Timeout:
> Where:[where column _uuid == {be2921c1-99ae-423b-a69c-a43e67d8424e}] Until:
> Durable: Comment: Lock: UUIDName:} {Op:select
> Table:NB_Global Row:map[] Rows:[] Columns:[nb_cfg] Mutations:[]
> Timeout: Where:[] Until: Durable: Comment: Lock:
> UUIDName:}]*
>
>
> *Thanks*
>
> *Srini*
>
>
Hi,

this seems to be unrelated to the patch. It looks like the controller is
not able to recognize the address set name and doesn't parse it correctly.
Is this address set present in the SB DB?

Thanks,
Ales

On Fri, May 10, 2024 at 9:43 AM Numan Siddique  wrote:
>
>> On Fri, May 10, 2024 at 12:39 PM Han Zhou  wrote:
>> >
>> > On Fri, May 10, 2024 at 9:23 AM Numan Siddique  wrote:
>> > >
>> > > On Fri, May 10, 2024 at 2:37 AM Han Zhou  wrote:
>> > > >
>> > > > On Thu, May 9, 2024 at 10:32 AM Mark Michelson > >
>> > wrote:
>> > > > >
>> > > > > On 5/7/24 02:12, Han Zhou wrote:
>> > > > > >
>> > > > > >
>> > > > > > On Mon, May 6, 2024 at 10:37 PM Ales Musil > > > > > > <mailto:amu...@redhat.com>> wrote:
>> > > > > >  >
>> > > > > >  >
>> > > > > >  >
>> > > > > >  > On Mon, May 6, 2024 at 8:41 PM Han Zhou > > > > > > <mailto:hz...@ovn.org>> wrote:
>> > > > > >  >>
>> > > > > >  >>
>> > > > > >  >>
>> > > > > >  >> On Thu, May 2, 2024 at 10:35 PM Ales Musil <
>> amu...@redhat.com
>> > > > > > <mailto:amu...@redhat.com>> wrote:
>> > > > > >  >> >
>> > > > > >  >> > On Thu, May 2, 2024 at 6:23 PM Han Zhou > > > > > > <mailto:hz...@ovn.org>> wrote:
>> > > > > >  >> > >
>> > > > > >  >> > >
>> > > > > >  >> > >
>> > > > > >  >> > > On Thu, May 2, 2024 at 6:29 AM Ales Musil <
>> amu...@redhat.com
>> > > > > > <mailto:amu...@redhat.com>> wrote:
>> > > > > >  >> > > >
>> > > > > >  >> > > > Instead of tracking address set per struct
>> > expr_constant_set
>> > >

Re: [ovs-dev] [PATCH ovn v2] ovn-controller: Initialize bitmap to zero.

2024-05-10 Thread Ales Musil
On Fri, May 10, 2024 at 1:34 PM Ilya Maximets  wrote:

> On 5/10/24 12:57, Ales Musil wrote:
> > The bitmap used in the update_ct_zones was uninitialized, and it could
> > contain any value besides 0. Use the bitmap_allocate() function instead,
> > to allocate the bitmap in heap rather than stack, the allocate makes sure
> > that the memory is properly zeroed.
> > This was caught by valgrind:
> >
> > Conditional jump or move depends on uninitialised value(s)
> > at 0x44074B: update_ct_zones (ovn-controller.c:812)
> > by 0x440DC9: en_ct_zones_run (ovn-controller.c:2579)
> > by 0x468BB7: engine_recompute (inc-proc-eng.c:415)
> > by 0x46954C: engine_compute (inc-proc-eng.c:454)
> > by 0x46954C: engine_run_node (inc-proc-eng.c:503)
> > by 0x46954C: engine_run (inc-proc-eng.c:528)
> > by 0x40AE9D: main (ovn-controller.c:5776)
> > Uninitialised value was created by a stack allocation
> > at 0x440313: update_ct_zones (ovn-controller.c:747)
> >
> > Fixes: f9cab11d5fab ("Allow explicit setting of the SNAT zone on a
> gateway router.")
> > Signed-off-by: Ales Musil 
> > ---
> > v2: Use bitmap_allocate() instead of array on stack.
> > ---
> >  controller/ovn-controller.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
> > index 453dc62fd..8ee2da2fd 100644
> > --- a/controller/ovn-controller.c
> > +++ b/controller/ovn-controller.c
> > @@ -732,7 +732,7 @@ update_ct_zones(const struct sset *local_lports,
> >  const char *user;
> >  struct sset all_users = SSET_INITIALIZER(_users);
> >  struct simap req_snat_zones = SIMAP_INITIALIZER(_snat_zones);
> > -unsigned long unreq_snat_zones_map[BITMAP_N_LONGS(MAX_CT_ZONES)];
> > +unsigned long *unreq_snat_zones_map = bitmap_allocate(MAX_CT_ZONES);
> >  struct simap unreq_snat_zones =
> SIMAP_INITIALIZER(_snat_zones);
> >
> >  const char *local_lport;
> > @@ -843,6 +843,7 @@ update_ct_zones(const struct sset *local_lports,
> >  simap_destroy(_snat_zones);
> >  simap_destroy(_snat_zones);
> >  sset_destroy(_users);
> > +free(unreq_snat_zones_map);
> >  }
> >
> >  static void
>
> Thanks, Ales.  This change LGTM.
>
> Though I'm a bit surprised asan didn't catch this.  Is this code not
> covered by tests?
>

It should be covered indirectly by a lot of tests, but there are some that
target this code specifically e.g. "resolve CT zone conflicts from ovsdb".


>
> Best regards, Ilya Maximets.
>
>
Thanks,
Ales

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH ovn v2] ovn-controller: Initialize bitmap to zero.

2024-05-10 Thread Ales Musil
The bitmap used in the update_ct_zones was uninitialized, and it could
contain any value besides 0. Use the bitmap_allocate() function instead,
to allocate the bitmap in heap rather than stack, the allocate makes sure
that the memory is properly zeroed.
This was caught by valgrind:

Conditional jump or move depends on uninitialised value(s)
at 0x44074B: update_ct_zones (ovn-controller.c:812)
by 0x440DC9: en_ct_zones_run (ovn-controller.c:2579)
by 0x468BB7: engine_recompute (inc-proc-eng.c:415)
by 0x46954C: engine_compute (inc-proc-eng.c:454)
by 0x46954C: engine_run_node (inc-proc-eng.c:503)
by 0x46954C: engine_run (inc-proc-eng.c:528)
by 0x40AE9D: main (ovn-controller.c:5776)
Uninitialised value was created by a stack allocation
at 0x440313: update_ct_zones (ovn-controller.c:747)

Fixes: f9cab11d5fab ("Allow explicit setting of the SNAT zone on a gateway 
router.")
Signed-off-by: Ales Musil 
---
v2: Use bitmap_allocate() instead of array on stack.
---
 controller/ovn-controller.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 453dc62fd..8ee2da2fd 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -732,7 +732,7 @@ update_ct_zones(const struct sset *local_lports,
 const char *user;
 struct sset all_users = SSET_INITIALIZER(_users);
 struct simap req_snat_zones = SIMAP_INITIALIZER(_snat_zones);
-unsigned long unreq_snat_zones_map[BITMAP_N_LONGS(MAX_CT_ZONES)];
+unsigned long *unreq_snat_zones_map = bitmap_allocate(MAX_CT_ZONES);
 struct simap unreq_snat_zones = SIMAP_INITIALIZER(_snat_zones);
 
 const char *local_lport;
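Review bot: `unreq_snat_zones_map` is now heap-owned, and the only `free()` is the one added at the very end of update_ct_zones() in the second hunk. The body between the two hunks is not visible here, so it is worth confirming that no `return` sits in between. A short comment on the declaration, such as `/* Zeroed by bitmap_allocate(); freed at the end of the function. */`, would keep a later early exit from leaking it. update_ct_zones() starts and ends outside the hunk.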
@@ -843,6 +843,7 @@ update_ct_zones(const struct sset *local_lports,
 simap_destroy(_snat_zones);
 simap_destroy(_snat_zones);
 sset_destroy(_users);
+free(unreq_snat_zones_map);
 }
 
 static void
-- 
2.44.0



Re: [ovs-dev] [PATCH ovn] ovn-controller: Initialize bitmap to zero.

2024-05-10 Thread Ales Musil
On Fri, May 10, 2024 at 11:23 AM Ilya Maximets  wrote:

> On 5/10/24 10:44, Ales Musil wrote:
> > The bitmap used in the update_ct_zones was uninitialized and it could
> > contain any value besides 0, make sure we initialize it to 0 instead.
> > This was caught by valgrind:
> >
> > Conditional jump or move depends on uninitialised value(s)
> > at 0x44074B: update_ct_zones (ovn-controller.c:812)
> > by 0x440DC9: en_ct_zones_run (ovn-controller.c:2579)
> > by 0x468BB7: engine_recompute (inc-proc-eng.c:415)
> > by 0x46954C: engine_compute (inc-proc-eng.c:454)
> > by 0x46954C: engine_run_node (inc-proc-eng.c:503)
> > by 0x46954C: engine_run (inc-proc-eng.c:528)
> > by 0x40AE9D: main (ovn-controller.c:5776)
> > Uninitialised value was created by a stack allocation
> > at 0x440313: update_ct_zones (ovn-controller.c:747)
> >
> > Fixes: f9cab11d5fab ("Allow explicit setting of the SNAT zone on a
> gateway router.")
> > Signed-off-by: Ales Musil 
> > ---
> >  controller/ovn-controller.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
> > index 453dc62fd..2388a1c15 100644
> > --- a/controller/ovn-controller.c
> > +++ b/controller/ovn-controller.c
> > @@ -732,7 +732,7 @@ update_ct_zones(const struct sset *local_lports,
> >  const char *user;
> >  struct sset all_users = SSET_INITIALIZER(_users);
> >  struct simap req_snat_zones = SIMAP_INITIALIZER(_snat_zones);
> > -unsigned long unreq_snat_zones_map[BITMAP_N_LONGS(MAX_CT_ZONES)];
> > +unsigned long unreq_snat_zones_map[BITMAP_N_LONGS(MAX_CT_ZONES)] =
> {0};
> >  struct simap unreq_snat_zones =
> SIMAP_INITIALIZER(_snat_zones);
> >
> >  const char *local_lport;
>
> Hi, Ales.  Thanks for the fix!
>
> The issue is caused by not using a proper bitmap API.  Can we just use
> the bitmap_allocate() here instead?  With the amount of dynamic memory
> allocations this function does with all the hash maps adding one more
> allocation will not make any difference, but may protect from potential
> issues of not using the API / providing a bad example.  Allocating 8KB
> on stack is not a particularly good thing anyway.
>
> What do you think?
>
> Best regards, Ilya Maximets.
>
>
Hi Ilya,

it is reasonable and I don't have a hard preference. I'll send v2 with
bitmap_allocate() instead.

Thanks,
Ales
-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH ovn] ovn-controller: Initialize bitmap to zero.

2024-05-10 Thread Ales Musil
The bitmap used in the update_ct_zones was uninitialized and it could
contain any value besides 0, make sure we initialize it to 0 instead.
This was caught by valgrind:

Conditional jump or move depends on uninitialised value(s)
at 0x44074B: update_ct_zones (ovn-controller.c:812)
by 0x440DC9: en_ct_zones_run (ovn-controller.c:2579)
by 0x468BB7: engine_recompute (inc-proc-eng.c:415)
by 0x46954C: engine_compute (inc-proc-eng.c:454)
by 0x46954C: engine_run_node (inc-proc-eng.c:503)
by 0x46954C: engine_run (inc-proc-eng.c:528)
by 0x40AE9D: main (ovn-controller.c:5776)
Uninitialised value was created by a stack allocation
at 0x440313: update_ct_zones (ovn-controller.c:747)

Fixes: f9cab11d5fab ("Allow explicit setting of the SNAT zone on a gateway 
router.")
Signed-off-by: Ales Musil 
---
 controller/ovn-controller.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 453dc62fd..2388a1c15 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -732,7 +732,7 @@ update_ct_zones(const struct sset *local_lports,
 const char *user;
 struct sset all_users = SSET_INITIALIZER(_users);
 struct simap req_snat_zones = SIMAP_INITIALIZER(_snat_zones);
-unsigned long unreq_snat_zones_map[BITMAP_N_LONGS(MAX_CT_ZONES)];
+unsigned long unreq_snat_zones_map[BITMAP_N_LONGS(MAX_CT_ZONES)] = {0};
 struct simap unreq_snat_zones = SIMAP_INITIALIZER(_snat_zones);
 
 const char *local_lport;
-- 
2.44.0



[ovs-dev] [PATCH ovn 2/2 branch-24.03] northd, controller: Handle tunnel_key change consistently.

2024-05-09 Thread Ales Musil
Currently the tunnel_key change for either LS/LR/LSP/LRP wasn't
handled consistently. That would lead to situations where some old state
would still be present, breaking the connection especially for already
existing FDBs and MAC bindings.

Make sure the FDB entries are up to date by removing them from DB
when there is a tunnel_key change as those entries have only tunnel_key
references (dp_key, port_key).

MAC bindings have references to the datapath and port name, instead of
removing those entries do recompute in the controller when we detect
tunnel_key change. This can be costly at scale, however the tunnel_key
is not expected to change constantly, in most cases it shouldn't change
at all.

Fixes: b337750e45be ("northd: Incremental processing of VIF changes in 'northd' 
node.")
Fixes: 425f699e2b20 ("controller: fixed potential segfault when changing 
tunnel_key and deleting ls.")
Reported-at: https://issues.redhat.com/browse/FDP-393
Acked-by: Mark Michelson 
Signed-off-by: Ales Musil 
Signed-off-by: Numan Siddique 
(cherry picked from commit ddf051cbc6af24c303bf88970750e5c5fe285400)
---
 controller/binding.c| 13 --
 controller/ovn-controller.c | 27 +++
 northd/northd.c |  7 +
 tests/ovn.at| 52 +
 4 files changed, 79 insertions(+), 20 deletions(-)

diff --git a/controller/binding.c b/controller/binding.c
index 8ac2ce3e2..0712d7030 100644
--- a/controller/binding.c
+++ b/controller/binding.c
@@ -3126,8 +3126,17 @@ delete_done:
 update_ld_peers(pb, b_ctx_out->local_datapaths);
 }
 
-handled = handle_updated_port(b_ctx_in, b_ctx_out, pb);
-if (!handled) {
+if (!handle_updated_port(b_ctx_in, b_ctx_out, pb)) {
+handled = false;
+break;
+}
+
+if (!sbrec_port_binding_is_new(pb) &&
+sbrec_port_binding_is_updated(pb,
+  SBREC_PORT_BINDING_COL_TUNNEL_KEY) &&
+get_local_datapath(b_ctx_out->local_datapaths,
+   pb->datapath->tunnel_key)) {
+handled = false;
 break;
 }
 }
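Review bot: The second added `if` sets `handled = false` for a tunnel_key change on an existing port binding, but nothing next to the code says why incremental handling is abandoned there. The commit message gives the reason (MAC bindings reference the datapath and port, so a recompute is done instead); a comment such as `/* tunnel_key changed on a local datapath: fall back to recompute. */` above the condition would keep that with the code. The enclosing loop and function start outside the hunk.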
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index a40712e53..113d3e05c 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -1893,7 +1893,6 @@ runtime_data_sb_datapath_binding_handler(struct 
engine_node *node OVS_UNUSED,
 engine_get_input("SB_datapath_binding", node));
 const struct sbrec_datapath_binding *dp;
 struct ed_type_runtime_data *rt_data = data;
-struct local_datapath *ld;
 
 SBREC_DATAPATH_BINDING_TABLE_FOR_EACH_TRACKED (dp, dp_table) {
 if (sbrec_datapath_binding_is_deleted(dp)) {
@@ -1901,27 +1900,19 @@ runtime_data_sb_datapath_binding_handler(struct 
engine_node *node OVS_UNUSED,
dp->tunnel_key)) {
 return false;
 }
+
+}
+
+if (sbrec_datapath_binding_is_updated(
+dp, SBREC_DATAPATH_BINDING_COL_TUNNEL_KEY) &&
+!sbrec_datapath_binding_is_new(dp)) {
 /* If the tunnel key got updated, get_local_datapath will not find
  * the ld. Use get_local_datapath_no_hash which does not
  * rely on the hash.
  */
-if (sbrec_datapath_binding_is_updated(
-dp, SBREC_DATAPATH_BINDING_COL_TUNNEL_KEY)) {
-if (get_local_datapath_no_hash(_data->local_datapaths,
-   dp->tunnel_key)) {
-return false;
-}
-}
-} else if (sbrec_datapath_binding_is_updated(
-dp, SBREC_DATAPATH_BINDING_COL_TUNNEL_KEY)
-   && !sbrec_datapath_binding_is_new(dp)) {
-/* If the tunnel key is updated, remove the entry (with a wrong
- * hash) from the map. It will be (properly) added back later.
- */
-if ((ld = get_local_datapath_no_hash(_data->local_datapaths,
- dp->tunnel_key))) {
-hmap_remove(_data->local_datapaths, >hmap_node);
-local_datapath_destroy(ld);
+if (get_local_datapath_no_hash(_data->local_datapaths,
+   dp->tunnel_key)) {
+return false;
 }
 }
 }
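Review bot: The blank line added directly before the closing brace of the `sbrec_datapath_binding_is_deleted(dp)` branch looks accidental and can be dropped. The comment kept above `get_local_datapath_no_hash` explains why the hash-free lookup is used, but not that `return false` here is what makes the controller recompute, as the commit message describes; one extra sentence in that comment would cover it. The handler starts outside the hunk.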
diff --git a/northd/northd.c b/northd/northd.c
index 8f20c4be3..a4bd3798b 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -4520,6 +4520,8 @@ ls_handle_lsp_changes(struct ovsdb_idl_txn *ovnsb_idl_txn,
 op->visited = true;
 continue;
 }
+
+uint32_t old_tunnel_key = op->tunnel_key;
 if (!ls_port_reinit(op, ovnsb_idl_t

[ovs-dev] [PATCH ovn 1/2 branch-24.03] tests: Add macro for checking flows after recompute.

2024-05-09 Thread Ales Musil
From: Xavier Simonart 

The macro CHECK_FLOWS_AFTER_RECOMPUTE dumps the Openflows, then
recomputes, then dumps again the Openflows, and finally compares
both sets of flows. The test fails if flows are different.
As of now, the macro cannot be used in all tests: many tests would fail
as I+P does not properly remove flows when the last logical port of
a datapath is deleted.

Signed-off-by: Xavier Simonart 
Acked-by: Ales Musil 
Signed-off-by: Dumitru Ceara 
(cherry picked from commit 69ec36eba074263c43051ade7578792b44518d2c)
---
 tests/ovn-macros.at | 44 
 1 file changed, 44 insertions(+)

diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
index 5b1e37d8a..344fdd69c 100644
--- a/tests/ovn-macros.at
+++ b/tests/ovn-macros.at
@@ -10,6 +10,50 @@ m4_define([OVN_CLEANUP_VSWITCH],[
 OVS_APP_EXIT_AND_WAIT([ovsdb-server])
 ])
 
+# DUMP_FLOWS(sbox, output_file)
+# Dump openflows to output_file for sbox
+m4_define([DUMP_FLOWS], [
+sbox=$1
+output_file=$2
+as $sbox
+ovs-ofctl dump-flows br-int |
+  sed 's/cookie=0x[[^,]]*/cookie=xx/g' |
+  sed 's/duration=[[^,]]*/duration=xx/g' |
+  sed 's/idle_age=[[^,]]*/idle_age=xx/g' |
+  sed 's/, hard_age=[[^,]]*//g' |
+  sed 's/n_bytes=[[^,]]*/n_bytes=xx/g' |
+  sed 's/n_packets=[[^,]]*/n_packets=xx/g' |
+  sed 's/conjunction([[^,]]*/conjunction(xx/g' |
+  sort > $output_file
+])
+
+m4_define([CHECK_FLOWS_AFTER_RECOMPUTE], [
+hv=$1
+sbox=$2
+# Make sure I+P has finalized his job before getting flows and comparing 
them after recompte.
+# Some tests have northd and ovn-nb ovsdb stopped, so avoid ovn-nbctl for 
those.
+if [[ -e ovn-nb/ovn-nb.sock ]] && [[ -e northd/ovn-northd.pid ]]; then
+# Do wait twice to handle some potential race conditions
+check ovn-nbctl --wait=hv sync
+check ovn-nbctl --wait=hv sync
+fi
+
+as $sbox
+if test "$hv" != "vtep"; then
+  # Get flows before and after recompute
+  DUMP_FLOWS([$sbox], [flows-$hv-1])
+
+  check ovn-appctl -t ovn-controller recompute
+  # The recompute might cause some sb changes. Let controller catch up.
+  if [[ -e ovn-nb/ovn-nb.sock ]] && [[ -e northd/ovn-northd.pid ]]; then
+  check ovn-nbctl --wait=hv sync
+  fi
+  DUMP_FLOWS([$sbox], [flows-$hv-2])
+  diff flows-$hv-1 flows-$hv-2 > flow-diff
+  AT_CHECK([test $(diff flows-$hv-1 flows-$hv-2 | wc -l) == 0])
+fi
+])
+
 # OVN_CLEANUP_CONTROLLER(sbox)
 #
 # Gracefully terminate ovn-controller in the specified
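Review bot: The final check in CHECK_FLOWS_AFTER_RECOMPUTE uses `test $(diff flows-$hv-1 flows-$hv-2 | wc -l) == 0`, and `==` is not a POSIX `test` operator, so the result depends on which shell runs the suite. The diff is also computed twice, and the saved `flow-diff` file is never printed, so a failure shows only the failed `test`. `AT_CHECK([diff flows-$hv-1 flows-$hv-2])` fails on any difference and puts the differing flows in the test log. CHECK_FLOWS_AFTER_RECOMPUTE also lacks the usage comment that DUMP_FLOWS has; one line such as `# CHECK_FLOWS_AFTER_RECOMPUTE(hv, sbox)` would match it.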
-- 
2.44.0



Re: [ovs-dev] [PATCH ovn v2 0/4] Mac cache handling refactor

2024-05-07 Thread Ales Musil
On Tue, May 7, 2024 at 6:49 PM Numan Siddique  wrote:

> On Tue, May 7, 2024 at 2:25 AM Ales Musil  wrote:
> >
> > There were two modules in controller mac_cache and mac-learn, both of
> > them did very similar thing with pretty big overlap. The goal of the
> > series is to consolidate and merge both of those modules into single
> > one. That will reduce the duplication and should make it easier for
> > future updates to MAC binding, FDB or packet buffering functionality.
> >
> > There is also fix to properly handle tunnel_key change for LSP, LRP,
> > LR and LS. This was inconsistent and could lead to wrong flows being
> > still present even after the tunnel key change. This is not a huge
> > issue because the tunnel_key is rarelyt changed during runtime.
> >
> > Ales Musil (4):
> >   northd, controller: Handle tunnel_key change consistently.
> >   controller: Rename mac_cache to to mac-cache.
> >   controller: Merge the mac-cache and mac-learn.
> >   controller: Use datapath key for the mac cache thresholds.
>
> Thanks.  I applied the series to the main branch.
> Do we need a backport ?  If so,  I'm inclined to backport the first
> patch only as it fixes the issue.
> Let me know your thoughts.
>

That's correct, only the first patch should be backported.


>
> Numan
>
>
> >
> >  controller/automake.mk  |   6 +-
> >  controller/binding.c|  13 +-
> >  controller/mac-cache.c  | 745 
> >  controller/mac-cache.h  | 210 ++
> >  controller/mac-learn.c  | 482 ---
> >  controller/mac-learn.h  | 145 ---
> >  controller/mac_cache.c  | 547 --
> >  controller/mac_cache.h  | 124 --
> >  controller/ovn-controller.c | 214 +++
> >  controller/pinctrl.c| 165 
> >  controller/statctrl.c   |   7 +-
> >  controller/statctrl.h   |   2 +-
> >  northd/northd.c |   7 +
> >  tests/ovn.at|  56 ++-
> >  14 files changed, 1253 insertions(+), 1470 deletions(-)
> >  create mode 100644 controller/mac-cache.c
> >  create mode 100644 controller/mac-cache.h
> >  delete mode 100644 controller/mac-learn.c
> >  delete mode 100644 controller/mac-learn.h
> >  delete mode 100644 controller/mac_cache.c
> >  delete mode 100644 controller/mac_cache.h
> >
> > --
> > 2.44.0
> >
> > ___
> > dev mailing list
> > d...@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >
>
>
Thanks,
Ales

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH ovn v2 3/4] controller: Merge the mac-cache and mac-learn.

2024-05-07 Thread Ales Musil
Merge mac-cache and mac-learn into single module. Both of those
modules contained very similar functionality with some small
differences. By merging those we have unified interface to deal
with FDB and MAC binding.

Acked-by: Mark Michelson 
Signed-off-by: Ales Musil 
---
v2: Rebase on top of main.
---
 controller/automake.mk  |   2 -
 controller/mac-cache.c  | 588 
 controller/mac-cache.h  | 165 +++---
 controller/mac-learn.c  | 482 -
 controller/mac-learn.h  | 145 -
 controller/ovn-controller.c | 104 +--
 controller/pinctrl.c| 165 +-
 controller/statctrl.c   |   5 +-
 8 files changed, 697 insertions(+), 959 deletions(-)
 delete mode 100644 controller/mac-learn.c
 delete mode 100644 controller/mac-learn.h

diff --git a/controller/automake.mk b/controller/automake.mk
index 2eeca718a..1b1b3aeb1 100644
--- a/controller/automake.mk
+++ b/controller/automake.mk
@@ -36,8 +36,6 @@ controller_ovn_controller_SOURCES = \
controller/ovn-controller.h \
controller/physical.c \
controller/physical.h \
-   controller/mac-learn.c \
-   controller/mac-learn.h \
controller/local_data.c \
controller/local_data.h \
controller/ovsport.h \
diff --git a/controller/mac-cache.c b/controller/mac-cache.c
index 1515e0ec2..c52f913ce 100644
--- a/controller/mac-cache.c
+++ b/controller/mac-cache.c
@@ -25,29 +25,20 @@
 
 VLOG_DEFINE_THIS_MODULE(mac_cache);
 
+#define MAX_BUFFERED_PACKETS1000
+#define BUFFER_QUEUE_DEPTH  4
+#define BUFFERED_PACKETS_TIMEOUT_MS 1
+#define BUFFERED_PACKETS_LOOKUP_MS  100
+
 static uint32_t
-mac_cache_mb_data_hash(const struct mac_cache_mb_data *mb_data);
+mac_binding_data_hash(const struct mac_binding_data *mb_data);
 static inline bool
-mac_cache_mb_data_equals(const struct mac_cache_mb_data *a,
-  const struct mac_cache_mb_data *b);
-static struct mac_cache_mac_binding *
-mac_cache_mac_binding_find(struct mac_cache_data *data,
-   const struct mac_cache_mb_data *mb_data);
-static bool
-mac_cache_mb_data_from_sbrec(struct mac_cache_mb_data *data,
-  const struct sbrec_mac_binding *mb,
-  struct ovsdb_idl_index *sbrec_pb_by_name);
+mac_binding_data_equals(const struct mac_binding_data *a,
+const struct mac_binding_data *b);
 static uint32_t
-mac_cache_fdb_data_hash(const struct mac_cache_fdb_data *fdb_data);
+fdb_data_hash(const struct fdb_data *fdb_data);
 static inline bool
-mac_cache_fdb_data_equals(const struct mac_cache_fdb_data *a,
-  const struct mac_cache_fdb_data *b);
-static bool
-mac_cache_fdb_data_from_sbrec(struct mac_cache_fdb_data *data,
-  const struct sbrec_fdb *fdb);
-static struct mac_cache_fdb *
-mac_cache_fdb_find(struct mac_cache_data *data,
-   const struct mac_cache_fdb_data *fdb_data);
+fdb_data_equals(const struct fdb_data *a, const struct fdb_data *b);
 static struct mac_cache_threshold *
 mac_cache_threshold_find(struct hmap *thresholds, const struct uuid *uuid);
 static uint64_t
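Review bot: The four limits added at the top of this hunk (`MAX_BUFFERED_PACKETS`, `BUFFER_QUEUE_DEPTH`, `BUFFERED_PACKETS_TIMEOUT_MS`, `BUFFERED_PACKETS_LOOKUP_MS`) have no comment saying what each one bounds. Judging by the names alone, they cap how many packets are held while a MAC binding is unresolved and for how long, which would be what keeps that buffer from growing with unanswered traffic. A short comment per define would make that contract reviewable, for example `/* Upper bound on entries held while waiting for a MAC binding. */` if that is indeed what the first one limits.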
@@ -59,6 +50,23 @@ mac_cache_threshold_remove(struct hmap *thresholds,
 static void
 mac_cache_update_req_delay(struct hmap *thresholds, uint64_t *req_delay);
 
+static struct buffered_packets *
+buffered_packets_find(struct buffered_packets_ctx *ctx,
+  const struct mac_binding_data *mb_data);
+
+static void
+buffered_packets_remove(struct buffered_packets_ctx *ctx,
+struct buffered_packets *bp);
+
+static void
+buffered_packets_db_lookup(struct buffered_packets *bp,
+   struct ds *ip, struct eth_addr *mac,
+   struct ovsdb_idl_index *sbrec_pb_by_key,
+   struct ovsdb_idl_index *sbrec_dp_by_key,
+   struct ovsdb_idl_index *sbrec_pb_by_name,
+   struct ovsdb_idl_index *sbrec_mb_by_lport_ip);
+
+/* Thresholds. */
 bool
 mac_cache_threshold_add(struct mac_cache_data *data,
 const struct sbrec_datapath_binding *dp,
@@ -113,50 +121,78 @@ mac_cache_thresholds_clear(struct mac_cache_data *data)
 }
 }
 
-void
-mac_cache_mac_binding_add(struct mac_cache_data *data,
-   const struct sbrec_mac_binding *mb,
-   struct ovsdb_idl_index *sbrec_pb_by_name)
-{
-struct mac_cache_mb_data mb_data;
-if (!mac_cache_mb_data_from_sbrec(_data, mb, sbrec_pb_by_name)) {
-return;
-}
+/* MAC binding. */
+struct mac_binding *
+mac_binding_add(struct hmap *map, struct mac_binding_data mb_data,
+long long timestamp) {
 
-struct mac_cache_mac_binding *mc_mb = mac_cache_mac_binding_find(data,
- _data

[ovs-dev] [PATCH ovn v2 4/4] controller: Use datapath key for the mac cache thresholds.

2024-05-07 Thread Ales Musil
Use datapath tunnel key instead of UUID for the mac cache threshold
handling. At the same time simplify the thresholds into single hmap.
The tunnel key is unique so there shouldn't be any overlap. Having
two thresholds per datapath is currently invalid configuration anyway.

The switch to datapath's tunnel key requires somewhat costly
synchronization when the tunnel key changes. However, this is fine as
the key shouldn't change very often; in some cases it won't change at
all.

Also fix wrong check in the aging tests that would ignore failure.

Acked-by: Mark Michelson 
Signed-off-by: Ales Musil 
---
v2: Rebase on top of main.
---
 controller/mac-cache.c  | 132 ++--
 controller/mac-cache.h  |  29 
 controller/ovn-controller.c | 105 +---
 tests/ovn.at|   4 +-
 4 files changed, 128 insertions(+), 142 deletions(-)

diff --git a/controller/mac-cache.c b/controller/mac-cache.c
index c52f913ce..d8c4e2aed 100644
--- a/controller/mac-cache.c
+++ b/controller/mac-cache.c
@@ -16,6 +16,7 @@
 #include 
 #include 
 
+#include "local_data.h"
 #include "lport.h"
 #include "mac-cache.h"
 #include "openvswitch/hmap.h"
@@ -39,11 +40,8 @@ static uint32_t
 fdb_data_hash(const struct fdb_data *fdb_data);
 static inline bool
 fdb_data_equals(const struct fdb_data *a, const struct fdb_data *b);
-static struct mac_cache_threshold *
-mac_cache_threshold_find(struct hmap *thresholds, const struct uuid *uuid);
 static uint64_t
-mac_cache_threshold_get_value_ms(const struct sbrec_datapath_binding *dp,
- enum mac_cache_type type);
+mac_cache_threshold_get_value_ms(const struct sbrec_datapath_binding *dp);
 static void
 mac_cache_threshold_remove(struct hmap *thresholds,
struct mac_cache_threshold *threshold);
@@ -67,60 +65,82 @@ buffered_packets_db_lookup(struct buffered_packets *bp,
struct ovsdb_idl_index *sbrec_mb_by_lport_ip);
 
 /* Thresholds. */
-bool
+void
 mac_cache_threshold_add(struct mac_cache_data *data,
-const struct sbrec_datapath_binding *dp,
-enum mac_cache_type type)
+const struct sbrec_datapath_binding *dp)
 {
-struct hmap *thresholds = >thresholds[type];
 struct mac_cache_threshold *threshold =
-mac_cache_threshold_find(thresholds, >header_.uuid);
+mac_cache_threshold_find(data, dp->tunnel_key);
 if (threshold) {
-return true;
+return;
 }
 
-uint64_t value = mac_cache_threshold_get_value_ms(dp, type);
+uint64_t value = mac_cache_threshold_get_value_ms(dp);
 if (!value) {
-return false;
+return;
 }
 
 threshold = xmalloc(sizeof *threshold);
-threshold->uuid = dp->header_.uuid;
+threshold->dp_key = dp->tunnel_key;
 threshold->value = value;
 threshold->dump_period = (3 * value) / 4;
 
-hmap_insert(thresholds, >hmap_node,
-uuid_hash(>header_.uuid));
-
-return true;
+hmap_insert(>thresholds, >hmap_node, dp->tunnel_key);
 }
 
-bool
+void
 mac_cache_threshold_replace(struct mac_cache_data *data,
 const struct sbrec_datapath_binding *dp,
-enum mac_cache_type type)
+const struct hmap *local_datapaths)
 {
-struct hmap *thresholds = >thresholds[type];
 struct mac_cache_threshold *threshold =
-mac_cache_threshold_find(thresholds, >header_.uuid);
+mac_cache_threshold_find(data, dp->tunnel_key);
 if (threshold) {
-mac_cache_threshold_remove(thresholds, threshold);
+mac_cache_threshold_remove(>thresholds, threshold);
+}
+
+if (!get_local_datapath(local_datapaths, dp->tunnel_key)) {
+return;
 }
 
-return mac_cache_threshold_add(data, dp, type);
+mac_cache_threshold_add(data, dp);
+}
+
+
+struct mac_cache_threshold *
+mac_cache_threshold_find(struct mac_cache_data *data, uint32_t dp_key)
+{
+struct mac_cache_threshold *threshold;
+HMAP_FOR_EACH_WITH_HASH (threshold, hmap_node, dp_key, >thresholds) {
+if (threshold->dp_key == dp_key) {
+return threshold;
+}
+}
+
+return NULL;
 }
 
 void
-mac_cache_thresholds_clear(struct mac_cache_data *data)
+mac_cache_thresholds_sync(struct mac_cache_data *data,
+  const struct hmap *local_datapaths)
 {
-for (size_t i = 0; i < MAC_CACHE_MAX; i++) {
-struct mac_cache_threshold *threshold;
-HMAP_FOR_EACH_POP (threshold, hmap_node, >thresholds[i]) {
-free(threshold);
+struct mac_cache_threshold *threshold;
+HMAP_FOR_EACH_SAFE (threshold, hmap_node, >thresholds) {
+if (!get_local_datapath(local_datapaths, threshold->dp_key)) {
+ 

[ovs-dev] [PATCH ovn v2 2/4] controller: Rename mac_cache to to mac-cache.

2024-05-07 Thread Ales Musil
For consistency rename the mac_cache.c/.h to mac-cache.c/.h.

Acked-by: Mark Michelson 
Signed-off-by: Ales Musil 
---
v2: Rebase on top of main.
---
 controller/automake.mk  | 4 ++--
 controller/{mac_cache.c => mac-cache.c} | 2 +-
 controller/{mac_cache.h => mac-cache.h} | 2 +-
 controller/ovn-controller.c | 2 +-
 controller/statctrl.c   | 2 +-
 controller/statctrl.h   | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
 rename controller/{mac_cache.c => mac-cache.c} (99%)
 rename controller/{mac_cache.h => mac-cache.h} (99%)

diff --git a/controller/automake.mk b/controller/automake.mk
index a17ff0d60..2eeca718a 100644
--- a/controller/automake.mk
+++ b/controller/automake.mk
@@ -46,8 +46,8 @@ controller_ovn_controller_SOURCES = \
controller/vif-plug.c \
controller/mirror.h \
controller/mirror.c \
-   controller/mac_cache.h \
-   controller/mac_cache.c \
+   controller/mac-cache.h \
+   controller/mac-cache.c \
controller/statctrl.h \
controller/statctrl.c
 
diff --git a/controller/mac_cache.c b/controller/mac-cache.c
similarity index 99%
rename from controller/mac_cache.c
rename to controller/mac-cache.c
index 7e4feeed7..1515e0ec2 100644
--- a/controller/mac_cache.c
+++ b/controller/mac-cache.c
@@ -17,7 +17,7 @@
 #include 
 
 #include "lport.h"
-#include "mac_cache.h"
+#include "mac-cache.h"
 #include "openvswitch/hmap.h"
 #include "openvswitch/vlog.h"
 #include "ovn/logical-fields.h"
diff --git a/controller/mac_cache.h b/controller/mac-cache.h
similarity index 99%
rename from controller/mac_cache.h
rename to controller/mac-cache.h
index ea8aa7c1b..644ac8be2 100644
--- a/controller/mac_cache.h
+++ b/controller/mac-cache.h
@@ -121,4 +121,4 @@ void mac_cache_fdb_stats_run(struct ovs_list *stats_list, 
uint64_t *req_delay,
 
 void mac_cache_stats_destroy(struct ovs_list *stats_list);
 
-#endif /* controller/mac_cache.h */
+#endif /* controller/mac-cache.h */
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 356ce881a..cde45e35e 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -83,7 +83,7 @@
 #include "lib/ovn-l7.h"
 #include "hmapx.h"
 #include "mirror.h"
-#include "mac_cache.h"
+#include "mac-cache.h"
 #include "statctrl.h"
 #include "lib/dns-resolve.h"
 
diff --git a/controller/statctrl.c b/controller/statctrl.c
index 8cce97df8..cce31cce6 100644
--- a/controller/statctrl.c
+++ b/controller/statctrl.c
@@ -19,7 +19,7 @@
 #include "dirs.h"
 #include "latch.h"
 #include "lflow.h"
-#include "mac_cache.h"
+#include "mac-cache.h"
 #include "openvswitch/ofp-errors.h"
 #include "openvswitch/ofp-flow.h"
 #include "openvswitch/ofp-msgs.h"
diff --git a/controller/statctrl.h b/controller/statctrl.h
index c5cede353..f34da6bde 100644
--- a/controller/statctrl.h
+++ b/controller/statctrl.h
@@ -16,7 +16,7 @@
 #ifndef STATCTRL_H
 #define STATCTRL_H
 
-#include "mac_cache.h"
+#include "mac-cache.h"
 
 void statctrl_init(void);
 void statctrl_run(struct ovsdb_idl_txn *ovnsb_idl_txn,
-- 
2.44.0



[ovs-dev] [PATCH ovn v2 1/4] northd, controller: Handle tunnel_key change consistently.

2024-05-07 Thread Ales Musil
Currently the tunnel_key change for either LS/LR/LSP/LRP wasn't
handled consistently. That would lead to situations where some old
state would still be present, breaking the connection especially for
already existing FDBs and MAC bindings.

Make sure the FDB entries are up to date by removing them from DB
when there is a tunnel_key change as those entries have only tunnel_key
references (dp_key, port_key).

MAC bindings have references to the datapath and port name, instead of
removing those entries do recompute in the controller when we detect
tunnel_key change. This can be costly at scale, however the tunnel_key
is not expected to change constantly, in most cases it shouldn't change
at all.

Fixes: b337750e45be ("northd: Incremental processing of VIF changes in 'northd' 
node.")
Fixes: 425f699e2b20 ("controller: fixed potential segfault when changing 
tunnel_key and deleting ls.")
Reported-at: https://issues.redhat.com/browse/FDP-393
Acked-by: Mark Michelson 
Signed-off-by: Ales Musil 
---
v2: Rebase on top of main.
---
 controller/binding.c| 13 --
 controller/ovn-controller.c | 27 +++
 northd/northd.c |  7 +
 tests/ovn.at| 52 +
 4 files changed, 79 insertions(+), 20 deletions(-)

diff --git a/controller/binding.c b/controller/binding.c
index 8ac2ce3e2..0712d7030 100644
--- a/controller/binding.c
+++ b/controller/binding.c
@@ -3126,8 +3126,17 @@ delete_done:
 update_ld_peers(pb, b_ctx_out->local_datapaths);
 }
 
-handled = handle_updated_port(b_ctx_in, b_ctx_out, pb);
-if (!handled) {
+if (!handle_updated_port(b_ctx_in, b_ctx_out, pb)) {
+handled = false;
+break;
+}
+
+if (!sbrec_port_binding_is_new(pb) &&
+sbrec_port_binding_is_updated(pb,
+  SBREC_PORT_BINDING_COL_TUNNEL_KEY) &&
+get_local_datapath(b_ctx_out->local_datapaths,
+   pb->datapath->tunnel_key)) {
+handled = false;
 break;
 }
 }
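Review bot: The second added condition (`!sbrec_port_binding_is_new(pb) && sbrec_port_binding_is_updated(pb, SBREC_PORT_BINDING_COL_TUNNEL_KEY) && get_local_datapath(...)`) has no comment saying why a tunnel key update on a local datapath is reported as unhandled. The commit message gives the reason: the controller recomputes so that state tied to the old key does not linger. That belongs next to the check, e.g. `/* Port tunnel key changed on a local datapath: fall back to recompute. */`. The enclosing function starts and ends outside the hunk.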
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 23269af83..356ce881a 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -1894,7 +1894,6 @@ runtime_data_sb_datapath_binding_handler(struct 
engine_node *node OVS_UNUSED,
 engine_get_input("SB_datapath_binding", node));
 const struct sbrec_datapath_binding *dp;
 struct ed_type_runtime_data *rt_data = data;
-struct local_datapath *ld;
 
 SBREC_DATAPATH_BINDING_TABLE_FOR_EACH_TRACKED (dp, dp_table) {
 if (sbrec_datapath_binding_is_deleted(dp)) {
@@ -1902,27 +1901,19 @@ runtime_data_sb_datapath_binding_handler(struct 
engine_node *node OVS_UNUSED,
dp->tunnel_key)) {
 return false;
 }
+
+}
+
+if (sbrec_datapath_binding_is_updated(
+dp, SBREC_DATAPATH_BINDING_COL_TUNNEL_KEY) &&
+!sbrec_datapath_binding_is_new(dp)) {
 /* If the tunnel key got updated, get_local_datapath will not find
  * the ld. Use get_local_datapath_no_hash which does not
  * rely on the hash.
  */
-if (sbrec_datapath_binding_is_updated(
-dp, SBREC_DATAPATH_BINDING_COL_TUNNEL_KEY)) {
-if (get_local_datapath_no_hash(_data->local_datapaths,
-   dp->tunnel_key)) {
-return false;
-}
-}
-} else if (sbrec_datapath_binding_is_updated(
-dp, SBREC_DATAPATH_BINDING_COL_TUNNEL_KEY)
-   && !sbrec_datapath_binding_is_new(dp)) {
-/* If the tunnel key is updated, remove the entry (with a wrong
- * hash) from the map. It will be (properly) added back later.
- */
-if ((ld = get_local_datapath_no_hash(_data->local_datapaths,
- dp->tunnel_key))) {
-hmap_remove(_data->local_datapaths, >hmap_node);
-local_datapath_destroy(ld);
+if (get_local_datapath_no_hash(_data->local_datapaths,
+   dp->tunnel_key)) {
+return false;
 }
 }
 }
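Review bot: The comment kept above the `get_local_datapath_no_hash()` call explains why the hashed lookup cannot be used, but it no longer says what the handler does about the stale entry. The removed branch dropped the entry in place, while the new code returns false, presumably to force a recompute as the commit message describes. A sentence such as `Return false so the runtime data is recomputed instead of patching the map in place.` would record that. The empty line added before the closing brace of the `sbrec_datapath_binding_is_deleted(dp)` branch looks unintentional. The function body starts outside the hunk.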
diff --git a/northd/northd.c b/northd/northd.c
index 133cddb69..0cabda7ea 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -4550,6 +4550,8 @@ ls_handle_lsp_changes(struct ovsdb_idl_txn *ovnsb_idl_txn,
 op->visited = true;
 continue;
 }
+
+uint32_t old_tunnel_key = op->tunnel_key;
 if (!ls_port_reinit(op, ovnsb_idl_txn,
 new_nbsp,
   

[ovs-dev] [PATCH ovn v2 0/4] Mac cache handling refactor

2024-05-07 Thread Ales Musil
There were two modules in controller mac_cache and mac-learn, both of
them did very similar thing with pretty big overlap. The goal of the
series is to consolidate and merge both of those modules into single
one. That will reduce the duplication and should make it easier for
future updates to MAC binding, FDB or packet buffering functionality.

There is also a fix to properly handle tunnel_key change for LSP, LRP,
LR and LS. This was inconsistent and could lead to wrong flows still
being present even after the tunnel key change. This is not a huge
issue because the tunnel_key is rarely changed during runtime.

Ales Musil (4):
  northd, controller: Handle tunnel_key change consistently.
  controller: Rename mac_cache to to mac-cache.
  controller: Merge the mac-cache and mac-learn.
  controller: Use datapath key for the mac cache thresholds.

 controller/automake.mk  |   6 +-
 controller/binding.c|  13 +-
 controller/mac-cache.c  | 745 
 controller/mac-cache.h  | 210 ++
 controller/mac-learn.c  | 482 ---
 controller/mac-learn.h  | 145 ---
 controller/mac_cache.c  | 547 --
 controller/mac_cache.h  | 124 --
 controller/ovn-controller.c | 214 +++
 controller/pinctrl.c| 165 
 controller/statctrl.c   |   7 +-
 controller/statctrl.h   |   2 +-
 northd/northd.c |   7 +
 tests/ovn.at|  56 ++-
 14 files changed, 1253 insertions(+), 1470 deletions(-)
 create mode 100644 controller/mac-cache.c
 create mode 100644 controller/mac-cache.h
 delete mode 100644 controller/mac-learn.c
 delete mode 100644 controller/mac-learn.h
 delete mode 100644 controller/mac_cache.c
 delete mode 100644 controller/mac_cache.h

-- 
2.44.0



Re: [ovs-dev] [PATCH ovn v4] controller: Track individual address set constants.

2024-05-06 Thread Ales Musil
On Mon, May 6, 2024 at 8:41 PM Han Zhou  wrote:

>
>
> On Thu, May 2, 2024 at 10:35 PM Ales Musil  wrote:
> >
> > On Thu, May 2, 2024 at 6:23 PM Han Zhou  wrote:
> > >
> > >
> > >
> > > On Thu, May 2, 2024 at 6:29 AM Ales Musil  wrote:
> > > >
> > > > Instead of tracking address set per struct expr_constant_set track it
> > > > per individual struct expr_constant. This allows more fine grained
> > > > control for I-P processing of address sets in controller. It helps
> with
> > > > scenarios like matching on two address sets in one expression e.g.
> > > > "ip4.src == {$as1, $as2}". This allows any addition or removal of
> > > > individual adress from the set to be incrementally processed instead
> > > > of reprocessing all the flows.
> > > >
> > > > This unfortunately doesn't help with the following flows:
> > > > "ip4.src == $as1 && ip4.dst == $as2"
> > > > "ip4.src == $as1 || ip4.dst == $as2"
> > > >
> > > > The memory impact should be minimal as there is only increase of 8
> bytes
> > > > per the struct expr_constant.
> > > >
> > > > Reported-at: https://issues.redhat.com/browse/FDP-509
> > > > Signed-off-by: Ales Musil 
> > > > ---
> > > > v4: Rebase on top of current main.
> > > > Update the "lflow_handle_addr_set_update" comment according to
> suggestion from Han.
> > >
> > > Thanks Ales. I updated the commit message for the same, and applied to
> main branch.
> > >
> > > Regards,
> > > Han
> > >
> > > > v3: Rebase on top of current main.
> > > > Address comments from Han:
> > > > - Adjust the comment for "lflow_handle_addr_set_update" to
> include remaning corner cases.
> > > > - Make sure that the flows are consistent between I-P and
> recompute.
> > > > v2: Rebase on top of current main.
> > > > Adjust the comment for I-P optimization.
> > > > ---
> > > >  controller/lflow.c  | 11 ++---
> > > >  include/ovn/actions.h   |  2 +-
> > > >  include/ovn/expr.h  | 46 ++-
> > > >  lib/actions.c   | 20 -
> > > >  lib/expr.c  | 99
> +
> > > >  tests/ovn-controller.at | 79 +---
> > > >  6 files changed, 154 insertions(+), 103 deletions(-)
> > > >
> > > > diff --git a/controller/lflow.c b/controller/lflow.c
> > > > index 760ec0b41..1e05665a1 100644
> > > > --- a/controller/lflow.c
> > > > +++ b/controller/lflow.c
> > > > @@ -278,7 +278,7 @@ lflow_handle_changed_flows(struct lflow_ctx_in
> *l_ctx_in,
> > > >  }
> > > >
> > > >  static bool
> > > > -as_info_from_expr_const(const char *as_name, const union
> expr_constant *c,
> > > > +as_info_from_expr_const(const char *as_name, const struct
> expr_constant *c,
> > > >  struct addrset_info *as_info)
> > > >  {
> > > >  as_info->name = as_name;
> > > > @@ -644,14 +644,11 @@ as_update_can_be_handled(const char *as_name,
> struct addr_set_diff *as_diff,
> > > >   *generated.
> > > >   *
> > > >   *  - The sub expression of the address set is combined with
> other sub-
> > > > - *expressions/constants, usually because of disjunctions
> between
> > > > - *sub-expressions/constants, e.g.:
> > > > + *expressions/constants on different fields, e.g.:
> > > >   *
> > > >   *  ip.src == $as1 || ip.dst == $as2
> > > > - *  ip.src == {$as1, $as2}
> > > > - *  ip.src == {$as1, ip1}
> > > >   *
> > > > - *All these could have been split into separate lflows.
> > > > + *This could have been split into separate lflows.
> > > >   *
> > > >   *  - Conjunctions overlapping between lflows, which can be
> caused by
> > > >   *overlapping address sets or same address set used by
> multiple lflows
> > > > @@ -714,7 +711,7 @@ lflow_handle_addr_set_update(const char *as_name,
> > > >  if (as_diff->deleted) {
> > > >  struct addrset_info as_info;
> > > >  for 

[ovs-dev] [PATCH ovn] controller: Avoid use after free in LB I-P.

2024-05-06 Thread Ales Musil
Avoid use after free in scenario when controller received LB deletion
after the DB was reconnected. The reconnect led to idl clearing up
the "old" structs, one of them being the LB. However, during recompute
the struct was referenced when it was already gone.

Clear the whole objdep_mgr instead of going one-by-one during recompute.

==143949==ERROR: AddressSanitizer: heap-use-after-free
READ of size 4 at 0x513280d0 thread T0
0 0x61c3c9 in lb_data_local_lb_remove controller/ovn-controller.c:2978:5
1 0x5fd4df in en_lb_data_run controller/ovn-controller.c:3063:9
2 0x6fe0d9 in engine_recompute lib/inc-proc-eng.c:415:5
3 0x6fbdc2 in engine_run_node lib/inc-proc-eng.c:477:9
4 0x6fbdc2 in engine_run lib/inc-proc-eng.c:528:9
5 0x5f39a0 in main controller/ovn-controller.c

Fixes: 8382127186bf ("controller: Store load balancer data in separate node")
Reported-at: https://issues.redhat.com/browse/FDP-610
Signed-off-by: Ales Musil 
---
 controller/ovn-controller.c | 20 +--
 tests/ovn-controller.at | 38 +
 2 files changed, 48 insertions(+), 10 deletions(-)

diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 23269af83..65b9ba8e5 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -2972,7 +2972,7 @@ lb_data_local_lb_add(struct ed_type_lb_data *lb_data,
 
 static void
 lb_data_local_lb_remove(struct ed_type_lb_data *lb_data,
-struct ovn_controller_lb *lb, bool tracked)
+struct ovn_controller_lb *lb)
 {
 const struct uuid *uuid = >slb->header_.uuid;
 
@@ -2981,12 +2981,8 @@ lb_data_local_lb_remove(struct ed_type_lb_data *lb_data,
 
 lb_data_removed_five_tuples_add(lb_data, lb);
 
-if (tracked) {
-hmap_insert(_data->old_lbs, >hmap_node, uuid_hash(uuid));
-uuidset_insert(_data->deleted, uuid);
-} else {
-ovn_controller_lb_destroy(lb);
-}
+hmap_insert(_data->old_lbs, >hmap_node, uuid_hash(uuid));
+uuidset_insert(_data->deleted, uuid);
 }
 
 static bool
@@ -3011,7 +3007,7 @@ lb_data_handle_changed_ref(enum objdep_type type, const 
char *res_name,
 continue;
 }
 
-lb_data_local_lb_remove(lb_data, lb, true);
+lb_data_local_lb_remove(lb_data, lb);
 
 const struct sbrec_load_balancer *sbrec_lb =
 sbrec_load_balancer_table_get_for_uuid(ctx_in->lb_table, uuid);
@@ -3057,9 +3053,13 @@ en_lb_data_run(struct engine_node *node, void *data)
 const struct sbrec_load_balancer_table *lb_table =
 EN_OVSDB_GET(engine_get_input("SB_load_balancer", node));
 
+objdep_mgr_clear(_data->deps_mgr);
+
 struct ovn_controller_lb *lb;
 HMAP_FOR_EACH_SAFE (lb, hmap_node, _data->local_lbs) {
-lb_data_local_lb_remove(lb_data, lb, false);
+hmap_remove(_data->local_lbs, >hmap_node);
+lb_data_removed_five_tuples_add(lb_data, lb);
+ovn_controller_lb_destroy(lb);
 }
 
 const struct sbrec_load_balancer *sbrec_lb;
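Review bot: The rewritten loop still hands each old `lb` to `lb_data_removed_five_tuples_add()` and `ovn_controller_lb_destroy()`, and the hunk does not show whether either of them reads `lb->slb`. The commit message says the IDL row behind that pointer may already be freed after a reconnect, so the fix holds only while nothing on this recompute path dereferences `lb->slb`. A comment above the loop would keep that invariant visible, e.g. `/* lb->slb may point to a freed IDL row after an SB reconnect; do not dereference it here. */`. The same constraint applies to `lb_data_local_lb_remove()`, which after this patch always derives the uuid from `lb->slb` and so should be documented as valid only for tracked changes. The body of `en_lb_data_run` continues outside the hunk.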
@@ -3097,7 +3097,7 @@ lb_data_sb_load_balancer_handler(struct engine_node 
*node, void *data)
 continue;
 }
 
-lb_data_local_lb_remove(lb_data, lb, true);
+lb_data_local_lb_remove(lb_data, lb);
 }
 
 if (sbrec_load_balancer_is_deleted(sbrec_lb) ||
diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
index 27cec2aec..cecbc190b 100644
--- a/tests/ovn-controller.at
+++ b/tests/ovn-controller.at
@@ -2973,3 +2973,41 @@ priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 
actions=load:0x1->OXM_OF
 
 OVN_CLEANUP([hv1])
 AT_CLEANUP
+
+AT_SETUP([ovn-controller - LB remove after disconnect])
+ovn_start
+
+net_add n1
+sim_add hv1
+as hv1
+check ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.1
+check ovs-vsctl -- add-port br-int vif1 -- \
+set interface vif1 external-ids:iface-id=lsp
+
+check ovs-vsctl set Open_vSwitch . 
external-ids:ovn-remote-probe-interval="5000"
+
+check ovn-nbctl ls-add ls
+check ovn-nbctl lsp-add ls lsp \
+-- lsp-set-addresses lsp "f0:00:00:00:00:01 172.16.0.10"
+
+check ovn-nbctl lb-add lb 192.168.100.100 172.16.0.10
+check ovn-nbctl ls-lb-add ls lb
+
+wait_for_ports_up
+check ovn-nbctl --wait=hv sync
+
+sleep_sb
+OVS_WAIT_UNTIL([grep -q 'OVNSB commit failed' hv1/ovn-controller.log])
+
+sleep_controller hv1
+wake_up_sb
+
+ovn-nbctl lb-del lb
+
+wake_up_controller hv1
+check ovn-nbctl --wait=hv sync
+
+OVN_CLEANUP([hv1
+/no response to inactivity probe after .* seconds, disconnecting/d])
+AT_CLEANUP
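Review bot: `ovn-nbctl lb-del lb` is the only northbound command in the new test that is not wrapped in `check`, so a failed deletion would go unnoticed and the test could pass without exercising the removal path; `check ovn-nbctl lb-del lb` closes that gap. The test also asserts nothing of its own after `wake_up_controller hv1` beyond the final sync. It therefore presumably catches the use after free only when the controller crashes or the suite runs under AddressSanitizer, and a short comment above `AT_SETUP` saying so would tell readers what a pass means.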
-- 
2.44.0



[ovs-dev] [PATCH ovn 3/3] northd: Use the NAT match column.

2024-05-03 Thread Ales Musil
Use the newly added NAT match and priority column in logical flows.
This allows to differentiate between various scenarios and more
fine-grained control over the resulting translation. The flows with
the extra match have higher priority than regular flows as the
flows without match are subset of the flows with match, the priority
is calculated as 300 + priority column.

Reported-at: https://issues.redhat.com/browse/FDP-433
Signed-off-by: Ales Musil 
---
 northd/northd.c |  31 +++--
 northd/ovn-northd.8.xml |  31 +
 tests/ovn-northd.at |  79 
 tests/system-ovn.at | 272 
 4 files changed, 406 insertions(+), 7 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index a883c3e08..a7e8c34c1 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -11544,9 +11544,14 @@ lrouter_dnat_and_snat_is_stateless(const struct 
nbrec_nat *nat)
 }
 
 static inline uint16_t
-lrouter_nat_get_priority(const struct ovn_datapath *od, bool is_dnat,
+lrouter_nat_get_priority(const struct ovn_datapath *od,
+ const struct nbrec_nat *nat, bool is_dnat,
  uint16_t prefix_len)
 {
+if (nat->match[0]) {
+return 300 + nat->priority;
+}
+
 if (is_dnat) {
 return 100;
 }
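Review bot: `return 300 + nat->priority;` sits in a function that returns `uint16_t`, and the caller in `lrouter_nat_add_ext_ip_match` adds 2 more to the result. Nothing in this hunk bounds `nat->priority`, so unless the NB schema constrains the column, a large value wraps silently and the flow lands at an unintended priority relative to the other NAT flows. Either clamp or reject out-of-range values here, or state the schema bound in a comment next to the return. `nat->match[0]` also assumes `match` is never NULL, which is worth confirming against how the column is declared. The function body continues past the hunk.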
@@ -11608,7 +11613,7 @@ lrouter_nat_add_ext_ip_match(const struct ovn_datapath 
*od,
  *
  */
 uint16_t priority =
-lrouter_nat_get_priority(od, is_src, cidr_bits) + 2;
+lrouter_nat_get_priority(od, nat, is_src, cidr_bits) + 2;
 
 ds_clone(_exempt, match);
 ds_put_format(_exempt, " && ip%s.%s == $%s",
@@ -14561,6 +14566,7 @@ build_lrouter_in_dnat_flow(struct lflow_table *lflows,
 const char *nat_action = lrouter_use_common_zone(od)
  ? "ct_dnat_in_czone"
  : "ct_dnat";
+uint16_t priority = lrouter_nat_get_priority(od, nat, true, cidr_bits);
 
 ds_put_format(match, "ip && ip%c.dst == %s", is_v6 ? '6' : '4',
   nat->external_ip);
@@ -14607,8 +14613,11 @@ build_lrouter_in_dnat_flow(struct lflow_table *lflows,
 ds_put_format(actions, ");");
 }
 
-ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT,
-lrouter_nat_get_priority(od, true, cidr_bits),
+if (!lrouter_use_common_zone(od) && nat->match[0]) {
+ds_put_format(match, " && (%s)", nat->match);
+}
+
+ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, priority,
 ds_cstr(match), ds_cstr(actions),
 >header_, lflow_ref);
 }
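Review bot: The extra match is appended only when `!lrouter_use_common_zone(od)`, but `priority` was already taken from lrouter_nat_get_priority(), which returns `300 + nat->priority` whenever `nat->match` is non-empty. With a common zone the DNAT flow would therefore sit above the regular NAT flows without the condition meant to narrow it, so a rule the operator scoped with a match would apply to all traffic for that external IP. The build_lrouter_out_snat_in_czone_flow hunk has the same shape: it passes `nat` for the priority and no match append is visible there. If match is unsupported with a common zone, the priority should fall back as well, e.g. `if (nat->match[0] && !lrouter_use_common_zone(od)) {` in the helper, or the limitation should be logged and documented. The start of build_lrouter_in_dnat_flow is outside this hunk, so an earlier check may exist.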
@@ -14751,7 +14760,7 @@ build_lrouter_out_snat_stateless_flow(struct 
lflow_table *lflows,
 
 ds_clear(actions);
 
-uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
+uint16_t priority = lrouter_nat_get_priority(od, nat, false, cidr_bits);
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
  cidr_bits, is_v6, l3dgw_port, lflow_ref,
  false);
@@ -14764,6 +14773,10 @@ build_lrouter_out_snat_stateless_flow(struct 
lflow_table *lflows,
 ds_put_format(actions, "ip%c.src=%s; next;",
   is_v6 ? '6' : '4', nat->external_ip);
 
+if (nat->match[0]) {
+ds_put_format(match, " && (%s)", nat->match);
+}
+
 ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_SNAT,
 priority, ds_cstr(match),
 ds_cstr(actions), >header_,
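Review bot: `nat->match` is spliced into the flow match as `" && (%s)"` with no parsing or validation visible in this patch, here and in the build_lrouter_out_snat_flow and build_lrouter_in_dnat_flow hunks. Text that is not a well-formed expression would presumably be rejected only when ovn-controller parses the logical flow, leaving the NAT missing on the chassis with no signal in northd. The wrapping parentheses alone also do not guarantee that the user text stays a single conjunct. Consider checking the column once in northd (or rejecting it in ovn-nbctl) and emitting a rate-limited warning that names the NAT row when it does not parse. The function continues outside this hunk.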
@@ -14786,7 +14799,7 @@ build_lrouter_out_snat_in_czone_flow(struct lflow_table 
*lflows,
 
 ds_clear(actions);
 
-uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
+uint16_t priority = lrouter_nat_get_priority(od, nat, false, cidr_bits);
 struct ds zone_actions = DS_EMPTY_INITIALIZER;
 
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
@@ -14845,7 +14858,7 @@ build_lrouter_out_snat_flow(struct lflow_table *lflows,
 
 ds_clear(actions);
 
-uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
+uint16_t priority = lrouter_nat_get_priority(od, nat, false, cidr_bits);
 
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
  cidr_bits, is_v6, l3dgw_port, lflow_ref,
@@ -14864,6 +14877,10 @@ build_lrouter_out_snat_flow(struct lflow_table *lflows,
 }
 ds_put_format(actions, ");");
 
+if (nat->match[0]) {
+ds_put_format(match, " && (%s)", nat->match);
+}
+
 ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_SNAT,
 priority, ds_cstr(match),
 ds_cstr(actions), >header

[ovs-dev] [PATCH ovn 2/3] nb: Add support for match and priority in NAT.

2024-05-03 Thread Ales Musil
Add support for match and priority in the NAT table. This makes it
possible to define a NAT with an extra match condition, giving more
fine-grained control over the final NAT rule application. At the same
time it allows for NAT rules that would otherwise be considered
duplicates, e.g. multiple SNATs with the same logical IP but different
external IPs. Also, when the match is specified, allow adding a priority
to order the NAT rule evaluation as needed.

Signed-off-by: Ales Musil 
---
 ovn-nb.ovsschema  |   8 +-
 ovn-nb.xml|  15 +++
 tests/ovn-nbctl.at| 220 +++---
 utilities/ovn-nbctl.8.xml |  14 ++-
 utilities/ovn-nbctl.c | 189 
 5 files changed, 307 insertions(+), 139 deletions(-)

diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema
index 10ce50b25..e3c4aff9d 100644
--- a/ovn-nb.ovsschema
+++ b/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
 {
 "name": "OVN_Northbound",
-"version": "7.3.1",
-"cksum": "3899022625 35372",
+"version": "7.4.0",
+"cksum": "1908497390 35615",
 "tables": {
 "NB_Global": {
 "columns": {
@@ -524,6 +524,10 @@
  "refType": "weak"},
  "min": 0,
  "max": 1}},
+"priority": {"type": {"key": {"type": "integer",
+  "minInteger": 0,
+  "maxInteger": 32767}}},
+"match": {"type": "string"},
 "options": {"type": {"key": "string", "value": "string",
  "min": 0, "max": "unlimited"}},
 "external_ids": {
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 5cb6ba640..fbad5f124 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -3924,6 +3924,21 @@ or
   
 
 
+
+  The packets that the NAT rules should match, in addition to the match
+  that is created based on the NAT type, in the same expression
+  language used for the  column in the OVN
+  Southbound database's 
+  table.  This allows for more fine-grained control over the NAT rule.
+
+
+
+  The NAT rule's priority.  Rules with numerically higher priority
+  take precedence over those with lower.  The priority is taken into
+  account only if the match is defined.
+
+
 
   Indicates if a dnat_and_snat rule should lead to connection
   tracking state or not.
diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index 5248e6c76..19c83a4a5 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -625,15 +625,15 @@ AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat_and_snat fd01::1 
fd11::2])
 AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat_and_snat 30.0.0.2 192.168.1.3 lp0 
00:00:00:01:02:03])
 AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat_and_snat fd01::2 fd11::3 lp0 
00:00:00:01:02:03])
 AT_CHECK([ovn-nbctl lr-nat-list lr0], [0], [dnl
-TYPE GATEWAY_PORT  EXTERNAL_IPEXTERNAL_PORT
LOGICAL_IP  EXTERNAL_MAC LOGICAL_PORT
-dnat   30.0.0.1
192.168.1.2
-dnat   fd01::1 
fd11::2
-dnat_and_snat  30.0.0.1
192.168.1.2
-dnat_and_snat  30.0.0.2
192.168.1.3 00:00:00:01:02:03lp0
-dnat_and_snat  fd01::1 
fd11::2
-dnat_and_snat  fd01::2 
fd11::3 00:00:00:01:02:03lp0
-snat   30.0.0.1
192.168.1.0/24
-snat   fd01::1 
fd11::/64
+TYPE GATEWAY_PORT  MATCH EXTERNAL_IP   
 EXTERNAL_PORTLOGICAL_IP  EXTERNAL_MAC LOGICAL_PORT
+dnat 30.0.0.1  
  192.168.1.2
+dnat fd01::1   
  fd11::2
+dnat_and_snat30.0.0.1  
  192.168.1.2
+dnat_and_snat30.0.0.2  
  192.168.1.3 00:00:00:01:02:03lp0
+dnat_and_snatfd01::1   
  fd11::2
+dnat_and_snat  

[ovs-dev] [PATCH ovn 1/3] nothd: Unify the priority calculation for NAT flows.

2024-05-03 Thread Ales Musil
The priority calculation was scattered across multiple places, which
could result in errors when the code is being updated. Move it
to a common function that makes it very clear how the priority is
calculated.

Signed-off-by: Ales Musil 
---
 northd/northd.c | 82 +++--
 1 file changed, 32 insertions(+), 50 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index 133cddb69..a883c3e08 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -11543,6 +11543,25 @@ lrouter_dnat_and_snat_is_stateless(const struct 
nbrec_nat *nat)
!strcmp(nat->type, "dnat_and_snat");
 }
 
+static inline uint16_t
+lrouter_nat_get_priority(const struct ovn_datapath *od, bool is_dnat,
+ uint16_t prefix_len)
+{
+if (is_dnat) {
+return 100;
+}
+
+/* The priority here is calculated such that the
+ * nat->logical_ip with the longest mask gets a higher
+ * priority. */
+uint16_t priority = prefix_len + 1;
+if (!od->is_gw_router && od->n_l3dgw_ports) {
+priority += 128;
+}
+
+return priority;
+}
+
 /* Handles the match criteria and actions in logical flow
  * based on external ip based NAT rule filter.
  *
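Review bot: lrouter_nat_get_priority is added without a header comment, and its `is_dnat` parameter is fed `is_src` by lrouter_nat_add_ext_ip_match later in this patch, which makes that call site hard to verify at a glance. I would add `/* Returns the logical flow priority for a NAT rule: 100 for DNAT; otherwise prefix_len + 1, plus 128 when 'od' is not a gateway router and has l3dgw ports. */` above the function. A note that `prefix_len` is ignored when `is_dnat` is true would also help.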
@@ -11573,7 +11592,6 @@ lrouter_nat_add_ext_ip_match(const struct ovn_datapath 
*od,
 } else if (exempted_ext_ips) {
 struct ds match_exempt = DS_EMPTY_INITIALIZER;
 enum ovn_stage stage = is_src ? S_ROUTER_IN_DNAT : S_ROUTER_OUT_SNAT;
-uint16_t priority;
 
 /* Priority of logical flows corresponding to exempted_ext_ips is
  * +2 of the corresponding regular NAT rule.
@@ -11589,17 +11607,8 @@ lrouter_nat_add_ext_ip_match(const struct ovn_datapath 
*od,
  * lr_out_snat...priority=161, match=(..), action=(ct_snat();)
  *
  */
-if (is_src) {
-/* S_ROUTER_IN_DNAT uses priority 100 */
-priority = 100 + 2;
-} else {
-/* S_ROUTER_OUT_SNAT uses priority (mask + 1 + 128 + 1) */
-priority = cidr_bits + 3;
-
-if (!od->is_gw_router) {
-priority += 128;
-   }
-}
+uint16_t priority =
+lrouter_nat_get_priority(od, is_src, cidr_bits) + 2;
 
 ds_clone(_exempt, match);
 ds_put_format(_exempt, " && ip%s.%s == $%s",
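Review bot: This replacement is not behaviour-preserving, although the commit message describes a pure unification. The removed SNAT branch added 128 whenever `!od->is_gw_router`, while lrouter_nat_get_priority() adds it only when `od->n_l3dgw_ports` is also non-zero, so exempted-IP flows on a non-gateway router without l3dgw ports drop by 128. The build_lrouter_out_snat_in_czone_flow hunk changes in the other direction: the removed code tested only `od->n_l3dgw_ports`, and the helper additionally requires `!od->is_gw_router`. If both are intended fixes, the commit message and a test should say so, and the example priorities in the comment above should be rechecked. The enclosing function starts and ends outside this hunk.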
@@ -14598,7 +14607,8 @@ build_lrouter_in_dnat_flow(struct lflow_table *lflows,
 ds_put_format(actions, ");");
 }
 
-ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, 100,
+ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT,
+lrouter_nat_get_priority(od, true, cidr_bits),
 ds_cstr(match), ds_cstr(actions),
 >header_, lflow_ref);
 }
@@ -14741,25 +14751,14 @@ build_lrouter_out_snat_stateless_flow(struct 
lflow_table *lflows,
 
 ds_clear(actions);
 
-/* The priority here is calculated such that the
- * nat->logical_ip with the longest mask gets a higher
- * priority. */
-uint16_t priority = cidr_bits + 1;
-
+uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
  cidr_bits, is_v6, l3dgw_port, lflow_ref,
  false);
 
-if (!od->is_gw_router) {
-/* Distributed router. */
-if (od->n_l3dgw_ports) {
-priority += 128;
-}
-
-if (distributed_nat) {
-ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
-  ETH_ADDR_ARGS(mac));
-}
+if (!od->is_gw_router && distributed_nat) {
+ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
+  ETH_ADDR_ARGS(mac));
 }
 
 ds_put_format(actions, "ip%c.src=%s; next;",
@@ -14787,20 +14786,13 @@ build_lrouter_out_snat_in_czone_flow(struct 
lflow_table *lflows,
 
 ds_clear(actions);
 
-/* The priority here is calculated such that the
- * nat->logical_ip with the longest mask gets a higher
- * priority. */
-uint16_t priority = cidr_bits + 1;
+uint16_t priority = lrouter_nat_get_priority(od, false, cidr_bits);
 struct ds zone_actions = DS_EMPTY_INITIALIZER;
 
 build_lrouter_out_snat_match(lflows, od, nat, match, distributed_nat,
  cidr_bits, is_v6, l3dgw_port,
  lflow_ref, false);
 
-if (od->n_l3dgw_ports) {
-priority += 128;
-}
-
 if (distributed_nat) {
 ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
   ETH_ADDR_ARGS(mac));
@@ -14853,26 +14845,16 @@ build_lrouter_out_snat_flow(struct lflow_table 
*lflows,
 
 ds_clear(actions);
 
-/* The priority here is calculat

[ovs-dev] [PATCH ovn 0/3] Arbitrary match for NAT

2024-05-03 Thread Ales Musil
This series adds the ability to have extra match per NAT, this allows
the CMS to have more fine-grained control over the NAT action. At the
same time it allows to have "duplicate" NATs e.g. multiple SNATs for
the same logical_ip as well as multiple DNATs for the same external_ip.

There is also priority in addition to the match which controls the
evaluation order of the NAT with match, as the priority can be used
only in combination with match.

Ales Musil (3):
  nothd: Unify the priority calculation for NAT flows.
  nb: Add support for match and priority in NAT.
  northd: Use the NAT match column.

 northd/northd.c   |  99 +++---
 northd/ovn-northd.8.xml   |  31 +
 ovn-nb.ovsschema  |   8 +-
 ovn-nb.xml|  15 +++
 tests/ovn-nbctl.at| 220 +-
 tests/ovn-northd.at   |  79 +++
 tests/system-ovn.at   | 272 ++
 utilities/ovn-nbctl.8.xml |  14 +-
 utilities/ovn-nbctl.c | 189 --
 9 files changed, 738 insertions(+), 189 deletions(-)

-- 
2.44.0



Re: [ovs-dev] [PATCH ovn] northd, ic: Fix handling of ovn-appctl resume.

2024-05-03 Thread Ales Musil
On Tue, Apr 23, 2024 at 2:44 PM Xavier Simonart  wrote:

> After ovn-appctl resume was issued for northd or ovn-ic, there was no
> guarantee that northd or ovn-ic were waking up, potentially handling
> changes received while they were paused..
> Usually, poll_block would be woken up by POLLHUP, but race conditions could
> cause this not to happen.
> ovn-controller is already properly handling the resume.
>
> This caused the following tests to fail sporadically:
> - ovn-ic -- sync ISB status to INB
> - propagate Port_Binding.up to NB and OVS.
>
> Signed-off-by: Xavier Simonart 
> ---
>  ic/ovn-ic.c | 2 +-
>  northd/ovn-northd.c | 1 +
>  2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
> index e947323bf..be23f199d 100644
> --- a/ic/ovn-ic.c
> +++ b/ic/ovn-ic.c
> @@ -2409,7 +2409,7 @@ ovn_ic_resume(struct unixctl_conn *conn, int argc
> OVS_UNUSED,
>  {
>  struct ic_state *state = state_;
>  state->paused = false;
> -
> +poll_immediate_wake();
>  unixctl_command_reply(conn, NULL);
>  }
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index 3a5544b0c..d71114f35 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -1107,6 +1107,7 @@ ovn_northd_resume(struct unixctl_conn *conn, int
> argc OVS_UNUSED,
>  {
>  struct northd_state *state = state_;
>  state->paused = false;
> +poll_immediate_wake();
>
>  unixctl_command_reply(conn, NULL);
>  }
> --
> 2.31.1
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Looks good to me, thanks.

Acked-by: Ales Musil 

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


Re: [ovs-dev] [PATCH ovn] ovn-ctl: Support for --config-file ovsdb-server option.

2024-05-03 Thread Ales Musil
@@ -951,6 +967,7 @@ set_defaults () {
>  OVN_SB_RELAY_DB_SSL_CERT=""
>  OVN_SB_RELAY_DB_SSL_CA_CERT=""
>  DB_SB_RELAY_USE_REMOTE_IN_DB="yes"
> +DB_SB_RELAY_CONFIG_FILE=
>
>  DB_CLUSTER_SCHEMA_UPGRADE="yes"
>  }
> @@ -1124,12 +1141,16 @@ File location options:
>--db-nb-create-insecure-remote=yes|no Create ptcp OVN Northbound remote
> (default: $DB_NB_CREATE_INSECURE_REMOTE)
>--db-nb-probe-interval-to-active Active probe interval from standby to
> active ovsdb-server remote (default: $DB_NB_PROBE_INTERVAL_TO_ACTIVE)
>--db-nb-election-timer=MS OVN Northbound RAFT db election timer to use
> on db creation (in milliseconds)
> +  --db-nb-config-file=FILE OVN_Northbound ovsdb-server configuration file
> +   Mutually exclusive with
> --db-nb-use-remote-in-db=yes.
>--db-sb-sync-from-addr=ADDR OVN Southbound active db tcp address
> (default: $DB_SB_SYNC_FROM_ADDR)
>--db-sb-sync-from-port=ADDR OVN Southbound active db tcp port (default:
> $DB_SB_SYNC_FROM_PORT)
>--db-sb-sync-from-proto=PROTO OVN Southbound active db transport
> (default: $DB_SB_SYNC_FROM_PROTO)
>--db-sb-create-insecure-remote=yes|no Create ptcp OVN Southbound remote
> (default: $DB_SB_CREATE_INSECURE_REMOTE)
>--db-sb-probe-interval-to-active Active probe interval from standby to
> active ovsdb-server remote (default: $DB_SB_PROBE_INTERVAL_TO_ACTIVE)
>--db-sb-election-timer=MS OVN Southbound RAFT db election timer to use
> on db creation (in milliseconds)
> +  --db-sb-config-file=FILE OVN_Southbound ovsdb-server configuration file.
> +   Mutually exclusive with
> --db-sb-use-remote-in-db=yes.
>--db-nb-cluster-local-addr=ADDR OVN_Northbound cluster local address \
>(default: $DB_NB_CLUSTER_LOCAL_ADDR)
>--db-nb-cluster-local-port=PORT OVN_Northbound cluster local tcp port \
> @@ -1157,7 +1178,9 @@ File location options:
>--ovn-northd-nb-db=NB DB address(es) (default: $OVN_NORTHD_NB_DB)
>--ovn-northd-sb-db=SB DB address(es) (default: $OVN_NORTHD_SB_DB)
>--db-nb-use-remote-in-db=yes|no OVN_Northbound db listen on target
> connection table (default: $DB_NB_USE_REMOTE_IN_DB)
> +  'yes' is mutually exclusive with
> --db-nb-config-file.
>--db-sb-use-remote-in-db=yes|no OVN_Southbound db listen on target
> connection table (default: $DB_SB_USE_REMOTE_IN_DB)
> +  'yes' is mutually exclusive with
> --db-sb-config-file.
>--db-ic-nb-sock=SOCKET  OVN_IC_Northbound db socket (default:
> $DB_IC_NB_SOCK)
>--db-ic-sb-sock=SOCKET  OVN_IC_Southbound db socket (default:
> $DB_IC_SB_SOCK)
>--db-ic-nb-file=FILEOVN_IC_Northbound db file (default:
> $DB_IC_NB_FILE)
> @@ -1209,10 +1232,18 @@ File location options:
>--ovn-ic-nb-db=IC NB DB address(es) (default: $OVN_IC_NB_DB)
>--ovn-ic-sb-db=IC SB DB address(es) (default: $OVN_IC_SB_DB)
>--db-ic-nb-use-remote-in-db=yes|no OVN_IC_Northbound db listen on
> target connection table (default: $DB_IC_NB_USE_REMOTE_IN_DB)
> + 'yes' is mutually exclusive with
> --db-ic-nb-config-file.
>--db-ic-sb-use-remote-in-db=yes|no OVN_IC_Southbound db listen on
> target connection table (default: $DB_IC_SB_USE_REMOTE_IN_DB)
> + 'yes' is mutually exclusive with
> --db-ic-sb-config-file.
> +  --db-ic-nb-config-file=FILE OVN_IC_Northbound ovsdb-server
> configuration file
> +  Mutually exclusive with
> --db-ic-nb-use-remote-in-db=yes.
> +  --db-ic-sb-config-file=FILE OVN_IC_Southbound ovsdb-server
> configuration file
> +  Mutually exclusive with
> --db-ic-sb-use-remote-in-db=yes.
>--db-sb-relay-sock=SOCKET  OVN_IC_Northbound db socket (default:
> $DB_SB_RELAY_SOCK)
>--db-sb-relay-pidfile=FILE OVN_Southbound relay db pidfile (default:
> $DB_SB_RELAY_CTRL_PIDFILE)
>--db-sb-relay-ctrl-sock=SOCKET OVN_Southbound relay db control socket
> (default: $DB_SB_RELAY_CTRL_SOCK)
> +  --db-sb-relay-config-file=FILE OVN_IC_Northbound ovsdb-server
> configuration file
> + Mutually exclusive with
> --db-ic-nb-use-remote-in-db=yes.
>--ovn-sb-relay-db-ssl-key=KEY OVN_Southbound DB relay SSL private key
> file
>--ovn-sb-relay-db-ssl-cert=CERT OVN_Southbound DB relay SSL certificate
> file
>--ovn-sb-relay-db-ssl-ca-cert=CERT OVN OVN_Southbound DB relay SSL CA
> certificate file
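Review bot: The help text added for `--db-sb-relay-config-file=FILE` calls it the "OVN_IC_Northbound ovsdb-server configuration file" and says it is mutually exclusive with `--db-ic-nb-use-remote-in-db=yes`; both look copied from the IC northbound entry. Given the neighbouring relay options and `DB_SB_RELAY_USE_REMOTE_IN_DB` in set_defaults, the text should presumably read `OVN_Southbound relay ovsdb-server configuration file` and `Mutually exclusive with --db-sb-relay-use-remote-in-db=yes.` As written, the usage output points operators at the wrong database and the wrong conflicting option when they configure the relay's listeners. The usage text extends beyond this hunk.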
> --
> 2.44.0
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Looks good to me, thanks.

Acked-by: Ales Musil 

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH v3] hash, jhash: Fix unaligned access to the hash remainder.

2024-05-02 Thread Ales Musil
Partially revert db5a101931c5, this was to avoid warning, however we
shouldn't use pointer to "uint32_t" when the data are potentially
unaligned [0]. Use pointer to "uint8_t" right from the start, this
requires us to use ALIGNED_CAST for the get_unaligned_u32, which is
fine in that case, because the function uses
" __attribute__((__packed__))" struct to access the underlying "uint32_t".

lib/hash.c:46:22: runtime error: load of misaligned address
0x50700065 for type 'const uint32_t *' (aka 'const unsigned int *'),
which requires 4 byte alignment
0x50700065: note: pointer points here
 73 62 2e 73 6f 63 6b  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
 ^
  00 00 00 00 00 00 00 00  00
0 0x6191cb in hash_bytes ovs/lib/hash.c:46:9
1 0x69d064 in hash_string ovs/lib/hash.h:404:12
2 0x69d064 in hash_name ovs/lib/shash.c:29:12
3 0x69d064 in shash_find ovs/lib/shash.c:237:49
4 0x69dada in shash_find_data ovs/lib/shash.c:251:31
5 0x507987 in add_remote ovs/ovsdb/ovsdb-server.c:1382:15
6 0x507987 in parse_options ovs/ovsdb/ovsdb-server.c:2659:13
7 0x507987 in main ovs/ovsdb/ovsdb-server.c:751:5

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lib/hash.c:46:22

[0] https://github.com/llvm/llvm-project/issues/90848
Fixes: db5a101931c5 ("clang: Fix the alignment warning.")
Signed-off-by: Ales Musil 
---
v3: Do partial revert of db5a101931c5 instead of simple cast.
---
 lib/hash.c  |  7 ---
 lib/jhash.c | 10 +-
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/lib/hash.c b/lib/hash.c
index c722f3c3c..3d574de9b 100644
--- a/lib/hash.c
+++ b/lib/hash.c
@@ -29,15 +29,16 @@ hash_3words(uint32_t a, uint32_t b, uint32_t c)
 uint32_t
 hash_bytes(const void *p_, size_t n, uint32_t basis)
 {
-const uint32_t *p = p_;
+const uint8_t *p = p_;
 size_t orig_n = n;
 uint32_t hash;
 
 hash = basis;
 while (n >= 4) {
-hash = hash_add(hash, get_unaligned_u32(p));
+hash = hash_add(hash,
+get_unaligned_u32(ALIGNED_CAST(const uint32_t *, p)));
 n -= 4;
-p += 1;
+p += 4;
 }
 
 if (n) {
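Review bot: The `ALIGNED_CAST(const uint32_t *, p)` call in hash_bytes, and the three in the jhash_bytes hunk, need a short comment, because the cast silences the alignment diagnostic exactly where the data may be misaligned. Something like `/* 'p' may be unaligned; the cast is safe only because get_unaligned_u32() reads through a packed struct. */` above the loop would keep a later edit from dereferencing the cast pointer directly. The cast still forms a misaligned `uint32_t *` for the duration of the call, so the comment should also say that no arithmetic or dereference may be done on it. hash_bytes continues past the end of this hunk.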
diff --git a/lib/jhash.c b/lib/jhash.c
index c59b51b61..a8e3f457b 100644
--- a/lib/jhash.c
+++ b/lib/jhash.c
@@ -96,18 +96,18 @@ jhash_words(const uint32_t *p, size_t n, uint32_t basis)
 uint32_t
 jhash_bytes(const void *p_, size_t n, uint32_t basis)
 {
-const uint32_t *p = p_;
+const uint8_t *p = p_;
 uint32_t a, b, c;
 
 a = b = c = 0xdeadbeef + n + basis;
 
 while (n >= 12) {
-a += get_unaligned_u32(p);
-b += get_unaligned_u32(p + 1);
-c += get_unaligned_u32(p + 2);
+a += get_unaligned_u32(ALIGNED_CAST(const uint32_t *, p));
+b += get_unaligned_u32(ALIGNED_CAST(const uint32_t *, p + 4));
+c += get_unaligned_u32(ALIGNED_CAST(const uint32_t *, p + 8));
 jhash_mix(, , );
 n -= 12;
-p += 3;
+p += 12;
 }
 
 if (n) {
-- 
2.44.0



Re: [ovs-dev] [PATCH ovn] docs: List supported rolling upgrade paths.

2024-05-02 Thread Ales Musil
On Fri, Apr 26, 2024 at 10:49 PM Ihar Hrachyshka 
wrote:

> The wording above is not completely clear without these scenarios
> listed. A confused reader may incorrectly read it as:
>
> ```
> Only LTS-to-LTS is supported for rolling upgrades.
> ```
>
> which is wrong.
>
> Signed-off-by: Ihar Hrachyshka 
> ---
>  Documentation/intro/install/ovn-upgrades.rst | 5 +
>  1 file changed, 5 insertions(+)
>
> diff --git a/Documentation/intro/install/ovn-upgrades.rst
> b/Documentation/intro/install/ovn-upgrades.rst
> index 1f99a86ec..f3dea07dc 100644
> --- a/Documentation/intro/install/ovn-upgrades.rst
> +++ b/Documentation/intro/install/ovn-upgrades.rst
> @@ -74,6 +74,11 @@ To avoid buildup of complexity and technical debt we
> limit the span of versions
>  supported for a rolling upgrade on :ref:`long-term-support` (LTS), and it
>  should always be possible to upgrade from the previous LTS version to the
> next.
>
> +The following rolling upgrade paths are supported:
> +
> +1. LTS to the very next LTS release, or to any non-LTS in between the two.
> +2. Any non-LTS to the very next LTS release.
> +
>  The first LTS version of OVN was 22.03.  If you want to upgrade between
> other
>  versions, you can use the `Fail-safe upgrade`_ procedure.
>
> --
> 2.41.0
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Looks good to me, thanks.

Acked-by: Ales Musil 

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


Re: [ovs-dev] [PATCH ovn] docs: Explain nature of ovs dependency.

2024-05-02 Thread Ales Musil
On Fri, Apr 26, 2024 at 10:35 PM Ihar Hrachyshka 
wrote:

> The dependency is during build time, not runtime.
>
> Signed-off-by: Ihar Hrachyshka 
> ---
>  Documentation/intro/install/ovn-upgrades.rst | 18 --
>  1 file changed, 12 insertions(+), 6 deletions(-)
>
> diff --git a/Documentation/intro/install/ovn-upgrades.rst
> b/Documentation/intro/install/ovn-upgrades.rst
> index bb387e2f8..1f99a86ec 100644
> --- a/Documentation/intro/install/ovn-upgrades.rst
> +++ b/Documentation/intro/install/ovn-upgrades.rst
> @@ -40,13 +40,19 @@ Release Notes
>  You should always check the OVS and OVN release notes (NEWS file) for any
>  release specific notes on upgrades.
>
> -OVS
> 
> +Open vSwitch
> +
>
> -OVN depends on and is included with OVS.  It's expected that OVS and OVN
> are
> -upgraded together, partly for convenience.  OVN is included in OVS
> releases
> -so it's easiest to upgrade them together.  OVN may also make use of new
> -features of OVS only available in that release.
> +OVN compiles with a particular version of Open vSwitch.  This is a
> build-time
> +dependency.
> +
> +In runtime, OVN should be able to work with any reasonably fresh version
> of
> +Open vSwitch (not necessarily the version that it was compiled against.)
> +
> +OVN may make use of new runtime features of Open vSwitch that are only
> +available in a particular release. OVN is expected to test for an Open
> vSwitch
> +feature presence before using it, and gracefully handle scenarios where
> Open
> +vSwitch doesn't support a particular optional feature, yet.
>
>  Upgrade procedures
>  --
> --
> 2.41.0
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Looks good to me, thanks.

Acked-by: Ales Musil 

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


Re: [ovs-dev] [PATCH ovn v4] controller: Track individual address set constants.

2024-05-02 Thread Ales Musil
On Thu, May 2, 2024 at 6:23 PM Han Zhou  wrote:
>
>
>
> On Thu, May 2, 2024 at 6:29 AM Ales Musil  wrote:
> >
> > Instead of tracking address set per struct expr_constant_set track it
> > per individual struct expr_constant. This allows more fine grained
> > control for I-P processing of address sets in controller. It helps with
> > scenarios like matching on two address sets in one expression e.g.
> > "ip4.src == {$as1, $as2}". This allows any addition or removal of
> > individual address from the set to be incrementally processed instead
> > of reprocessing all the flows.
> >
> > This unfortunately doesn't help with the following flows:
> > "ip4.src == $as1 && ip4.dst == $as2"
> > "ip4.src == $as1 || ip4.dst == $as2"
> >
> > The memory impact should be minimal as there is only increase of 8 bytes
> > per the struct expr_constant.
> >
> > Reported-at: https://issues.redhat.com/browse/FDP-509
> > Signed-off-by: Ales Musil 
> > ---
> > v4: Rebase on top of current main.
> > Update the "lflow_handle_addr_set_update" comment according to 
> > suggestion from Han.
>
> Thanks Ales. I updated the commit message for the same, and applied to main 
> branch.
>
> Regards,
> Han
>
> > v3: Rebase on top of current main.
> > Address comments from Han:
> > - Adjust the comment for "lflow_handle_addr_set_update" to include 
> > remaning corner cases.
> > - Make sure that the flows are consistent between I-P and recompute.
> > v2: Rebase on top of current main.
> > Adjust the comment for I-P optimization.
> > ---
> >  controller/lflow.c  | 11 ++---
> >  include/ovn/actions.h   |  2 +-
> >  include/ovn/expr.h  | 46 ++-
> >  lib/actions.c   | 20 -
> >  lib/expr.c  | 99 +
> >  tests/ovn-controller.at | 79 +---
> >  6 files changed, 154 insertions(+), 103 deletions(-)
> >
> > diff --git a/controller/lflow.c b/controller/lflow.c
> > index 760ec0b41..1e05665a1 100644
> > --- a/controller/lflow.c
> > +++ b/controller/lflow.c
> > @@ -278,7 +278,7 @@ lflow_handle_changed_flows(struct lflow_ctx_in 
> > *l_ctx_in,
> >  }
> >
> >  static bool
> > -as_info_from_expr_const(const char *as_name, const union expr_constant *c,
> > +as_info_from_expr_const(const char *as_name, const struct expr_constant *c,
> >  struct addrset_info *as_info)
> >  {
> >  as_info->name = as_name;
> > @@ -644,14 +644,11 @@ as_update_can_be_handled(const char *as_name, struct 
> > addr_set_diff *as_diff,
> >   *generated.
> >   *
> >   *  - The sub expression of the address set is combined with other sub-
> > - *expressions/constants, usually because of disjunctions between
> > - *sub-expressions/constants, e.g.:
> > + *expressions/constants on different fields, e.g.:
> >   *
> >   *  ip.src == $as1 || ip.dst == $as2
> > - *  ip.src == {$as1, $as2}
> > - *  ip.src == {$as1, ip1}
> >   *
> > - *All these could have been split into separate lflows.
> > + *This could have been split into separate lflows.
> >   *
> >   *  - Conjunctions overlapping between lflows, which can be caused by
> >   *overlapping address sets or same address set used by multiple 
> > lflows
> > @@ -714,7 +711,7 @@ lflow_handle_addr_set_update(const char *as_name,
> >  if (as_diff->deleted) {
> >  struct addrset_info as_info;
> >  for (size_t i = 0; i < as_diff->deleted->n_values; i++) {
> > -union expr_constant *c = _diff->deleted->values[i];
> > +struct expr_constant *c = _diff->deleted->values[i];
> >  if (!as_info_from_expr_const(as_name, c, _info)) {
> >  continue;
> >  }
> > diff --git a/include/ovn/actions.h b/include/ovn/actions.h
> > index ae0864fdd..88cf4de79 100644
> > --- a/include/ovn/actions.h
> > +++ b/include/ovn/actions.h
> > @@ -241,7 +241,7 @@ struct ovnact_next {
> >  struct ovnact_load {
> >  struct ovnact ovnact;
> >  struct expr_field dst;
> > -union expr_constant imm;
> > +struct expr_constant imm;
> >  };
> >
> >  /* OVNACT_MOVE, OVNACT_EXCHANGE. */
> > diff --git a/include/ovn/expr.h b/include/ovn/expr.h
> > 

Re: [ovs-dev] [PATCH v2] hash, jhash: Fix unaligned access to the hash remainder.

2024-05-02 Thread Ales Musil
On Thu, May 2, 2024 at 8:03 PM Ilya Maximets  wrote:

> On 5/2/24 15:28, Ales Musil wrote:
> > The pointer was passed to memcpy as uin32_t *, however the hash bytes
> > might be unaligned at that point. Case it to uint8_t * instead
>
> 'Case' ?
>
> > which has only single byte alignment requirement. This seems to be
> > a false positive reported by clang [0].
>
> After thinking some more, it's not actually a false positive per se.
> According to the C spec we're not actually allowed to have misaligned
> pointers even if we're not reading/writing through them.
>
> So, technically, the initial cast to uint32_t pointer is no correct.
> I don't think we can fully avoid such casts without loosing type checking,
> but I think we need to revert changes to hash functions made in
> commit db5a101931c5 ("clang: Fix the alignment warning.").
> i.e. we should go back to using uint8_t pointer and cast it on the
> get_unaligned_u32() call with ALIGNED_CAST.  We will still have a
> misaligned pointer, but it will be immediately cast back, so should
> cause less issues.
>
> Note: all arithmetic should be done on the uint8_t pointer, not a
> misaligned uin32_t one to avoid potential other UB conditions.
>
> Best regards, Ilya Maximets.
>

Makes sense, done in v3.


>
> >
> > lib/hash.c:46:22: runtime error: load of misaligned address
> > 0x50700065 for type 'const uint32_t *' (aka 'const unsigned int *'),
> > which requires 4 byte alignment
> > 0x50700065: note: pointer points here
> >  73 62 2e 73 6f 63 6b  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> >  ^
> >   00 00 00 00 00 00 00 00  00
> > 0 0x6191cb in hash_bytes ovs/lib/hash.c:46:9
> > 1 0x69d064 in hash_string ovs/lib/hash.h:404:12
> > 2 0x69d064 in hash_name ovs/lib/shash.c:29:12
> > 3 0x69d064 in shash_find ovs/lib/shash.c:237:49
> > 4 0x69dada in shash_find_data ovs/lib/shash.c:251:31
> > 5 0x507987 in add_remote ovs/ovsdb/ovsdb-server.c:1382:15
> > 6 0x507987 in parse_options ovs/ovsdb/ovsdb-server.c:2659:13
> > 7 0x507987 in main ovs/ovsdb/ovsdb-server.c:751:5
> >
> > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lib/hash.c:46:22
> >
> > [0] https://github.com/llvm/llvm-project/issues/90848
> > Signed-off-by: Ales Musil 
> > ---
> >  lib/hash.c  | 2 +-
> >  lib/jhash.c | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/lib/hash.c b/lib/hash.c
> > index c722f3c3c..986fa6643 100644
> > --- a/lib/hash.c
> > +++ b/lib/hash.c
> > @@ -43,7 +43,7 @@ hash_bytes(const void *p_, size_t n, uint32_t basis)
> >  if (n) {
> >  uint32_t tmp = 0;
> >
> > -memcpy(, p, n);
> > +memcpy(, (const uint8_t *) p, n);
> >  hash = hash_add(hash, tmp);
> >  }
> >
> > diff --git a/lib/jhash.c b/lib/jhash.c
> > index c59b51b61..0a0628589 100644
> > --- a/lib/jhash.c
> > +++ b/lib/jhash.c
> > @@ -114,7 +114,7 @@ jhash_bytes(const void *p_, size_t n, uint32_t basis)
> >  uint32_t tmp[3];
> >
> >  tmp[0] = tmp[1] = tmp[2] = 0;
> > -memcpy(tmp, p, n);
> > +memcpy(tmp, (const uint8_t *) p, n);
> >  a += tmp[0];
> >  b += tmp[1];
> >  c += tmp[2];
>
>
Thanks,
Ales
-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH ovn v5] controller: Allow br-int connection via other methods.

2024-05-02 Thread Ales Musil
The br-int connection is hardcoded to use a unix socket, which requires
the socket to be visible to ovn-controller. This is achievable in a
container by mounting the socket, but in turn the container requires
additional privileges.

Add option to vswitchd external-ids that allows to specify remote
target for management bridge. This gives the user possibility to
connect to management bridge in different manner than unix socket,
defaulting to the unix socket when not specified. In addition, there
is an option to specify inactivity probe for this connection, disabled
by default.

Reported-at: https://issues.redhat.com/browse/FDP-243
Signed-off-by: Ales Musil 
---
v4: Rebase on top of current main.
v3: Rebase on top of current main.
Fix the copy-paste error in ovn-controller documentation.
v2: Rebase on top of current main.
Make the probe interval accept milliseconds to be aligned with other probe 
intervals.
Use external-ids instead of options for the ovn-controller.
---
 NEWS|  6 +++
 controller/ofctrl.c | 10 +
 controller/ofctrl.h |  5 ++-
 controller/ovn-controller.8.xml | 15 
 controller/ovn-controller.c | 59 +++--
 controller/pinctrl.c| 56 ++--
 controller/pinctrl.h|  6 ++-
 controller/statctrl.c   | 66 ++---
 controller/statctrl.h   |  3 +-
 include/ovn/features.h  |  2 +-
 lib/features.c  | 35 +
 lib/ovn-util.c  | 26 +
 lib/ovn-util.h  |  4 ++
 lib/test-ovn-features.c |  6 +--
 tests/ovn-controller.at | 45 ++
 15 files changed, 193 insertions(+), 151 deletions(-)

diff --git a/NEWS b/NEWS
index 3b5e93dc9..4e15f31c8 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,12 @@ Post v24.03.0
 external-ids, the option is no longer needed as it became effectively
 "true" for all scenarios.
   - Added DHCPv4 relay support.
+  - Add "ovn-bridge-remote" config option to vswitchd external-ids,
+that allows to specify connection method to management bridge for
+ovn-controller, defaulting to the unix socket.
+  - Add "ovn-bridge-remote-probe-interval" config option to vswitchd
+external-ids, that sets probe interval for integration bridge connection,
+disabled by default.
 
 OVN v24.03.0 - 01 Mar 2024
 --
diff --git a/controller/ofctrl.c b/controller/ofctrl.c
index 6a2564604..9d181a782 100644
--- a/controller/ofctrl.c
+++ b/controller/ofctrl.c
@@ -771,19 +771,13 @@ ofctrl_get_mf_field_id(void)
  * Returns 'true' if an OpenFlow reconnect happened; 'false' otherwise.
  */
 bool
-ofctrl_run(const struct ovsrec_bridge *br_int,
+ofctrl_run(const char *conn_target, int probe_interval,
const struct ovsrec_open_vswitch_table *ovs_table,
struct shash *pending_ct_zones)
 {
-char *target = xasprintf("unix:%s/%s.mgmt", ovs_rundir(), br_int->name);
 bool reconnected = false;
 
-if (strcmp(target, rconn_get_target(swconn))) {
-VLOG_INFO("%s: connecting to switch", target);
-rconn_connect(swconn, target, target);
-}
-free(target);
-
+ovn_update_swconn_at(swconn, conn_target, probe_interval, "ofctrl");
 rconn_run(swconn);
 
 if (!rconn_is_connected(swconn) || !pending_ct_zones) {
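Review bot: `conn_target` now reaches `ovn_update_swconn_at()` straight from configuration, and nothing in this hunk constrains which connection method it names, whereas the removed code always built a `unix:` path under `ovs_rundir()`. This OpenFlow connection can rewrite the integration bridge's flow tables, so a plain `tcp:` target would expose that control channel without authentication or encryption; whether the helper, which is defined outside this hunk, validates the scheme cannot be told from here. I would at least extend the function comment, e.g. `* 'conn_target' is the OpenFlow remote for br-int; prefer "unix:" or "ssl:", since "tcp:" is unauthenticated.`, and state there that `probe_interval` is in milliseconds as the manual page hunk says. The body of ofctrl_run continues past the end of the hunk.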
diff --git a/controller/ofctrl.h b/controller/ofctrl.h
index 502c73da6..7df0a24ea 100644
--- a/controller/ofctrl.h
+++ b/controller/ofctrl.h
@@ -50,8 +50,9 @@ struct ovn_desired_flow_table {
 /* Interface for OVN main loop. */
 void ofctrl_init(struct ovn_extend_table *group_table,
  struct ovn_extend_table *meter_table);
-bool ofctrl_run(const struct ovsrec_bridge *br_int,
-const struct ovsrec_open_vswitch_table *,
+
+bool ofctrl_run(const char *conn_target, int probe_interval,
+const struct ovsrec_open_vswitch_table *ovs_table,
 struct shash *pending_ct_zones);
 enum mf_field_id ofctrl_get_mf_field_id(void);
 void ofctrl_put(struct ovn_desired_flow_table *lflow_table,
diff --git a/controller/ovn-controller.8.xml b/controller/ovn-controller.8.xml
index 85e7966d7..b6404a19d 100644
--- a/controller/ovn-controller.8.xml
+++ b/controller/ovn-controller.8.xml
@@ -378,6 +378,21 @@
 cap for the exponential backoff used by ovn-controller
 to send GARPs packets.
   
+  external_ids:ovn-bridge-remote
+  
+
+  Connection to the OVN management bridge in OvS. It defaults to
+  unix:br-int.mgmt when not specified.
+
+  
+  external_ids:ovn-bridge-remote-probe-interval
+  
+
+  The inactivity probe interval of the connection to the OVN management
+  bridge, in milliseconds.
+  If the value is zero, it disables t

[ovs-dev] [PATCH ovn v4] controller: Track individual address set constants.

2024-05-02 Thread Ales Musil
Instead of tracking address set per struct expr_constant_set track it
per individual struct expr_constant. This allows more fine grained
control for I-P processing of address sets in controller. It helps with
scenarios like matching on two address sets in one expression e.g.
"ip4.src == {$as1, $as2}". This allows any addition or removal of
an individual address from the set to be incrementally processed instead
of reprocessing all the flows.

This unfortunately doesn't help with the following flows:
"ip4.src == $as1 && ip4.dst == $as2"
"ip4.src == $as1 || ip4.dst == $as2"

The memory impact should be minimal as there is only increase of 8 bytes
per the struct expr_constant.

Reported-at: https://issues.redhat.com/browse/FDP-509
Signed-off-by: Ales Musil 
---
v4: Rebase on top of current main.
Update the "lflow_handle_addr_set_update" comment according to suggestion 
from Han.
v3: Rebase on top of current main.
Address comments from Han:
- Adjust the comment for "lflow_handle_addr_set_update" to include remaning 
corner cases.
- Make sure that the flows are consistent between I-P and recompute.
v2: Rebase on top of current main.
Adjust the comment for I-P optimization.
---
 controller/lflow.c  | 11 ++---
 include/ovn/actions.h   |  2 +-
 include/ovn/expr.h  | 46 ++-
 lib/actions.c   | 20 -
 lib/expr.c  | 99 +
 tests/ovn-controller.at | 79 +---
 6 files changed, 154 insertions(+), 103 deletions(-)

diff --git a/controller/lflow.c b/controller/lflow.c
index 760ec0b41..1e05665a1 100644
--- a/controller/lflow.c
+++ b/controller/lflow.c
@@ -278,7 +278,7 @@ lflow_handle_changed_flows(struct lflow_ctx_in *l_ctx_in,
 }
 
 static bool
-as_info_from_expr_const(const char *as_name, const union expr_constant *c,
+as_info_from_expr_const(const char *as_name, const struct expr_constant *c,
 struct addrset_info *as_info)
 {
 as_info->name = as_name;
@@ -644,14 +644,11 @@ as_update_can_be_handled(const char *as_name, struct 
addr_set_diff *as_diff,
  *generated.
  *
  *  - The sub expression of the address set is combined with other sub-
- *expressions/constants, usually because of disjunctions between
- *sub-expressions/constants, e.g.:
+ *expressions/constants on different fields, e.g.:
  *
  *  ip.src == $as1 || ip.dst == $as2
- *  ip.src == {$as1, $as2}
- *  ip.src == {$as1, ip1}
  *
- *All these could have been split into separate lflows.
+ *This could have been split into separate lflows.
  *
  *  - Conjunctions overlapping between lflows, which can be caused by
  *overlapping address sets or same address set used by multiple lflows
@@ -714,7 +711,7 @@ lflow_handle_addr_set_update(const char *as_name,
 if (as_diff->deleted) {
 struct addrset_info as_info;
 for (size_t i = 0; i < as_diff->deleted->n_values; i++) {
-union expr_constant *c = _diff->deleted->values[i];
+struct expr_constant *c = _diff->deleted->values[i];
 if (!as_info_from_expr_const(as_name, c, _info)) {
 continue;
 }
diff --git a/include/ovn/actions.h b/include/ovn/actions.h
index ae0864fdd..88cf4de79 100644
--- a/include/ovn/actions.h
+++ b/include/ovn/actions.h
@@ -241,7 +241,7 @@ struct ovnact_next {
 struct ovnact_load {
 struct ovnact ovnact;
 struct expr_field dst;
-union expr_constant imm;
+struct expr_constant imm;
 };
 
 /* OVNACT_MOVE, OVNACT_EXCHANGE. */
diff --git a/include/ovn/expr.h b/include/ovn/expr.h
index c48f82398..e54edb5bf 100644
--- a/include/ovn/expr.h
+++ b/include/ovn/expr.h
@@ -368,7 +368,7 @@ bool expr_relop_from_token(enum lex_type type, enum 
expr_relop *relop);
 struct expr {
 struct ovs_list node;   /* In parent EXPR_T_AND or EXPR_T_OR if any. */
 enum expr_type type;/* Expression type. */
-char *as_name;  /* Address set name. Null if it is not an
+const char *as_name;/* Address set name. Null if it is not an
address set. */
 
 union {
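Review bot: With `as_name` changed to `const char *`, the field comment no longer tells the reader who owns the string; the `const` suggests it is now borrowed rather than freed together with the expr, but the code that sets and releases it is outside this hunk. If it is borrowed, a pointer that outlives the address set it names would be a use-after-free, so the lifetime should be written down once confirmed, e.g. `/* Address set name, not owned by the expr. Null if it is not an address set. */`. The same hunk in the v3 posting further down the page has the same gap. The struct definition continues past the hunk.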
@@ -505,40 +505,42 @@ enum expr_constant_type {
 };
 
 /* A string or integer constant (one must know which from context). */
-union expr_constant {
-/* Integer constant.
- *
- * The width of a constant isn't always clear, e.g. if you write "1",
- * there's no way to tell whether you mean for that to be a 1-bit constant
- * or a 128-bit constant or somewhere in between. */
-struct {
-union mf_subvalue value;
-union mf_subvalue mask; /* Only initialized if 'masked'. */
-bool masked;
-
-enum lex_format format; /* From the constant's lex_token. */
-};
+struct expr_const

[ovs-dev] [PATCH v2] hash, jhash: Fix unaligned access to the hash remainder.

2024-05-02 Thread Ales Musil
The pointer was passed to memcpy as uint32_t *, however the hash bytes
might be unaligned at that point. Cast it to uint8_t * instead,
which has only a single-byte alignment requirement. This seems to be
a false positive reported by clang [0].

lib/hash.c:46:22: runtime error: load of misaligned address
0x50700065 for type 'const uint32_t *' (aka 'const unsigned int *'),
which requires 4 byte alignment
0x50700065: note: pointer points here
 73 62 2e 73 6f 63 6b  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
 ^
  00 00 00 00 00 00 00 00  00
0 0x6191cb in hash_bytes ovs/lib/hash.c:46:9
1 0x69d064 in hash_string ovs/lib/hash.h:404:12
2 0x69d064 in hash_name ovs/lib/shash.c:29:12
3 0x69d064 in shash_find ovs/lib/shash.c:237:49
4 0x69dada in shash_find_data ovs/lib/shash.c:251:31
5 0x507987 in add_remote ovs/ovsdb/ovsdb-server.c:1382:15
6 0x507987 in parse_options ovs/ovsdb/ovsdb-server.c:2659:13
7 0x507987 in main ovs/ovsdb/ovsdb-server.c:751:5

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lib/hash.c:46:22

[0] https://github.com/llvm/llvm-project/issues/90848
Signed-off-by: Ales Musil 
---
 lib/hash.c  | 2 +-
 lib/jhash.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/hash.c b/lib/hash.c
index c722f3c3c..986fa6643 100644
--- a/lib/hash.c
+++ b/lib/hash.c
@@ -43,7 +43,7 @@ hash_bytes(const void *p_, size_t n, uint32_t basis)
 if (n) {
 uint32_t tmp = 0;
 
-memcpy(, p, n);
+memcpy(, (const uint8_t *) p, n);
 hash = hash_add(hash, tmp);
 }
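Review bot: The added cast does not change what memcpy() receives, since the argument is converted to `const void *` either way, so a later reader is likely to delete it as redundant; a comment should record why it is there, e.g. `/* Cast silences a clang UBSan misaligned-pointer report; the tail bytes may be unaligned. */`. Separately, the copy is in bounds only while `n` is smaller than `sizeof tmp`, which is established before the hunk and is not visible here; `ovs_assert(n < sizeof tmp);` or a comment stating the bound would make that explicit. The jhash.c hunk below has the same two gaps with `tmp[3]`. Both function bodies start and end outside their hunks.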
 
diff --git a/lib/jhash.c b/lib/jhash.c
index c59b51b61..0a0628589 100644
--- a/lib/jhash.c
+++ b/lib/jhash.c
@@ -114,7 +114,7 @@ jhash_bytes(const void *p_, size_t n, uint32_t basis)
 uint32_t tmp[3];
 
 tmp[0] = tmp[1] = tmp[2] = 0;
-memcpy(tmp, p, n);
+memcpy(tmp, (const uint8_t *) p, n);
 a += tmp[0];
 b += tmp[1];
 c += tmp[2];
-- 
2.44.0



Re: [ovs-dev] [PATCH ovn v3] controller: Track individual address set constants.

2024-05-02 Thread Ales Musil
On Wed, May 1, 2024 at 6:38 PM Han Zhou  wrote:

>
>
> On Tue, Apr 30, 2024 at 9:56 AM Ales Musil  wrote:
> >
> > Instead of tracking address set per struct expr_constant_set track it
> > per individual struct expr_constant. This allows more fine grained
> > control for I-P processing of address sets in controller. It helps with
> > scenarios like matching on two address sets in one expression e.g.
> > "ip4.src == {$as1, $as2}". This allows any addition or removal of
> > individual adress from the set to be incrementally processed instead
> > of reprocessing all the flows.
> >
> > This unfortunately doesn't help with the following flows:
> > "ip4.src == $as1 && ip4.dst == $as2"
> > "ip4.src == $as1 || ip4.dst == $as2"
> >
> > The memory impact should be minimal as there is only increase of 8 bytes
> > per the struct expr_constant.
> >
> > Reported-at: https://issues.redhat.com/browse/FDP-509
> > Signed-off-by: Ales Musil 
> > ---
> > v3: Rebase on top of current main.
> > Address comments from Han:
> > - Adjust the comment for "lflow_handle_addr_set_update" to include
> remaning corner cases.
> > - Make sure that the flows are consistent between I-P and recompute.
> > v2: Rebase on top of current main.
> > Adjust the comment for I-P optimization.
> > ---
> >  controller/lflow.c  |  7 ++-
> >  include/ovn/actions.h   |  2 +-
> >  include/ovn/expr.h  | 46 ++-
> >  lib/actions.c   | 20 -
> >  lib/expr.c  | 99 +
> >  tests/ovn-controller.at | 79 +---
> >  6 files changed, 153 insertions(+), 100 deletions(-)
> >
> > diff --git a/controller/lflow.c b/controller/lflow.c
> > index 760ec0b41..06e839cbe 100644
> > --- a/controller/lflow.c
> > +++ b/controller/lflow.c
> > @@ -278,7 +278,7 @@ lflow_handle_changed_flows(struct lflow_ctx_in
> *l_ctx_in,
> >  }
> >
> >  static bool
> > -as_info_from_expr_const(const char *as_name, const union expr_constant
> *c,
> > +as_info_from_expr_const(const char *as_name, const struct expr_constant
> *c,
> >  struct addrset_info *as_info)
> >  {
> >  as_info->name = as_name;
> > @@ -647,9 +647,8 @@ as_update_can_be_handled(const char *as_name, struct
> addr_set_diff *as_diff,
> >   *expressions/constants, usually because of disjunctions between
> >   *sub-expressions/constants, e.g.:
> >   *
> > + *  ip.src == $as1 && ip.dst == $as2
> >   *  ip.src == $as1 || ip.dst == $as2
> > - *  ip.src == {$as1, $as2}
> > - *  ip.src == {$as1, ip1}
> >   *
> >   *All these could have been split into separate lflows.
>
> Hi Ales, thanks for v3.
>

Hi Han,


> I checked again and wondered why you mentioned that "ip.src == $as1 &&
> ip.dst == $as2" is not supported. This expression would generate
> conjunctions, which works with I-P before your change and still works. Did
> I miss anything?
>

yeah my bad, I was focused on this patch rather than what is supported
overall.


>
> In addition, since the constraints are relaxed after your change, I'd also
> update the above comments a little more, something like:
>
>*  - The sub expression of the address set is combined with other
> sub-
>*expressions/constants on different fields, e.g.:
>
>
>*
>
>
>
>
>*  ip.src == $as1 || ip.dst == $as2
>
>*
>
>*This could have been split into separate lflows.
>
>
> What do you think?
>

Sounds good, I'll post v4 with this update.


>
> Thanks,
> Han
>
> >   *
> > @@ -714,7 +713,7 @@ lflow_handle_addr_set_update(const char *as_name,
> >  if (as_diff->deleted) {
> >  struct addrset_info as_info;
> >  for (size_t i = 0; i < as_diff->deleted->n_values; i++) {
> > -union expr_constant *c = _diff->deleted->values[i];
> > +struct expr_constant *c = _diff->deleted->values[i];
> >  if (!as_info_from_expr_const(as_name, c, _info)) {
> >  continue;
> >  }
> > diff --git a/include/ovn/actions.h b/include/ovn/actions.h
> > index ae0864fdd..88cf4de79 100644
> > --- a/include/ovn/actions.h
> > +++ b/include/ovn/actions.h
> > @@ -241,7 +241,7 @@ struct ovnact_next {
> >  struct ovnact_loa

Re: [ovs-dev] [PATCH] hash, jhash: Fix unaligned access to the hash remainder.

2024-05-02 Thread Ales Musil
On Thu, May 2, 2024 at 1:22 PM Ilya Maximets  wrote:

> On 5/2/24 12:22, Ales Musil wrote:
> > The has was passed to memcpy as uin32_t *, however the hash bytes
>
> 'The has was passed' ? :)
>

Oops :)


>
> > might be unaligned at that point. Case it to uint8_t * instead
> > which has only single byte alignment requirement.
> >
> > lib/hash.c:46:22: runtime error: load of misaligned address
> 0x50700065 for type 'const uint32_t *' (aka 'const unsigned int *'),
> which requires 4 byte alignment
> > 0x50700065: note: pointer points here
> >  73 62 2e 73 6f 63 6b  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00  00
> >  ^
>
> Please, wrap these lines.
>

Ack


>
> > #0 0x6191cb in hash_bytes /workspace/ovn/ovs/lib/hash.c:46:9
> > #1 0x69d064 in hash_string /workspace/ovn/ovs/lib/hash.h:404:12
> > #2 0x69d064 in hash_name /workspace/ovn/ovs/lib/shash.c:29:12
> > #3 0x69d064 in shash_find /workspace/ovn/ovs/lib/shash.c:237:49
> > #4 0x69dada in shash_find_data /workspace/ovn/ovs/lib/shash.c:251:31
> > #5 0x507987 in add_remote
> /workspace/ovn/ovs/ovsdb/ovsdb-server.c:1382:15
> > #6 0x507987 in parse_options
> /workspace/ovn/ovs/ovsdb/ovsdb-server.c:2659:13
> > #7 0x507987 in main /workspace/ovn/ovs/ovsdb/ovsdb-server.c:751:5
> > #8 0x7f47e3997087 in __libc_start_call_main
> (/lib64/libc.so.6+0x2a087) (BuildId:
> b098f1c75a76548bb230d8f551eae07a2aeccf06)
> > #9 0x7f47e399714a in __libc_start_main@GLIBC_2.2.5
> (/lib64/libc.so.6+0x2a14a) (BuildId:
> b098f1c75a76548bb230d8f551eae07a2aeccf06)
> > #10 0x42de64 in _start
> (/workspace/ovn/ovs/ovsdb/ovsdb-server+0x42de64) (BuildId:
> 6c3f4e311556b29f84c9c4a5d6df5114dc08a12e)
> >
>
> Please, remove the '#' signs as github misinterprets them as PR/issue
> reference.  And, please, remove the unnecessary info from the trace,
> e.g. BuildId, '/workspace/ovn/' part of the paths and maybe some other
> parts of the base libc frames.
>

Ack


>
> > SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lib/hash.c:46:22
> >
> > Signed-off-by: Ales Musil 
> > ---
> >  lib/hash.c  | 2 +-
> >  lib/jhash.c | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/lib/hash.c b/lib/hash.c
> > index c722f3c3c..986fa6643 100644
> > --- a/lib/hash.c
> > +++ b/lib/hash.c
> > @@ -43,7 +43,7 @@ hash_bytes(const void *p_, size_t n, uint32_t basis)
> >  if (n) {
> >  uint32_t tmp = 0;
> >
> > -memcpy(, p, n);
> > +memcpy(, (const uint8_t *) p, n);
>
> We may accept the change, however, this looks more like a compiler
> bug to me.  memcpy() accepts void pointers, so there is already an
> implicit cast.  I didn't look into assembly, but I'd guess clang
> inlines the call and while doing that assumes the type.  I'm not
> sure it is allowed to do that.  Also, the 'n' here is always less
> than 4, so alignment should not be a problem because we can't copy
> the whole thing in a single aligned instruction (maybe there are
> instructions that can copy just 3 bytes without touching the 4th,
> but idk).
>
> Did you have a look at the asm by any chance?
>
>
As discussed offline, it doesn't inline and does the function call instead.


>
> Best regards, Ilya Maximets.
>
>
Thanks,
Ales

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH] sparse: Add additional define for sparse on GCC >= 14.

2024-05-02 Thread Ales Musil
GCC 14 renamed one of the AVX512 defines to have only single
underscore instead of two [0]. Add the single underscore define to
keep compatibility with multiple GCC versions.

[0] 
https://github.com/gcc-mirror/gcc/commit/aea8e4105553cd16799f2134d15420ccf182d732
Tested-by: Dumitru Ceara 
Signed-off-by: Ales Musil 
---
 include/sparse/immintrin.h | 4 
 1 file changed, 4 insertions(+)

diff --git a/include/sparse/immintrin.h b/include/sparse/immintrin.h
index dd742be9f..36b41d352 100644
--- a/include/sparse/immintrin.h
+++ b/include/sparse/immintrin.h
@@ -26,5 +26,9 @@
 #define _KEYLOCKERINTRIN_H_INCLUDED
 #define __AVX512FP16INTRIN_H_INCLUDED
 #define __AVX512FP16VLINTRIN_H_INCLUDED
+/* GCC >=14 changed the "__AVX512FP16INTRIN_H_INCLUDED" to have only single
+ * underscore. We need both to keep compatibility between various GCC
+ * versions. */
+#define _AVX512FP16INTRIN_H_INCLUDED
 
 #include_next 
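Review bot: Only `__AVX512FP16INTRIN_H_INCLUDED` gets a single-underscore twin, while `__AVX512FP16VLINTRIN_H_INCLUDED` on the line just above the new comment keeps the double-underscore form alone. The linked GCC commit is not visible here, so the VL header may well have kept its guard, but the comment should say so explicitly, e.g. by ending it with `The VL guard was not renamed.`, or the matching `#define _AVX512FP16VLINTRIN_H_INCLUDED` should be added. Without that, the next change to the GCC headers leaves the reader guessing which guards were actually checked.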
-- 
2.44.0



[ovs-dev] [PATCH] hash, jhash: Fix unaligned access to the hash remainder.

2024-05-02 Thread Ales Musil
The pointer was passed to memcpy as uint32_t *, however the hash bytes
might be unaligned at that point. Cast it to uint8_t * instead,
which has only a single-byte alignment requirement.

lib/hash.c:46:22: runtime error: load of misaligned address 0x50700065 for 
type 'const uint32_t *' (aka 'const unsigned int *'), which requires 4 byte 
alignment
0x50700065: note: pointer points here
 73 62 2e 73 6f 63 6b  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 
00 00 00 00 00 00  00
 ^
#0 0x6191cb in hash_bytes /workspace/ovn/ovs/lib/hash.c:46:9
#1 0x69d064 in hash_string /workspace/ovn/ovs/lib/hash.h:404:12
#2 0x69d064 in hash_name /workspace/ovn/ovs/lib/shash.c:29:12
#3 0x69d064 in shash_find /workspace/ovn/ovs/lib/shash.c:237:49
#4 0x69dada in shash_find_data /workspace/ovn/ovs/lib/shash.c:251:31
#5 0x507987 in add_remote /workspace/ovn/ovs/ovsdb/ovsdb-server.c:1382:15
#6 0x507987 in parse_options /workspace/ovn/ovs/ovsdb/ovsdb-server.c:2659:13
#7 0x507987 in main /workspace/ovn/ovs/ovsdb/ovsdb-server.c:751:5
#8 0x7f47e3997087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) 
(BuildId: b098f1c75a76548bb230d8f551eae07a2aeccf06)
#9 0x7f47e399714a in __libc_start_main@GLIBC_2.2.5 
(/lib64/libc.so.6+0x2a14a) (BuildId: b098f1c75a76548bb230d8f551eae07a2aeccf06)
#10 0x42de64 in _start (/workspace/ovn/ovs/ovsdb/ovsdb-server+0x42de64) 
(BuildId: 6c3f4e311556b29f84c9c4a5d6df5114dc08a12e)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lib/hash.c:46:22

Signed-off-by: Ales Musil 
---
 lib/hash.c  | 2 +-
 lib/jhash.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/hash.c b/lib/hash.c
index c722f3c3c..986fa6643 100644
--- a/lib/hash.c
+++ b/lib/hash.c
@@ -43,7 +43,7 @@ hash_bytes(const void *p_, size_t n, uint32_t basis)
 if (n) {
 uint32_t tmp = 0;
 
-memcpy(, p, n);
+memcpy(, (const uint8_t *) p, n);
 hash = hash_add(hash, tmp);
 }
 
diff --git a/lib/jhash.c b/lib/jhash.c
index c59b51b61..0a0628589 100644
--- a/lib/jhash.c
+++ b/lib/jhash.c
@@ -114,7 +114,7 @@ jhash_bytes(const void *p_, size_t n, uint32_t basis)
 uint32_t tmp[3];
 
 tmp[0] = tmp[1] = tmp[2] = 0;
-memcpy(tmp, p, n);
+memcpy(tmp, (const uint8_t *) p, n);
 a += tmp[0];
 b += tmp[1];
 c += tmp[2];
-- 
2.44.0



[ovs-dev] [PATCH ovn v3] controller: Track individual address set constants.

2024-04-30 Thread Ales Musil
Instead of tracking address set per struct expr_constant_set track it
per individual struct expr_constant. This allows more fine grained
control for I-P processing of address sets in controller. It helps with
scenarios like matching on two address sets in one expression e.g.
"ip4.src == {$as1, $as2}". This allows any addition or removal of
an individual address from the set to be incrementally processed instead
of reprocessing all the flows.

This unfortunately doesn't help with the following flows:
"ip4.src == $as1 && ip4.dst == $as2"
"ip4.src == $as1 || ip4.dst == $as2"

The memory impact should be minimal as there is only increase of 8 bytes
per the struct expr_constant.

Reported-at: https://issues.redhat.com/browse/FDP-509
Signed-off-by: Ales Musil 
---
v3: Rebase on top of current main.
Address comments from Han:
- Adjust the comment for "lflow_handle_addr_set_update" to include remaning 
corner cases.
- Make sure that the flows are consistent between I-P and recompute.
v2: Rebase on top of current main.
Adjust the comment for I-P optimization.
---
 controller/lflow.c  |  7 ++-
 include/ovn/actions.h   |  2 +-
 include/ovn/expr.h  | 46 ++-
 lib/actions.c   | 20 -
 lib/expr.c  | 99 +
 tests/ovn-controller.at | 79 +---
 6 files changed, 153 insertions(+), 100 deletions(-)

diff --git a/controller/lflow.c b/controller/lflow.c
index 760ec0b41..06e839cbe 100644
--- a/controller/lflow.c
+++ b/controller/lflow.c
@@ -278,7 +278,7 @@ lflow_handle_changed_flows(struct lflow_ctx_in *l_ctx_in,
 }
 
 static bool
-as_info_from_expr_const(const char *as_name, const union expr_constant *c,
+as_info_from_expr_const(const char *as_name, const struct expr_constant *c,
 struct addrset_info *as_info)
 {
 as_info->name = as_name;
@@ -647,9 +647,8 @@ as_update_can_be_handled(const char *as_name, struct 
addr_set_diff *as_diff,
  *expressions/constants, usually because of disjunctions between
  *sub-expressions/constants, e.g.:
  *
+ *  ip.src == $as1 && ip.dst == $as2
  *  ip.src == $as1 || ip.dst == $as2
- *  ip.src == {$as1, $as2}
- *  ip.src == {$as1, ip1}
  *
  *All these could have been split into separate lflows.
  *
@@ -714,7 +713,7 @@ lflow_handle_addr_set_update(const char *as_name,
 if (as_diff->deleted) {
 struct addrset_info as_info;
 for (size_t i = 0; i < as_diff->deleted->n_values; i++) {
-union expr_constant *c = _diff->deleted->values[i];
+struct expr_constant *c = _diff->deleted->values[i];
 if (!as_info_from_expr_const(as_name, c, _info)) {
 continue;
 }
diff --git a/include/ovn/actions.h b/include/ovn/actions.h
index ae0864fdd..88cf4de79 100644
--- a/include/ovn/actions.h
+++ b/include/ovn/actions.h
@@ -241,7 +241,7 @@ struct ovnact_next {
 struct ovnact_load {
 struct ovnact ovnact;
 struct expr_field dst;
-union expr_constant imm;
+struct expr_constant imm;
 };
 
 /* OVNACT_MOVE, OVNACT_EXCHANGE. */
diff --git a/include/ovn/expr.h b/include/ovn/expr.h
index c48f82398..e54edb5bf 100644
--- a/include/ovn/expr.h
+++ b/include/ovn/expr.h
@@ -368,7 +368,7 @@ bool expr_relop_from_token(enum lex_type type, enum 
expr_relop *relop);
 struct expr {
 struct ovs_list node;   /* In parent EXPR_T_AND or EXPR_T_OR if any. */
 enum expr_type type;/* Expression type. */
-char *as_name;  /* Address set name. Null if it is not an
+const char *as_name;/* Address set name. Null if it is not an
address set. */
 
 union {
@@ -505,40 +505,42 @@ enum expr_constant_type {
 };
 
 /* A string or integer constant (one must know which from context). */
-union expr_constant {
-/* Integer constant.
- *
- * The width of a constant isn't always clear, e.g. if you write "1",
- * there's no way to tell whether you mean for that to be a 1-bit constant
- * or a 128-bit constant or somewhere in between. */
-struct {
-union mf_subvalue value;
-union mf_subvalue mask; /* Only initialized if 'masked'. */
-bool masked;
-
-enum lex_format format; /* From the constant's lex_token. */
-};
+struct expr_constant {
+const char *as_name;
 
-/* Null-terminated string constant. */
-char *string;
+union {
+/* Integer constant.
+ *
+ * The width of a constant isn't always clear, e.g. if you write "1",
+ * there's no way to tell whether you mean for that to be a 1-bit
+ * constant or a 128-bit constant or somewhere in between. */
+struct {
+union mf_subvalue value;
+union mf_subv

[ovs-dev] [PATCH ovn v3] ci: Keep the container version pinned.

2024-04-30 Thread Ales Musil
The Ubuntu 24.04 brought some issues that are not really straight
forward to fix. Keep the Ubuntu version on 22.04 for now to keep
the CI working.

At the same time Fedora updated Clang to version 18, which is
throwing compilation error that need to be fixed in OvS first.

Signed-off-by: Ales Musil 
---
 utilities/containers/fedora/Dockerfile | 2 +-
 utilities/containers/ubuntu/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/utilities/containers/fedora/Dockerfile 
b/utilities/containers/fedora/Dockerfile
index bf3c293fc..9b8386aae 100755
--- a/utilities/containers/fedora/Dockerfile
+++ b/utilities/containers/fedora/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/fedora/fedora:latest
+FROM quay.io/fedora/fedora:39
 
 ARG CONTAINERS_PATH
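Review bot: `fedora:39` is still a mutable tag, so the image content can change under the CI between runs, and nothing in the file records why the pin exists or when it can be lifted. For a reproducible build I would pin the digest as well, `FROM quay.io/fedora/fedora:39@sha256:<digest-placeholder>`, and add a comment such as `# Pinned: Clang 18 compilation error must be fixed in OvS first; revisit once resolved.` so the image does not stay on a release after it stops receiving updates. The same applies to the `ubuntu:22.04` line in the second hunk of this patch.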
 
diff --git a/utilities/containers/ubuntu/Dockerfile 
b/utilities/containers/ubuntu/Dockerfile
index 1371b3f70..ac1e6a5bf 100755
--- a/utilities/containers/ubuntu/Dockerfile
+++ b/utilities/containers/ubuntu/Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.hub.docker.com/library/ubuntu:latest
+FROM registry.hub.docker.com/library/ubuntu:22.04
 
 ARG CONTAINERS_PATH
 
-- 
2.44.0



Re: [ovs-dev] [PATCH] sparse: Add immintrin.h header.

2024-04-30 Thread Ales Musil
On Tue, Apr 30, 2024 at 4:36 PM Ilya Maximets  wrote:

> Sparse doesn't understand _Float16 and some other types used by
> immintrin.h from GCC 13.  This breaks sparse builds with DPDK on
> Fedora 38+ and Ubuntu 24.04.
>
> Add another sparse-specific header to workaround the problem.  We do
> need some of the functions and types defined in these headers, so we
> can't really stab out the whole header.  Carving out the main offenders
> instead by defining the inclusion guards.
>
> This is fragile and depends on internals of immintrin and underlying
> headers, but I'm not sure what the better way to solve the issue
> would be.  This approach should be more or less portable between
> compilers, because it only defines a few specific variables.  We may
> have to add more as GCC headers change over time.
>
> This fixes the build with a following config on F38 and Ubuntu 24.04:
>
>   ./configure --enable-sparse --with-dpdk=yes --enable-Werror
>
> Signed-off-by: Ilya Maximets 
> ---
>  include/sparse/automake.mk |  1 +
>  include/sparse/immintrin.h | 30 ++
>  2 files changed, 31 insertions(+)
>  create mode 100644 include/sparse/immintrin.h
>
> diff --git a/include/sparse/automake.mk b/include/sparse/automake.mk
> index c1229870b..45e6202c5 100644
> --- a/include/sparse/automake.mk
> +++ b/include/sparse/automake.mk
> @@ -1,5 +1,6 @@
>  noinst_HEADERS += \
>  include/sparse/rte_byteorder.h \
> +include/sparse/immintrin.h \
>  include/sparse/xmmintrin.h \
>  include/sparse/arpa/inet.h \
>  include/sparse/bits/floatn.h \
> diff --git a/include/sparse/immintrin.h b/include/sparse/immintrin.h
> new file mode 100644
> index 0..dd742be9f
> --- /dev/null
> +++ b/include/sparse/immintrin.h
> @@ -0,0 +1,30 @@
> +/* Copyright (c) 2024 Red Hat, Inc.
> + *
> + * Licensed under the Apache License, Version 2.0 (the "License");
> + * you may not use this file except in compliance with the License.
> + * You may obtain a copy of the License at:
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +
> +#ifndef __CHECKER__
> +#error "Use this header only with sparse.  It is not a correct
> implementation."
> +#endif
> +
> +/* Sparse doesn't know some types used by AVX512 and some other headers.
> + * Mark those headers as already included to avoid failures.  This is
> fragile,
> + * so may need adjustments with compiler changes. */
> +#define _AVX512BF16INTRIN_H_INCLUDED
> +#define _AVX512BF16VLINTRIN_H_INCLUDED
> +#define _AVXNECONVERTINTRIN_H_INCLUDED
> +#define _KEYLOCKERINTRIN_H_INCLUDED
> +#define __AVX512FP16INTRIN_H_INCLUDED
> +#define __AVX512FP16VLINTRIN_H_INCLUDED
> +
> +#include_next 
> --
> 2.44.0
>
>
Looks good to me, thanks!

Acked-by: Ales Musil 

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


Re: [ovs-dev] [PATCH ovn v2] ci: Keep the the container version pinned.

2024-04-30 Thread Ales Musil
On Tue, Apr 30, 2024 at 3:31 PM Ales Musil  wrote:

> The Ubuntu 24.04 brought some issues that are not realyl stright
>

typo: s/realyl stright/really straight :(

forward to fix. Keep the Ubuntu version on 22.04 for now to keep
> the CI working.
>
> At the same time Fedora updated Clang to version 18, which is
> throwing compilation error that need to be fixed in OvS first.
>
> Signed-off-by: Ales Musil 
> ---
>  utilities/containers/fedora/Dockerfile | 2 +-
>  utilities/containers/ubuntu/Dockerfile | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/utilities/containers/fedora/Dockerfile
> b/utilities/containers/fedora/Dockerfile
> index bf3c293fc..9b8386aae 100755
> --- a/utilities/containers/fedora/Dockerfile
> +++ b/utilities/containers/fedora/Dockerfile
> @@ -1,4 +1,4 @@
> -FROM quay.io/fedora/fedora:latest
> +FROM quay.io/fedora/fedora:39
>
>  ARG CONTAINERS_PATH
>
> diff --git a/utilities/containers/ubuntu/Dockerfile
> b/utilities/containers/ubuntu/Dockerfile
> index 1371b3f70..ac1e6a5bf 100755
> --- a/utilities/containers/ubuntu/Dockerfile
> +++ b/utilities/containers/ubuntu/Dockerfile
> @@ -1,4 +1,4 @@
> -FROM registry.hub.docker.com/library/ubuntu:latest
> +FROM registry.hub.docker.com/library/ubuntu:22.04
>
>  ARG CONTAINERS_PATH
>
> --
> 2.44.0
>
>

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH ovn v2] ci: Keep the the container version pinned.

2024-04-30 Thread Ales Musil
The Ubuntu 24.04 brought some issues that are not really
straightforward to fix. Keep the Ubuntu version on 22.04 for now to keep
the CI working.

At the same time Fedora updated Clang to version 18, which is
throwing compilation error that need to be fixed in OvS first.

Signed-off-by: Ales Musil 
---
 utilities/containers/fedora/Dockerfile | 2 +-
 utilities/containers/ubuntu/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/utilities/containers/fedora/Dockerfile 
b/utilities/containers/fedora/Dockerfile
index bf3c293fc..9b8386aae 100755
--- a/utilities/containers/fedora/Dockerfile
+++ b/utilities/containers/fedora/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/fedora/fedora:latest
+FROM quay.io/fedora/fedora:39
 
 ARG CONTAINERS_PATH
 
diff --git a/utilities/containers/ubuntu/Dockerfile 
b/utilities/containers/ubuntu/Dockerfile
index 1371b3f70..ac1e6a5bf 100755
--- a/utilities/containers/ubuntu/Dockerfile
+++ b/utilities/containers/ubuntu/Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.hub.docker.com/library/ubuntu:latest
+FROM registry.hub.docker.com/library/ubuntu:22.04
 
 ARG CONTAINERS_PATH
 
-- 
2.44.0



[ovs-dev] [PATCH ovn] ci: Keep the Ubuntu container on 22.04.

2024-04-30 Thread Ales Musil
The Ubuntu 24.04 brought some issues that are not really
straightforward to fix. Keep the Ubuntu version on 22.04 for now to keep
the CI working.

Signed-off-by: Ales Musil 
---
 utilities/containers/ubuntu/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utilities/containers/ubuntu/Dockerfile 
b/utilities/containers/ubuntu/Dockerfile
index 1371b3f70..ac1e6a5bf 100755
--- a/utilities/containers/ubuntu/Dockerfile
+++ b/utilities/containers/ubuntu/Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.hub.docker.com/library/ubuntu:latest
+FROM registry.hub.docker.com/library/ubuntu:22.04
 
 ARG CONTAINERS_PATH
 
-- 
2.44.0



Re: [ovs-dev] [PATCH ovn v2] controller: Track individual address set constants.

2024-04-30 Thread Ales Musil
On Mon, Apr 29, 2024 at 11:01 PM Han Zhou  wrote:

> On Fri, Apr 12, 2024 at 8:20 AM Ales Musil  wrote:
> >
> > Instead of tracking address set per struct expr_constant_set track it
> > per individual struct expr_constant. This allows more fine grained
> > control for I-P processing of address sets in controller. It helps with
> > scenarios like matching on two address sets in one expression e.g.
> > "ip4.src == {$as1, $as2}". This allows any addition or removal of
> > individual adress from the set to be incrementally processed instead
> > of reprocessing all the flows.
> >
> > This unfortunately doesn't help with the following flows:
> > "ip4.src == $as1 && ip4.dst == $as2"
> > "ip4.src == $as1 || ip4.dst == $as2"
> >
> > The memory impact should be minimal as there is only increase of 8 bytes
> > per the struct expr_constant.
> >
> > Reported-at: https://issues.redhat.com/browse/FDP-509
> > Signed-off-by: Ales Musil 
> > ---
> > v2: Rebase on top of current main.
> > Adjust the comment for I-P optimization.
>
> Thanks Ales for v2, and sorry for taking so long to review. Please see my
> comments below.
>
>
Hi Han,

thank you for the review.


>
> > ---
> >  controller/lflow.c  |  4 +-
> >  include/ovn/actions.h   |  2 +-
> >  include/ovn/expr.h  | 46 ++-
> >  lib/actions.c   | 20 -
> >  lib/expr.c  | 98 -
> >  tests/ovn-controller.at | 14 +++---
> >  6 files changed, 84 insertions(+), 100 deletions(-)
> >
> > diff --git a/controller/lflow.c b/controller/lflow.c
>
> In lflow.c, I noticed that the comments for the function
> lflow_handle_addr_set_update needs to be updated, because these are not
> true any more, and also better to mention what's still not supported such
> as the examples in your commit message.
> 
>  *  - The sub expression of the address set is combined with other
> sub-
>  *expressions/constants, usually because of disjunctions between
>
>  *sub-expressions/constants, e.g.:
>  *
>  *  ip.src == $as1 || ip.dst == $as2
>
>  *  ip.src == {$as1, $as2}
>
>  *  ip.src == {$as1, ip1}
>
>  *
>  *All these could have been split into separate lflows.
> 
>

Good point, I'll update that comment in v3 to reflect this.


>
> > index 895d17d19..730dc879d 100644
> > --- a/controller/lflow.c
> > +++ b/controller/lflow.c
> > @@ -278,7 +278,7 @@ lflow_handle_changed_flows(struct lflow_ctx_in
> *l_ctx_in,
> >  }
> >
> >  static bool
> > -as_info_from_expr_const(const char *as_name, const union expr_constant
> *c,
> > +as_info_from_expr_const(const char *as_name, const struct expr_constant
> *c,
> >  struct addrset_info *as_info)
> >  {
> >  as_info->name = as_name;
> > @@ -714,7 +714,7 @@ lflow_handle_addr_set_update(const char *as_name,
> >  if (as_diff->deleted) {
> >  struct addrset_info as_info;
> >  for (size_t i = 0; i < as_diff->deleted->n_values; i++) {
> > -union expr_constant *c = _diff->deleted->values[i];
> > +struct expr_constant *c = _diff->deleted->values[i];
> >  if (!as_info_from_expr_const(as_name, c, _info)) {
> >  continue;
> >  }
> > diff --git a/include/ovn/actions.h b/include/ovn/actions.h
> > index 8e794450c..39c62bb66 100644
> > --- a/include/ovn/actions.h
> > +++ b/include/ovn/actions.h
> > @@ -238,7 +238,7 @@ struct ovnact_next {
> >  struct ovnact_load {
> >  struct ovnact ovnact;
> >  struct expr_field dst;
> > -union expr_constant imm;
> > +struct expr_constant imm;
> >  };
> >
> >  /* OVNACT_MOVE, OVNACT_EXCHANGE. */
> > diff --git a/include/ovn/expr.h b/include/ovn/expr.h
> > index c48f82398..e54edb5bf 100644
> > --- a/include/ovn/expr.h
> > +++ b/include/ovn/expr.h
> > @@ -368,7 +368,7 @@ bool expr_relop_from_token(enum lex_type type, enum
> expr_relop *relop);
> >  struct expr {
> >  struct ovs_list node;   /* In parent EXPR_T_AND or EXPR_T_OR if
> any. */
> >  enum expr_type type;/* Expression type. */
> > -char *as_name;  /* Address set name. Null if it is not
> an
> > +const char *as_name;/* Address set name. Null if it is not
> an
> > 

Re: [ovs-dev] [PATCH] tc: Fix -Wgnu-variable-sized-type-not-at-end warning with Clang 18.

2024-04-30 Thread Ales Musil
On Fri, Apr 26, 2024 at 7:44 PM Ilya Maximets  wrote:

> Clang 18.1.3-2.fc41 throws a warning:
>
>   lib/tc.c:3060:25: error: field 'sel' with variable sized type
> 'struct tc_pedit_sel' not at the end of a struct or class is a
> GNU extension [-Werror,-Wgnu-variable-sized-type-not-at-end]
>
>3060 | struct tc_pedit sel;
> | ^
>
> Refactor the structure into a proper union to avoid the build failure.
>
> Interestingly, clang 18.1.3-2.fc41 on Fedora throws a warning, but
> relatively the same version 18.1.3 (1) on Ubuntu 23.04 does not.
>
> Signed-off-by: Ilya Maximets 
> ---
>  lib/tc.c | 22 +++---
>  1 file changed, 11 insertions(+), 11 deletions(-)
>
> diff --git a/lib/tc.c b/lib/tc.c
> index e9bcae4e4..e55ba3b1b 100644
> --- a/lib/tc.c
> +++ b/lib/tc.c
> @@ -3056,17 +3056,17 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf
> *request,
>   struct tc_action *action,
>   uint32_t action_pc)
>  {
> -struct {
> +union {
>  struct tc_pedit sel;
> -struct tc_pedit_key keys[MAX_PEDIT_OFFSETS];
> -struct tc_pedit_key_ex keys_ex[MAX_PEDIT_OFFSETS];
> -} sel = {
> -.sel = {
> -.nkeys = 0
> -}
> -};
> +uint8_t buffer[sizeof(struct tc_pedit)
> +   + MAX_PEDIT_OFFSETS * sizeof(struct tc_pedit_key)];
> +} sel;
> +struct tc_pedit_key_ex keys_ex[MAX_PEDIT_OFFSETS];
>  int i, j, err;
>
> +memset(, 0, sizeof sel);
> +memset(keys_ex, 0, sizeof keys_ex);
> +
>  for (i = 0; i < ARRAY_SIZE(flower_pedit_map); i++) {
>  struct flower_key_to_pedit *m = _pedit_map[i];
>  struct tc_pedit_key *pedit_key = NULL;
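Review bot: The new `buffer` member is the only thing that reserves storage behind the variable-sized tail of `struct tc_pedit`, yet the union carries no comment saying so, and the write index used in the next hunk (`[sel.sel.nkeys]`) depends on it. I would add a comment on the union such as `/* 'buffer' reserves room for MAX_PEDIT_OFFSETS keys after 'sel'; sel.nkeys must never exceed that. */`. The bound check that keeps `sel.sel.nkeys` below MAX_PEDIT_OFFSETS is not visible in these hunks (presumably it is the branch ending in `return EOPNOTSUPP`), so it is worth confirming that it still runs before both the key write and the `keys_ex[]` write. The function body starts and ends outside this hunk.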
> @@ -3100,8 +3100,8 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf
> *request,
>  return EOPNOTSUPP;
>  }
>
> -pedit_key = [sel.sel.nkeys];
> -pedit_key_ex = _ex[sel.sel.nkeys];
> +pedit_key = [sel.sel.nkeys];
> +pedit_key_ex = _ex[sel.sel.nkeys];
>  pedit_key_ex->cmd = TCA_PEDIT_KEY_EX_CMD_SET;
>  pedit_key_ex->htype = m->htype;
>  pedit_key->off = cur_offset;
> @@ -3121,7 +3121,7 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf
> *request,
>  }
>  }
>  }
> -nl_msg_put_act_pedit(request, , sel.keys_ex,
> +nl_msg_put_act_pedit(request, , keys_ex,
>   flower->csum_update_flags ? TC_ACT_PIPE :
> action_pc);
>
>  return 0;
> --
> 2.44.0
>
>
>
Looks good to me, thanks.

Acked-by: Ales Musil 

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


Re: [ovs-dev] [PATCH] tests: Fix build failure with Clang 18 due to -Wformat-truncation.

2024-04-30 Thread Ales Musil
On Fri, Apr 26, 2024 at 6:35 PM Ilya Maximets  wrote:

> Cirrus CI is broken on FreeBSD 13.3 due to clang version update.
> It now complains about snprintf truncation the same way GCC does:
>
>   tests/test-util.c:1129:16: error: 'snprintf' will always be truncated;
>   specified size is 5, but format string expands to at least 6
>   [-Werror,-Wformat-truncation]
>
>   1129 | ovs_assert(snprintf(s, 5, "abcde") == 5);
>|^
>
> Clang 17 on FreeBSD 14.0 works fine, but new Clang 18.1.4 on 13.3
> fails to build.
>
> Fix that by disabling Clang diagnostic the same way as we do for GCC.
>
> Unfortunately, the pragma's are compiler-specific, so cannot be
> combined, AFAIK.
>
> Signed-off-by: Ilya Maximets 
> ---
>  tests/test-util.c | 13 ++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/tests/test-util.c b/tests/test-util.c
> index 7d899fbbf..5d88d38f2 100644
> --- a/tests/test-util.c
> +++ b/tests/test-util.c
> @@ -1116,12 +1116,16 @@ test_snprintf(struct ovs_cmdl_context *ctx
> OVS_UNUSED)
>  {
>  char s[16];
>
> +/* GCC 7+ and Clang 18+ warn about the following calls that truncate
> + * a string using snprintf().  We're testing that truncation works
> + * properly, so temporarily disable the warning. */
>  #if __GNUC__ >= 7
> -/* GCC 7+ warns about the following calls that truncate a string using
> - * snprintf().  We're testing that truncation works properly, so
> - * temporarily disable the warning. */
>  #pragma GCC diagnostic push
>  #pragma GCC diagnostic ignored "-Wformat-truncation"
> +#endif
> +#if __clang_major__ >= 18
> +#pragma clang diagnostic push
> +#pragma clang diagnostic ignored "-Wformat-truncation"
>  #endif
>  ovs_assert(snprintf(s, 4, "abcde") == 5);
>  ovs_assert(!strcmp(s, "abc"));
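Review bot: The added `#if __clang_major__ >= 18` tests a macro that only Clang defines; on other compilers it silently evaluates to 0, which works but would trip `-Wundef` if the build ever enables it. `#if defined(__clang__) && __clang_major__ >= 18` states the intent and is safe either way, and the same applies to the matching `pop` guard in the second hunk. The comment could also say that the suppression is scoped by push/pop to the truncating calls only, so nobody widens it later. test_snprintf's body continues outside the hunk.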
> @@ -1130,6 +1134,9 @@ test_snprintf(struct ovs_cmdl_context *ctx
> OVS_UNUSED)
>  ovs_assert(!strcmp(s, "abcd"));
>  #if __GNUC__ >= 7
>  #pragma GCC diagnostic pop
> +#endif
> +#if __clang_major__ >= 18
> +#pragma clang diagnostic pop
>  #endif
>
>  ovs_assert(snprintf(s, 6, "abcde") == 5);
> --
> 2.44.0
>
>
>
Looks good to me, thanks.

Acked-by: Ales Musil 
-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


Re: [ovs-dev] [PATCH ovn] ci: Fix OPTS not being passed to OSX builds.

2024-04-25 Thread Ales Musil
On Thu, Apr 25, 2024 at 4:44 PM  wrote:

> From: Numan Siddique 
>
> OSX job is failing with the below error even though the job
> disables SSL.
> 
> ld: library 'ssl' not found
> 
> Passing OPTS to the OSX build fixes this issue.
>
> This issue is already addressed in ovs [1].
>
> [1] -
> https://github.com/openvswitch/ovs/commit/2f34475a9708617eaa484044a5b485980b734b38
>
> Signed-off-by: Numan Siddique 
> ---
>  .ci/osx-build.sh | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/.ci/osx-build.sh b/.ci/osx-build.sh
> index 4b78b66dd1..3fcc801e7f 100755
> --- a/.ci/osx-build.sh
> +++ b/.ci/osx-build.sh
> @@ -19,7 +19,7 @@ function configure_ovn()
>  ./boot.sh && ./configure $*
>  }
>
> -configure_ovn $EXTRA_OPTS $*
> +configure_ovn $EXTRA_OPTS $OPTS $*
>
>  if [ "$CC" = "clang" ]; then
>  set make CFLAGS="$CFLAGS -Wno-error=unused-command-line-argument"
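Review bot: `$*` on the changed line joins and re-splits the script's arguments, so an argument containing whitespace or a glob character reaches configure as several words. `configure_ovn $EXTRA_OPTS $OPTS "$@"` keeps the caller's arguments intact while still letting EXTRA_OPTS and OPTS split into separate options. The function body in the context lines uses `$*` the same way (`./configure $*`), so both places would need `"$@"` for the change to take effect. A one-line comment that OPTS presumably carries the SSL-disabling configure flags would explain why the variable matters here.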
> --
> 2.44.0
>
>
>

Looks good to me, thanks.

Acked-by: Ales Musil 
-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH ovn v4] controller: Allow br-int connection via other methods.

2024-04-25 Thread Ales Musil
The br-int connection is hardcoded to use unix socket, which requires
for the socket to be visible for ovn-controller. This is achievable in
container by mounting the socket, but in turn the container requires
additional privileges.

Add option to vswitchd external-ids that allows to specify remote
target for management bridge. This gives the user possibility to
connect to management bridge in different manner than unix socket,
defaulting to the unix socket when not specified. In addition, there
is an option to specify inactivity probe for this connection, disabled
by default.

Reported-at: https://issues.redhat.com/browse/FDP-243
Signed-off-by: Ales Musil 
---
v4: Rebase on top of current main.
v3: Rebase on top of current main.
Fix the copy-paste error in ovn-controller documentation.
v2: Rebase on top of current main.
Make the probe interval accept milliseconds to be aligned with other probe 
intervals.
Use external-ids instead of options for the ovn-controller.
---
 NEWS|  6 +++
 controller/ofctrl.c | 10 +
 controller/ofctrl.h |  5 ++-
 controller/ovn-controller.8.xml | 15 
 controller/ovn-controller.c | 59 +++--
 controller/pinctrl.c| 56 ++--
 controller/pinctrl.h|  6 ++-
 controller/statctrl.c   | 66 ++---
 controller/statctrl.h   |  3 +-
 include/ovn/features.h  |  2 +-
 lib/features.c  | 35 +
 lib/ovn-util.c  | 26 +
 lib/ovn-util.h  |  4 ++
 lib/test-ovn-features.c |  6 +--
 tests/ovn-controller.at | 46 +++
 15 files changed, 194 insertions(+), 151 deletions(-)

diff --git a/NEWS b/NEWS
index 3b5e93dc9..4e15f31c8 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,12 @@ Post v24.03.0
 external-ids, the option is no longer needed as it became effectively
 "true" for all scenarios.
   - Added DHCPv4 relay support.
+  - Add "ovn-bridge-remote" config option to vswitchd external-ids,
+that allows to specify connection method to management bridge for
+ovn-controller, defaulting to the unix socket.
+  - Add "ovn-bridge-remote-probe-interval" config option to vswitchd
+external-ids, that sets probe interval for integration bridge connection,
+disabled by default.
 
 OVN v24.03.0 - 01 Mar 2024
 --
diff --git a/controller/ofctrl.c b/controller/ofctrl.c
index 6a2564604..9d181a782 100644
--- a/controller/ofctrl.c
+++ b/controller/ofctrl.c
@@ -771,19 +771,13 @@ ofctrl_get_mf_field_id(void)
  * Returns 'true' if an OpenFlow reconnect happened; 'false' otherwise.
  */
 bool
-ofctrl_run(const struct ovsrec_bridge *br_int,
+ofctrl_run(const char *conn_target, int probe_interval,
const struct ovsrec_open_vswitch_table *ovs_table,
struct shash *pending_ct_zones)
 {
-char *target = xasprintf("unix:%s/%s.mgmt", ovs_rundir(), br_int->name);
 bool reconnected = false;
 
-if (strcmp(target, rconn_get_target(swconn))) {
-VLOG_INFO("%s: connecting to switch", target);
-rconn_connect(swconn, target, target);
-}
-free(target);
-
+ovn_update_swconn_at(swconn, conn_target, probe_interval, "ofctrl");
 rconn_run(swconn);
 
 if (!rconn_is_connected(swconn) || !pending_ct_zones) {
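Review bot: With `conn_target` now taken from configuration instead of being built as `unix:<rundir>/<br-int>.mgmt`, the OpenFlow channel to the integration bridge is no longer guaranteed to stay on a local socket protected by file permissions. The hunk does not show which target schemes `ovn_update_swconn_at()` accepts, but if plain `tcp:` is allowed the flow-programming connection would be unauthenticated and unencrypted, so the NEWS entry and the ovn-controller.8.xml text should say that non-unix targets are expected to use `ssl:` or a network trusted to the same degree as the host. The removed `VLOG_INFO("%s: connecting to switch", target)` was also the only visible record of which target is in use; confirm that the helper still logs it, since a changed target is worth seeing in the log. ofctrl_run's body continues outside the hunk.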
diff --git a/controller/ofctrl.h b/controller/ofctrl.h
index 502c73da6..7df0a24ea 100644
--- a/controller/ofctrl.h
+++ b/controller/ofctrl.h
@@ -50,8 +50,9 @@ struct ovn_desired_flow_table {
 /* Interface for OVN main loop. */
 void ofctrl_init(struct ovn_extend_table *group_table,
  struct ovn_extend_table *meter_table);
-bool ofctrl_run(const struct ovsrec_bridge *br_int,
-const struct ovsrec_open_vswitch_table *,
+
+bool ofctrl_run(const char *conn_target, int probe_interval,
+const struct ovsrec_open_vswitch_table *ovs_table,
 struct shash *pending_ct_zones);
 enum mf_field_id ofctrl_get_mf_field_id(void);
 void ofctrl_put(struct ovn_desired_flow_table *lflow_table,
diff --git a/controller/ovn-controller.8.xml b/controller/ovn-controller.8.xml
index 85e7966d7..b6404a19d 100644
--- a/controller/ovn-controller.8.xml
+++ b/controller/ovn-controller.8.xml
@@ -378,6 +378,21 @@
 cap for the exponential backoff used by ovn-controller
 to send GARPs packets.
   
+  external_ids:ovn-bridge-remote
+  
+
+  Connection to the OVN management bridge in OvS. It defaults to
+  unix:br-int.mgmt when not specified.
+
+  
+  external_ids:ovn-bridge-remote-probe-interval
+  
+
+  The inactivity probe interval of the connection to the OVN management
+  bridge, in milliseconds.
+  If the value is zero, it disables t

Re: [ovs-dev] [PATCH ovn] tests: Fix netcat 7.94 issues.

2024-04-23 Thread Ales Musil
On Tue, Apr 23, 2024 at 11:26 AM  wrote:

> Thanks Dumitru,
> I didn't noticed that the patch was applied while I was typing my
> message :D
>
> Overall I think it's fine if it stays as it was proposed by Ales. I
> just wanted  to raise a very fringe concern that perhaps using two
> separate UDP servers could mask some underlying issue and if there's a
> way to consistently reproduce failures of this test, I'd be happy to
> take a look at it.
>

Hi Martin,

so I doubt that this is some hidden issue because the listening netcat is
really closed after the first connection, as this is not the first time I
have encountered this. However for transparency I have included logs from
both runs [0]. And you can reproduce it very easily just getting netcat
7.94 or running the tests with the Fedora container should be enough.


>
>
> On Tue, 2024-04-23 at 11:15 +0200, Dumitru Ceara wrote:
> > On 4/23/24 11:12, martin.kal...@canonical.com wrote:
> > > Hi Ales,
> > > Sorry that these new tests are causing problems. Just out of
> > > curiosity,
> > > do you have link to some failing test runs? I'll add few thoughts
> > > below.
> > >
> > > On Tue, 2024-04-23 at 09:41 +0200, Ales Musil wrote:
> > > > The netcat 7.94 allows multiple connections over udp (-k/--keep-
> > > > open)
> > > > [0],
> > > > without this option the connection can be closed "unexpctedly".
> > > > This
> > > > to keep the test backward compatible make new servers for every
> > > > UDP
> > > > connection.
> > > >
> > > > The second issue is that netcat is attempting to listen on IPv4
> > > > when
> > > > the there isn't any server address specified and fails to do so.
> > > > Add
> > > > -6 flag to indicate that this is pure IPv6 connection.
> > > >
> > > > [0]
> > > >
> https://github.com/nmap/nmap/commit/4e6c8feb153c0c9ff8a68cd841669d650319ab45
> > > > Fixes: 40136a2f2c84 ("northd: Fix direct access to SNAT
> > > > network.")
> > > > Signed-off-by: Ales Musil 
> > > > ---
> > > >  tests/system-ovn.at | 14 +++---
> > > >  1 file changed, 11 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> > > > index 41c051c1e..6dcdb45d1 100644
> > > > --- a/tests/system-ovn.at
> > > > +++ b/tests/system-ovn.at
> > > > @@ -3582,7 +3582,6 @@ test_connectivity_from_ext() {
> > > >  local ip=$1; shift
> > > >
> > > >  # Start listening daemons for UDP and TCP connections
> > >
> > > nit: Comment above should be adjusted to reflect that UDP server is
> > > no
> > > longer started here.
> > >
> >
> > I forgot to mention in my previous email that I had fixed this up.
> > Same
> > for the other comment.
> >
> > > > -NETNS_DAEMONIZE($vm, [nc -l -u 1234], [nc-$vm-$ip-udp.pid])
> > > >  NETNS_DAEMONIZE($vm, [nc -l -k 1235], [nc-$vm-$ip-tcp.pid])
> > > >
> > > >  # Ensure that vm can be pinged on the specified IP
> > > > @@ -3592,8 +3591,13 @@ test_connectivity_from_ext() {
> > > >  ])
> > > >
> > > >  # Perform two consecutive UDP connections to the specified
> > > > IP
> > > > +NETNS_DAEMONIZE($vm, [nc -l -u 1234], [nc-$vm-$ip-udp.pid])
> > > >  NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
> > > > +kill $(cat nc-$vm-$ip-udp.pid)
> > > > +
> > > > +NETNS_DAEMONIZE($vm, [nc -l -u 1234], [nc-$vm-$ip-udp.pid])
> > > >  NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
> > > > +kill $(cat nc-$vm-$ip-udp.pid)
> > >
> > > In the original tests, the two separate, consecutive, client
> > > connections used same source port, which should ensure that the
> > > test
> > > passes even without the '-k' option. This should work because a
> > > socket
> > > is opened (and kept alive) between source IP:PORT and destination
> > > IP:PORT on the server side. So if two client processes use the same
> > > source port, to the server it just looks like a single client
> > > sending
> > > two datagrams.
> > >
> > > The reason why I decided to go with two consecutive client
> > > connections
> > > is that inlining script for a single 'nc' process to send two
> > > mess

[ovs-dev] [PATCH ovn] tests: Fix netcat 7.94 issues.

2024-04-23 Thread Ales Musil
The netcat 7.94 allows multiple connections over UDP (-k/--keep-open) [0];
without this option the connection can be closed "unexpectedly". To keep
the test backward compatible, start a new server for every UDP
connection.

The second issue is that netcat attempts to listen on IPv4 when
there isn't any server address specified and fails to do so. Add the
-6 flag to indicate that this is a pure IPv6 connection.

[0] https://github.com/nmap/nmap/commit/4e6c8feb153c0c9ff8a68cd841669d650319ab45
Fixes: 40136a2f2c84 ("northd: Fix direct access to SNAT network.")
Signed-off-by: Ales Musil 
---
 tests/system-ovn.at | 14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index 41c051c1e..6dcdb45d1 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -3582,7 +3582,6 @@ test_connectivity_from_ext() {
 local ip=$1; shift
 
 # Start listening daemons for UDP and TCP connections
-NETNS_DAEMONIZE($vm, [nc -l -u 1234], [nc-$vm-$ip-udp.pid])
 NETNS_DAEMONIZE($vm, [nc -l -k 1235], [nc-$vm-$ip-tcp.pid])
 
 # Ensure that vm can be pinged on the specified IP
@@ -3592,8 +3591,13 @@ test_connectivity_from_ext() {
 ])
 
 # Perform two consecutive UDP connections to the specified IP
+NETNS_DAEMONIZE($vm, [nc -l -u 1234], [nc-$vm-$ip-udp.pid])
 NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
+kill $(cat nc-$vm-$ip-udp.pid)
+
+NETNS_DAEMONIZE($vm, [nc -l -u 1234], [nc-$vm-$ip-udp.pid])
 NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
+kill $(cat nc-$vm-$ip-udp.pid)
 
 # Send data over TCP connection to the specified IP
 NS_CHECK_EXEC([alice1], [echo "TCP test" | nc --send-only $ip 1235])
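Review bot: `kill $(cat nc-$vm-$ip-udp.pid)` returns as soon as the signal is sent, so the next `NETNS_DAEMONIZE($vm, [nc -l -u 1234], ...)` can run while the old listener still holds port 1234 and fail to bind, which would make the test flaky in a new way. Waiting for the process to exit closes that window, e.g. `pid=$(cat nc-$vm-$ip-udp.pid); kill $pid` followed by `OVS_WAIT_WHILE([kill -0 $pid 2>/dev/null])`. The same pattern is repeated in the IPv6 variant of test_connectivity_from_ext in the last hunk of this patch. test_connectivity_from_ext starts outside this hunk.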
@@ -3781,8 +3785,7 @@ test_connectivity_from_ext() {
 local ip=$1; shift
 
 # Start listening daemons for UDP and TCP connections
-NETNS_DAEMONIZE($vm, [nc -l -u 1234], [nc-$vm-$ip-udp.pid])
-NETNS_DAEMONIZE($vm, [nc -l -k 1235], [nc-$vm-$ip-tcp.pid])
+NETNS_DAEMONIZE($vm, [nc -6 -l -k 1235], [nc-$vm-$ip-tcp.pid])
 
 # Ensure that vm can be pinged on the specified IP
 NS_CHECK_EXEC([alice1], [ping -q -c 3 -i 0.3 -w 2 $ip | FORMAT_PING], \
@@ -3791,8 +3794,13 @@ test_connectivity_from_ext() {
 ])
 
 # Perform two consecutive UDP connections to the specified IP
+NETNS_DAEMONIZE($vm, [nc -6 -l -u 1234], [nc-$vm-$ip-udp.pid])
 NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
+kill $(cat nc-$vm-$ip-udp.pid)
+
+NETNS_DAEMONIZE($vm, [nc -6 -l -u 1234], [nc-$vm-$ip-udp.pid])
 NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
+kill $(cat nc-$vm-$ip-udp.pid)
 
 # Send data over TCP connection to the specified IP
 NS_CHECK_EXEC([alice1], [echo "TCP test" | nc --send-only $ip 1235])
-- 
2.44.0



Re: [ovs-dev] [PATCH ovn v5] northd, controller: Use paused controller action for packet buffering.

2024-04-22 Thread Ales Musil
On Fri, Apr 19, 2024 at 6:38 PM Numan Siddique  wrote:

>
>
> On Fri, Apr 19, 2024 at 7:09 AM Ales Musil  wrote:
>
>> The current packet injection loses ct_state in the process. When
>> the ct_state is lost we might commit to DNAT zone and perform
>> zero SNAT after the packet injection. This causes the first session
>> to be wrong as the reply packets are not unDNATted.
>>
>> Instead of re-injecting the packet back into the pipeline when
>> we get the MAC binding, use paused controller action. The paused
>> controller action stores ct_state, which is important for the behavior
>> of the resumed packet.
>>
>> At the same time bump the OvS submodule latest branch-3.3. This is
>> mainly for [0], which fixes metering for paused controller actions.
>>
>> In order to make sure that the paused action works during upgrade add
>> the output implicitly. Once the upgrade is done northd will create option
>> to inform controllers that the implicit action is no longer needed.
>>
>> [0] c560f6ca3257 ("ofproto-dpif-xlate: Fix continuations with associated
>> metering.")
>>
>> Reported-at: https://issues.redhat.com/browse/FDP-439
>> Signed-off-by: Ales Musil 
>> ---
>> v5: Rebase on top of current main.
>> v4: Fix copy paste error in the global_handler.
>> v3: Rebase on top of current main.
>> Add flag to ensure that the paused action works during upgrade.
>> v2: Fix the Jira link and add ack from Mark.
>>
>
> Thanks.  I applied this patch to the main.
> It doesn't apply cleanly to branch-24.03.  Please submit a backport patch
> for branches - 24.03 and 23.09.
>

Forgot to reply earlier, the backports are up on ML.


> Numan
>
>
> ---
>>  controller/lflow.c  |  1 +
>>  controller/lflow.h  |  1 +
>>  controller/mac-learn.c  | 30 
>>  controller/mac-learn.h  |  9 ++--
>>  controller/ovn-controller.c | 21 
>>  controller/pinctrl.c| 64 +
>>  include/ovn/actions.h   |  3 ++
>>  lib/actions.c   | 47 +-
>>  northd/en-global-config.c   |  4 ++
>>  northd/northd.c |  6 +--
>>  tests/multinode.at  |  8 
>>  tests/ovn-northd.at |  3 ++
>>  tests/ovn.at|  8 ++--
>>  tests/system-ovn.at | 95 +
>>  tests/test-ovn.c|  1 +
>>  15 files changed, 239 insertions(+), 62 deletions(-)
>>
>> diff --git a/controller/lflow.c b/controller/lflow.c
>> index 895d17d19..760ec0b41 100644
>> --- a/controller/lflow.c
>> +++ b/controller/lflow.c
>> @@ -874,6 +874,7 @@ add_matches_to_flow_table(const struct
>> sbrec_logical_flow *lflow,
>>  .collector_ids = l_ctx_in->collector_ids,
>>  .lflow_uuid = lflow->header_.uuid,
>>  .dp_key = ldp->datapath->tunnel_key,
>> +.explicit_arp_ns_output = l_ctx_in->explicit_arp_ns_output,
>>
>>  .pipeline = ingress ? OVNACT_P_INGRESS : OVNACT_P_EGRESS,
>>  .ingress_ptable = OFTABLE_LOG_INGRESS_PIPELINE,
>> diff --git a/controller/lflow.h b/controller/lflow.h
>> index 9b7ffa19c..295d004f4 100644
>> --- a/controller/lflow.h
>> +++ b/controller/lflow.h
>> @@ -130,6 +130,7 @@ struct lflow_ctx_in {
>>  bool lb_hairpin_use_ct_mark;
>>  bool localnet_learn_fdb;
>>  bool localnet_learn_fdb_changed;
>> +bool explicit_arp_ns_output;
>>  };
>>
>>  struct lflow_ctx_out {
>> diff --git a/controller/mac-learn.c b/controller/mac-learn.c
>> index 071f01b4f..0c3b60c23 100644
>> --- a/controller/mac-learn.c
>> +++ b/controller/mac-learn.c
>> @@ -199,15 +199,24 @@ ovn_fdb_add(struct hmap *fdbs, uint32_t dp_key,
>> struct eth_addr mac,
>>  /* packet buffering functions */
>>
>>  struct packet_data *
>> -ovn_packet_data_create(struct ofpbuf ofpacts,
>> -   const struct dp_packet *original_packet)
>> +ovn_packet_data_create(const struct ofputil_packet_in *pin,
>> +   const struct ofpbuf *continuation)
>>  {
>>  struct packet_data *pd = xmalloc(sizeof *pd);
>>
>> -pd->ofpacts = ofpacts;
>> -/* clone the packet to send it later with correct L2 address */
>> -pd->p = dp_packet_clone_data(dp_packet_data(original_packet),
>> - dp_packet_size(original_packet));
>> +pd->pin = (struct ofputil_packet_in) {
>> +.packet = xmemdup(pin->packet, pin->p

Re: [ovs-dev] [Patch ovn v4 2/2] northd: Fix direct access to SNAT network.

2024-04-22 Thread Ales Musil
e SNAT, DNAT and DNAT_AND_SNAT behavior with multiple
>>  # distributed gateway LRPs.
>>
>> -check ovn-sbctl chassis-add gw1 geneve 127.0.0.1
>> -check ovn-sbctl chassis-add gw2 geneve 128.0.0.1
>> -check ovn-sbctl chassis-add gw3 geneve 129.0.0.1
>> +check ovn-sbctl chassis-add gw1 geneve 127.0.0.1 \
>> +  -- set chassis gw1 other_config:ct-commit-to-zone="true"
>> +
>> +check ovn-sbctl chassis-add gw2 geneve 128.0.0.1 \
>> +  -- set chassis gw2 other_config:ct-commit-to-zone="true"
>> +
>> +check ovn-sbctl chassis-add gw3 geneve 129.0.0.1 \
>> +  -- set chassis gw3 other_config:ct-commit-to-zone="true"
>>
>>  check ovn-nbctl lr-add DR
>>  check ovn-nbctl lrp-add DR DR-S1 02:ac:10:01:00:01 172.16.1.1/24
>> @@ -7673,11 +7727,21 @@ AT_CHECK([grep lr_in_unsnat lrflows | grep
>> ct_snat | ovn_strip_lflows], [0], [dn
>>  ])
>>
>>  AT_CHECK([grep lr_out_snat lrflows | grep ct_snat | ovn_strip_lflows],
>> [0], [dnl
>> +  table=??(lr_out_snat), priority=161  , match=(ip && ip4.dst ==
>> 20.0.0.10 && inport == "DR-S1" && is_chassis_resident("cr-DR-S1")),
>> action=(ct_snat;)
>> +  table=??(lr_out_snat), priority=161  , match=(ip && ip4.dst ==
>> 20.0.0.10 && inport == "DR-S2" && is_chassis_resident("cr-DR-S2")),
>> action=(ct_snat;)
>> +  table=??(lr_out_snat), priority=161  , match=(ip && ip4.dst ==
>> 20.0.0.10 && inport == "DR-S3" && is_chassis_resident("cr-DR-S3")),
>> action=(ct_snat;)
>>table=??(lr_out_snat), priority=161  , match=(ip && ip4.src ==
>> 20.0.0.10 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") &&
>> (!ct.trk || !ct.rpl)), action=(ct_snat(172.16.1.10);)
>>table=??(lr_out_snat), priority=161  , match=(ip && ip4.src ==
>> 20.0.0.10 && outport == "DR-S2" && is_chassis_resident("cr-DR-S2") &&
>> (!ct.trk || !ct.rpl)), action=(ct_snat(10.0.0.10);)
>>table=??(lr_out_snat), priority=161  , match=(ip && ip4.src ==
>> 20.0.0.10 && outport == "DR-S3" && is_chassis_resident("cr-DR-S3") &&
>> (!ct.trk || !ct.rpl)), action=(ct_snat(192.168.0.10);)
>>  ])
>>
>> +AT_CHECK([grep lr_out_post_snat lrflows | ovn_strip_lflows], [0], [dnl
>> +  table=??(lr_out_post_snat   ), priority=0, match=(1),
>> action=(next;)
>> +  table=??(lr_out_post_snat   ), priority=161  , match=(ip && ip4.dst ==
>> 20.0.0.10 && inport == "DR-S1" && is_chassis_resident("cr-DR-S1") &&
>> ct.new), action=(ct_commit_to_zone(snat);)
>> +  table=??(lr_out_post_snat   ), priority=161  , match=(ip && ip4.dst ==
>> 20.0.0.10 && inport == "DR-S2" && is_chassis_resident("cr-DR-S2") &&
>> ct.new), action=(ct_commit_to_zone(snat);)
>> +  table=??(lr_out_post_snat   ), priority=161  , match=(ip && ip4.dst ==
>> 20.0.0.10 && inport == "DR-S3" && is_chassis_resident("cr-DR-S3") &&
>> ct.new), action=(ct_commit_to_zone(snat);)
>> +])
>> +
>>  check ovn-nbctl --wait=sb lr-nat-del DR snat 20.0.0.10
>>  AT_CHECK([ovn-sbctl dump-flows DR | grep -e lr_in_unsnat -e lr_out_snat
>> | grep ct_snat | wc -l], [0], [0
>>  ])
>> diff --git a/tests/system-ovn.at b/tests/system-ovn.at
>> index 516fb4d99..0cd121981 100644
>> --- a/tests/system-ovn.at
>> +++ b/tests/system-ovn.at
>> @@ -3574,6 +3574,39 @@ NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2
>> 10.0.0.1 | FORMAT_PING], \
>>  3 packets transmitted, 3 received, 0% packet loss, time 0ms
>>  ])
>>
>> +# test_connectivity_from_ext takes parameters 'vm' and 'ip'. It tests
>> +# icmp, udp and tcp connectivity from external network to the 'vm' on
>> +# the specified 'ip'.
>> +test_connectivity_from_ext() {
>> +local vm=$1; shift
>> +local ip=$1; shift
>> +
>> +# Start listening daemons for UDP and TCP connections
>> +NETNS_DAEMONIZE($vm, [nc -l -u 1234], [nc-$vm-$ip-udp.pid])
>> +NETNS_DAEMONIZE($vm, [nc -l -k 1235], [nc-$vm-$ip-tcp.pid])
>> +
>> +# Ensure that vm can be pinged on the specified IP
>> +NS_CHECK_EXEC([alice1], [ping -q -c 3 -i 0.3 -w 2 $ip |
>> FORMAT_PING], \
>> +[0], [dnl
>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
>> +])
>> +
>> +# Perform two consecutive UDP connections to the specified IP
>> +NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
>> +NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
>> +
>> +# Send data over TCP connection to the specified IP
>> +NS_CHECK_EXEC([alice1], [echo "TCP test" | nc --send-only $ip 1235])
>> +}
>> +
>> +# Test access from external network to the internal IP of a VM that
>> +# has also configured DNAT
>> +test_connectivity_from_ext foo1 192.168.1.2
>> +
>> +# Test access from external network to the internal IP of a VM that
>> +# does not have DNAT
>> +test_connectivity_from_ext bar1 192.168.2.2
>> +
>>  OVS_WAIT_UNTIL([
>>  total_pkts=$(cat ext-net.tcpdump | wc -l)
>>  test "${total_pkts}" = "3"
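Review bot: The two UDP steps in `test_connectivity_from_ext` assert only that `nc -u $ip 1234 -p 2000 -z` exits 0, which, as far as I can tell, does not show that the datagram reached the listener started with `nc -l -u 1234`. A silently dropped packet would probably still pass, unlike the TCP step, which needs a completed handshake. If delivery matters here, the listener's output could be captured and checked; otherwise a comment such as `# UDP: only checks that the sender sees no error, not that the datagram was delivered.` would set expectations. The same helper is added verbatim in the hunk at `@@ -3740,6 +3773,39 @@`, so the point applies there too, and defining it once would avoid the copy.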
>> @@ -3740,6 +3773,39 @@ sed -e 's/zone=[[0-9]]*/zone=/'], [0],
>> [dnl
>>
>>  
>> icmpv6,orig=(src=fd12::2,dst=fd20::2,id=,type=128,code=0),reply=(src=fd20::2,dst=fd20::1,id=,type=129,code=0),zone=
>>  ])
>>
>> +# test_connectivity_from_ext takes parameters 'vm' and 'ip'. It tests
>> +# icmp, udp and tcp connectivity from external network to the 'vm' on
>> +# the specified 'ip'.
>> +test_connectivity_from_ext() {
>> +local vm=$1; shift
>> +local ip=$1; shift
>> +
>> +# Start listening daemons for UDP and TCP connections
>> +NETNS_DAEMONIZE($vm, [nc -l -u 1234], [nc-$vm-$ip-udp.pid])
>> +NETNS_DAEMONIZE($vm, [nc -l -k 1235], [nc-$vm-$ip-tcp.pid])
>> +
>> +# Ensure that vm can be pinged on the specified IP
>> +NS_CHECK_EXEC([alice1], [ping -q -c 3 -i 0.3 -w 2 $ip |
>> FORMAT_PING], \
>> +[0], [dnl
>> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
>> +])
>> +
>> +# Perform two consecutive UDP connections to the specified IP
>> +NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
>> +NS_CHECK_EXEC([alice1], [nc -u $ip 1234 -p 2000 -z])
>> +
>> +# Send data over TCP connection to the specified IP
>> +NS_CHECK_EXEC([alice1], [echo "TCP test" | nc --send-only $ip 1235])
>> +}
>> +
>> +# Test access from external network to the internal IP of a VM that
>> +# has also configured DNAT
>> +test_connectivity_from_ext foo1 fd11::2
>> +
>> +# Test access from external network to the internal IP of a VM that
>> +# does not have DNAT
>> +test_connectivity_from_ext bar1 fd12::2
>> +
>>  OVS_APP_EXIT_AND_WAIT([ovn-controller])
>>
>>  as ovn-sb
>> @@ -3920,6 +3986,7 @@ NS_CHECK_EXEC([foo2], [ping -q -c 3 -i 0.3 -w 2
>> 172.16.1.4 | FORMAT_PING], \
>>  AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep icmp |
>> FORMAT_CT(172.16.1.1) | \
>>  sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl
>>
>>  
>> icmp,orig=(src=172.16.1.1,dst=172.16.1.4,id=,type=8,code=0),reply=(src=192.168.2.2,dst=172.16.1.1,id=,type=0,code=0),zone=
>>
>> +icmp,orig=(src=172.16.1.1,dst=192.168.2.2,id=,type=8,code=0),reply=(src=192.168.2.2,dst=172.16.1.1,id=,type=0,code=0),zone=
>>
>>  
>> icmp,orig=(src=192.168.1.3,dst=172.16.1.4,id=,type=8,code=0),reply=(src=172.16.1.4,dst=172.16.1.1,id=,type=0,code=0),zone=
>>  ])
>>
>> @@ -4088,6 +4155,7 @@ NS_CHECK_EXEC([foo2], [ping -q -c 3 -i 0.3 -w 2
>> fd20::4 | FORMAT_PING], \
>>  AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fd20::1) | \
>>  sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl
>>
>>  
>> icmpv6,orig=(src=fd11::3,dst=fd20::4,id=,type=128,code=0),reply=(src=fd20::4,dst=fd20::1,id=,type=129,code=0),zone=
>>
>> +icmpv6,orig=(src=fd20::1,dst=fd12::2,id=,type=128,code=0),reply=(src=fd12::2,dst=fd20::1,id=,type=129,code=0),zone=
>>
>>  
>> icmpv6,orig=(src=fd20::1,dst=fd20::4,id=,type=128,code=0),reply=(src=fd12::2,dst=fd20::1,id=,type=129,code=0),zone=
>>  ])
>>
>> --
>> 2.40.1
>>
>>
>
> --
> Best Regards,
> Martin Kalcok.
>

The change looks good to me, thanks!

Acked-by: Ales Musil 

[0]
https://github.com/ovn-org/ovn-kubernetes/commit/236e63c665bb60dd48dd5cc7f8ef2324a061d229

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


Re: [ovs-dev] [Patch ovn v4 1/2] actions: New action ct_commit_to_zone.

2024-04-22 Thread Ales Musil
obal_config_tracked_data {
> diff --git a/ovn-sb.xml b/ovn-sb.xml
> index 4c26c6714..ab0c37c8d 100644
> --- a/ovn-sb.xml
> +++ b/ovn-sb.xml
> @@ -1432,13 +1432,31 @@
>
>  
>
> +ct_commit_to_zone(dnat);
> +ct_commit_to_zone(snat);
> +
> +  
> +Commit the flow to the specific zone in the connection
> tracker.
> +The packet is then automatically sent to the next tables as if
> +followed by next; action. The next tables will
> +see the changes in the packet caused by the connection
> tracker.
> +  
> +
> +  
> +Note that this action is meaningful only in the Logical Router
> +Datapath as the Logical Switch Datapath does not use separate
> +connection tracking zones. Using this action in Logical Switch
> +Datapath falls back to committing the flow into the logical
> port's
> +conntrack zone.
> +  
> +
>  ct_dnat;
>  ct_dnat(IP);
>  
>
>  ct_dnat sends the packet through the DNAT zone in
>  connection tracking table to unDNAT any packet that was
> DNATed in
> -the opposite direction.  The packet is then automatically
> sent to
> +the opposite direction. The packet is then automatically sent
>

nit: Unrelated change


>  to the next tables as if followed by next;
> action.
>  The next tables will see the changes in the packet caused by
>  the connection tracker.
> @@ -1448,7 +1466,7 @@
>  DNAT zone to change the destination IP address of the packet
> to
>  the one provided inside the parentheses and commits the
> connection.
>  The packet is then automatically sent to the next tables as if
> -followed by next; action.  The next tables will
> see
> +followed by next; action. The next tables will
> see
>

nit: Same


>  the changes in the packet caused by the connection tracker.
>
>  
> diff --git a/tests/ovn.at b/tests/ovn.at
> index c8cc1d37f..1852457e1 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -1316,6 +1316,22 @@ ct_commit {
> ct_label=0x181716151413121110090807060504030201; };
>  ct_commit { ip4.dst = 192.168.0.1; };
>  Field ip4.dst is not modifiable.
>
> +# ct_commit_to_zone
> +ct_commit_to_zone(dnat);
> +encodes as ct(commit,table=oflow_in_table,zone=NXM_NX_REG13[[0..15]])
> +has prereqs ip
> +ct_commit_to_zone(snat);
> +encodes as ct(commit,table=oflow_in_table,zone=NXM_NX_REG13[[0..15]])
> +has prereqs ip
> +ct_commit_to_zone;
> +Syntax error at `;' expecting `('.
> +ct_commit_to_zone();
> +"ct_commit_to_zone" action accepts only "dnat" or "snat" parameter.
> +ct_commit_to_zone(foo);
> +"ct_commit_to_zone" action accepts only "dnat" or "snat" parameter.
> +ct_commit_to_zone(dnat;
> +Syntax error at `;' expecting `)'.
> +
>  # Legact ct_commit_v1 action.
>  ct_commit();
>  Syntax error at `(' expecting `;'.
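Review bot: The expected encodings for `ct_commit_to_zone(dnat);` and `ct_commit_to_zone(snat);` are identical, both `zone=NXM_NX_REG13[[0..15]]`, so this test would still pass if the argument were ignored or the two zones were swapped. Presumably this is the fallback to the logical port's conntrack zone that the ovn-sb.xml text in this patch describes, but nothing here says so. A comment such as `# Parsed without router context: both variants fall back to the port zone (REG13).` would make that explicit, once confirmed against the encoder. It is also worth confirming that a router-datapath test checks that dnat and snat commit to different zones, since a mix-up there would put connections into the wrong conntrack zone.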
> diff --git a/utilities/ovn-trace.c b/utilities/ovn-trace.c
> index ee086a7ae..7aa6e2ca9 100644
> --- a/utilities/ovn-trace.c
> +++ b/utilities/ovn-trace.c
> @@ -2463,24 +2463,20 @@ execute_ct_nat(const struct ovnact_ct_nat *ct_nat,
>  }
>
>  static void
> -execute_ct_commit_nat(const struct ovnact_ct_commit_nat *ct_nat,
> -  const struct ovntrace_datapath *dp, struct flow
> *uflow,
> -  enum ovnact_pipeline pipeline, struct ovs_list
> *super)
> +ct_commit_to_zone__(const struct ovnact_ct_commit_to_zone *ct_nat,
> +const struct ovntrace_datapath *dp, struct flow
> *uflow,
> +enum ovnact_pipeline pipeline, struct ovs_list *super,
> +struct ds *action)
>  {
>  struct flow ct_flow = *uflow;
> -struct ds s = DS_EMPTY_INITIALIZER;
> -
> -ds_put_cstr(, "ct_commit_nat /* assuming no"
> -" un-nat entry, so no change */");
>
>  /* ct(nat) implies ct(). */
>  if (!(ct_flow.ct_state & CS_TRACKED)) {
> -ct_flow.ct_state |= next_ct_state();
> +ct_flow.ct_state |= next_ct_state(action);
>  }
>
>  struct ovntrace_node *node = ovntrace_node_append(
> -super, OVNTRACE_NODE_TRANSFORMATION, "%s", ds_cstr());
> -ds_destroy();
> +super, OVNTRACE_NODE_TRANSFORMATION, "%s", ds_cstr(action));
>
>  /* Trace the actions in the next table. */
>  trace__(dp, _flow, ct_nat->ltable, pipeline, >subs);
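Review bot: `ct_commit_to_zone__()` keeps the parameter name `ct_nat` although its type is now `struct ovnact_ct_commit_to_zone` and it serves both actions; `ct_commit` would match the wrapper `execute_ct_commit_to_zone()` added in the next hunk. The helper also has no comment on its new `action` argument, which is handed to `next_ct_state(action)` and so is presumably extended there before `ds_cstr(action)` is used for the trace node. A one-line header such as `/* 'action' is the text for the trace node and may be appended to; the caller owns and destroys it. */` would record that contract. The function body ends in the following hunk.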
> @@ -2490,6 +2486,30 @@ execute_ct_commit_nat(const struct
> ovnact_ct_commit_nat *ct_nat,
>   * flow, not ct_flow. */
>  }
>
> +static void
> +execute_ct_commit_nat(const struct ovnact_ct_commit_to_zone *ct_nat,
> +  const struct ovntrace_datapath *dp, struct flow
> *uflow,
> +  enum ovnact_pipeline pipeline, struct ovs_list
> *super)
> +{
> +struct ds s = DS_EMPTY_INITIALIZER;
> +ds_put_cstr(, "ct_commit_nat /* assuming no"
> +" un-nat entry, so no change */");
> +ct_commit_to_zone__(ct_nat, dp, uflow, pipeline, super, );
> +ds_destroy();
> +}
> +
> +static void
> +execute_ct_commit_to_zone(const struct ovnact_ct_commit_to_zone
> *ct_commit,
> +  const struct ovntrace_datapath *dp,
> +  struct flow *uflow, enum ovnact_pipeline
> pipeline,
> +  struct ovs_list *super)
> +{
> +struct ds s = DS_EMPTY_INITIALIZER;
> +ds_put_format(, "ct_commit_to_zone(%s)",
> +  ct_commit->dnat_zone ? "dnat" : "snat");
> +ct_commit_to_zone__(ct_commit, dp, uflow, pipeline, super, );
> +ds_destroy();
> +}
>
>  static void
>  execute_ct_lb(const struct ovnact_ct_lb *ct_lb,
> @@ -3147,6 +3167,11 @@ trace_actions(const struct ovnact *ovnacts, size_t
> ovnacts_len,
>  flow_clear_conntrack(uflow);
>  break;
>
> +case OVNACT_CT_COMMIT_TO_ZONE:
> +execute_ct_commit_to_zone(ovnact_get_CT_COMMIT_TO_ZONE(a), dp,
> +  uflow, pipeline, super);
> +break;
> +
>  case OVNACT_CT_COMMIT_NAT:
>  execute_ct_commit_nat(ovnact_get_CT_COMMIT_NAT(a), dp, uflow,
>pipeline, super);
> --
> 2.40.1
>
>
With that addressed:

Acked-by: Ales Musil 

Thanks,
Ales

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

amu...@redhat.com
<https://red.ht/sig>


[ovs-dev] [PATCH ovn 3/4] controller: Merge the mac-cache and mac-learn.

2024-04-22 Thread Ales Musil
Merge mac-cache and mac-learn into a single module. Both of those
modules contained very similar functionality with some small
differences. By merging them we have a unified interface to deal
with FDB and MAC binding.

Signed-off-by: Ales Musil 
---
 controller/automake.mk  |   2 -
 controller/mac-cache.c  | 588 
 controller/mac-cache.h  | 165 +++---
 controller/mac-learn.c  | 482 -
 controller/mac-learn.h  | 145 -
 controller/ovn-controller.c | 104 +--
 controller/pinctrl.c| 165 +-
 controller/statctrl.c   |   5 +-
 8 files changed, 697 insertions(+), 959 deletions(-)
 delete mode 100644 controller/mac-learn.c
 delete mode 100644 controller/mac-learn.h

diff --git a/controller/automake.mk b/controller/automake.mk
index 2eeca718a..1b1b3aeb1 100644
--- a/controller/automake.mk
+++ b/controller/automake.mk
@@ -36,8 +36,6 @@ controller_ovn_controller_SOURCES = \
controller/ovn-controller.h \
controller/physical.c \
controller/physical.h \
-   controller/mac-learn.c \
-   controller/mac-learn.h \
controller/local_data.c \
controller/local_data.h \
controller/ovsport.h \
diff --git a/controller/mac-cache.c b/controller/mac-cache.c
index 1515e0ec2..c52f913ce 100644
--- a/controller/mac-cache.c
+++ b/controller/mac-cache.c
@@ -25,29 +25,20 @@
 
 VLOG_DEFINE_THIS_MODULE(mac_cache);
 
+#define MAX_BUFFERED_PACKETS1000
+#define BUFFER_QUEUE_DEPTH  4
+#define BUFFERED_PACKETS_TIMEOUT_MS 1
+#define BUFFERED_PACKETS_LOOKUP_MS  100
+
 static uint32_t
-mac_cache_mb_data_hash(const struct mac_cache_mb_data *mb_data);
+mac_binding_data_hash(const struct mac_binding_data *mb_data);
 static inline bool
-mac_cache_mb_data_equals(const struct mac_cache_mb_data *a,
-  const struct mac_cache_mb_data *b);
-static struct mac_cache_mac_binding *
-mac_cache_mac_binding_find(struct mac_cache_data *data,
-   const struct mac_cache_mb_data *mb_data);
-static bool
-mac_cache_mb_data_from_sbrec(struct mac_cache_mb_data *data,
-  const struct sbrec_mac_binding *mb,
-  struct ovsdb_idl_index *sbrec_pb_by_name);
+mac_binding_data_equals(const struct mac_binding_data *a,
+const struct mac_binding_data *b);
 static uint32_t
-mac_cache_fdb_data_hash(const struct mac_cache_fdb_data *fdb_data);
+fdb_data_hash(const struct fdb_data *fdb_data);
 static inline bool
-mac_cache_fdb_data_equals(const struct mac_cache_fdb_data *a,
-  const struct mac_cache_fdb_data *b);
-static bool
-mac_cache_fdb_data_from_sbrec(struct mac_cache_fdb_data *data,
-  const struct sbrec_fdb *fdb);
-static struct mac_cache_fdb *
-mac_cache_fdb_find(struct mac_cache_data *data,
-   const struct mac_cache_fdb_data *fdb_data);
+fdb_data_equals(const struct fdb_data *a, const struct fdb_data *b);
 static struct mac_cache_threshold *
 mac_cache_threshold_find(struct hmap *thresholds, const struct uuid *uuid);
 static uint64_t
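Review bot: The four limits added at the top of this hunk (`MAX_BUFFERED_PACKETS`, `BUFFER_QUEUE_DEPTH`, `BUFFERED_PACKETS_TIMEOUT_MS`, `BUFFERED_PACKETS_LOOKUP_MS`) have no comment saying what each one bounds, in which unit, or what happens to a packet once a limit is reached. Judging by the names, they cap how much traffic is held while a MAC binding is unresolved. That would make them the control that keeps unresolved traffic from growing controller memory, so the drop policy is worth stating next to the values. Something like `/* Upper bound on packets held while waiting for MAC resolution; packets beyond it are not buffered. */` above the first define would do, with the wording checked against the code that uses the constants, which is outside this hunk.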
@@ -59,6 +50,23 @@ mac_cache_threshold_remove(struct hmap *thresholds,
 static void
 mac_cache_update_req_delay(struct hmap *thresholds, uint64_t *req_delay);
 
+static struct buffered_packets *
+buffered_packets_find(struct buffered_packets_ctx *ctx,
+  const struct mac_binding_data *mb_data);
+
+static void
+buffered_packets_remove(struct buffered_packets_ctx *ctx,
+struct buffered_packets *bp);
+
+static void
+buffered_packets_db_lookup(struct buffered_packets *bp,
+   struct ds *ip, struct eth_addr *mac,
+   struct ovsdb_idl_index *sbrec_pb_by_key,
+   struct ovsdb_idl_index *sbrec_dp_by_key,
+   struct ovsdb_idl_index *sbrec_pb_by_name,
+   struct ovsdb_idl_index *sbrec_mb_by_lport_ip);
+
+/* Thresholds. */
 bool
 mac_cache_threshold_add(struct mac_cache_data *data,
 const struct sbrec_datapath_binding *dp,
@@ -113,50 +121,78 @@ mac_cache_thresholds_clear(struct mac_cache_data *data)
 }
 }
 
-void
-mac_cache_mac_binding_add(struct mac_cache_data *data,
-   const struct sbrec_mac_binding *mb,
-   struct ovsdb_idl_index *sbrec_pb_by_name)
-{
-struct mac_cache_mb_data mb_data;
-if (!mac_cache_mb_data_from_sbrec(_data, mb, sbrec_pb_by_name)) {
-return;
-}
+/* MAC binding. */
+struct mac_binding *
+mac_binding_add(struct hmap *map, struct mac_binding_data mb_data,
+long long timestamp) {
 
-struct mac_cache_mac_binding *mc_mb = mac_cache_mac_binding_find(data,
- _data);
-if (!mc_mb) {
-mc_mb = xmalloc(sizeof *mc_mb

[ovs-dev] [PATCH ovn 1/4] northd, controller: Handle tunnel_key change consistently.

2024-04-22 Thread Ales Musil
Currently the tunnel_key change for either LS/LR/LSP/LRP wasn't
handled consistently. That would lead to situations where some old
state would still be present, breaking the connection especially for
already existing FDBs and MAC bindings.

Make sure the FDB entries are up to date by removing them from DB
when there is a tunnel_key change as those entries have only tunnel_key
references (dp_key, port_key).

MAC bindings have references to the datapath and port name, instead of
removing those entries do recompute in the controller when we detect
tunnel_key change. This can be costly at scale, however the tunnel_key
is not expected to change constantly, in most cases it shouldn't change
at all.

Fixes: b337750e45be ("northd: Incremental processing of VIF changes in 'northd' 
node.")
Fixes: 425f699e2b20 ("controller: fixed potential segfault when changing 
tunnel_key and deleting ls.")
Reported-at: https://issues.redhat.com/browse/FDP-393
Signed-off-by: Ales Musil 
---
 controller/binding.c| 13 --
 controller/ovn-controller.c | 27 +++
 northd/northd.c |  7 +
 tests/ovn.at| 52 +
 4 files changed, 79 insertions(+), 20 deletions(-)

diff --git a/controller/binding.c b/controller/binding.c
index 8ac2ce3e2..0712d7030 100644
--- a/controller/binding.c
+++ b/controller/binding.c
@@ -3126,8 +3126,17 @@ delete_done:
 update_ld_peers(pb, b_ctx_out->local_datapaths);
 }
 
-handled = handle_updated_port(b_ctx_in, b_ctx_out, pb);
-if (!handled) {
+if (!handle_updated_port(b_ctx_in, b_ctx_out, pb)) {
+handled = false;
+break;
+}
+
+if (!sbrec_port_binding_is_new(pb) &&
+sbrec_port_binding_is_updated(pb,
+  SBREC_PORT_BINDING_COL_TUNNEL_KEY) &&
+get_local_datapath(b_ctx_out->local_datapaths,
+   pb->datapath->tunnel_key)) {
+handled = false;
 break;
 }
 }
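Review bot: The new `tunnel_key` check after `handle_updated_port()` sets `handled = false` with no comment, so a reader has to go to the commit message to learn that this deliberately gives up incremental handling. A short comment above the `if` would keep the reason with the code, for example `/* tunnel_key of a port on a local datapath changed: state derived from the old key is stale, so fall back to a recompute. */`. The enclosing loop and function start and end outside this hunk.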
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 23269af83..356ce881a 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -1894,7 +1894,6 @@ runtime_data_sb_datapath_binding_handler(struct 
engine_node *node OVS_UNUSED,
 engine_get_input("SB_datapath_binding", node));
 const struct sbrec_datapath_binding *dp;
 struct ed_type_runtime_data *rt_data = data;
-struct local_datapath *ld;
 
 SBREC_DATAPATH_BINDING_TABLE_FOR_EACH_TRACKED (dp, dp_table) {
 if (sbrec_datapath_binding_is_deleted(dp)) {
@@ -1902,27 +1901,19 @@ runtime_data_sb_datapath_binding_handler(struct 
engine_node *node OVS_UNUSED,
dp->tunnel_key)) {
 return false;
 }
+
+}
+
+if (sbrec_datapath_binding_is_updated(
+dp, SBREC_DATAPATH_BINDING_COL_TUNNEL_KEY) &&
+!sbrec_datapath_binding_is_new(dp)) {
 /* If the tunnel key got updated, get_local_datapath will not find
  * the ld. Use get_local_datapath_no_hash which does not
  * rely on the hash.
  */
-if (sbrec_datapath_binding_is_updated(
-dp, SBREC_DATAPATH_BINDING_COL_TUNNEL_KEY)) {
-if (get_local_datapath_no_hash(_data->local_datapaths,
-   dp->tunnel_key)) {
-return false;
-}
-}
-} else if (sbrec_datapath_binding_is_updated(
-dp, SBREC_DATAPATH_BINDING_COL_TUNNEL_KEY)
-   && !sbrec_datapath_binding_is_new(dp)) {
-/* If the tunnel key is updated, remove the entry (with a wrong
- * hash) from the map. It will be (properly) added back later.
- */
-if ((ld = get_local_datapath_no_hash(_data->local_datapaths,
- dp->tunnel_key))) {
-hmap_remove(_data->local_datapaths, >hmap_node);
-local_datapath_destroy(ld);
+if (get_local_datapath_no_hash(_data->local_datapaths,
+   dp->tunnel_key)) {
+return false;
 }
 }
 }
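Review bot: The surviving comment above `get_local_datapath_no_hash()` explains why the hash-less lookup is used but not why a hit now returns `false`. The old branch that removed the stale entry is gone, so the intent (presumably to request a full recompute instead of patching the map) deserves a line such as `/* The ld is still indexed by the old key; bail out so the data is recomputed. */`. The empty `+` line added just before the closing brace of the `is_deleted` block also looks unintentional. The handler begins and ends outside this hunk.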
diff --git a/northd/northd.c b/northd/northd.c
index 331d9c267..eda1a6823 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -4541,6 +4541,8 @@ ls_handle_lsp_changes(struct ovsdb_idl_txn *ovnsb_idl_txn,
 op->visited = true;
 continue;
 }
+
+uint32_t old_tunnel_key = op->tunnel_key;
 if (!ls_port_reinit(op, ovnsb_idl_txn, >ls_ports,
 new_nbsp, NULL,
 od, sb, ni->sbrec_mirror_tab

[ovs-dev] [PATCH ovn 4/4] controller: Use datapath key for the mac cache thresholds.

2024-04-22 Thread Ales Musil
Use datapath tunnel key instead of UUID for the mac cache threshold
handling. At the same time simplify the thresholds into single hmap.
The tunnel key is unique so there shouldn't be any overlap. Having
two thresholds per datapath is currently invalid configuration anyway.

The switch to the datapath's tunnel key requires a somewhat costly
synchronization when the tunnel key changes. However, this is fine as
the key shouldn't change very often; in some cases it won't change at
all.

Also fix wrong check in the aging tests that would ignore failure.

Signed-off-by: Ales Musil 
---
 controller/mac-cache.c  | 132 ++--
 controller/mac-cache.h  |  29 
 controller/ovn-controller.c | 105 +---
 tests/ovn.at|   4 +-
 4 files changed, 128 insertions(+), 142 deletions(-)

diff --git a/controller/mac-cache.c b/controller/mac-cache.c
index c52f913ce..d8c4e2aed 100644
--- a/controller/mac-cache.c
+++ b/controller/mac-cache.c
@@ -16,6 +16,7 @@
 #include 
 #include 
 
+#include "local_data.h"
 #include "lport.h"
 #include "mac-cache.h"
 #include "openvswitch/hmap.h"
@@ -39,11 +40,8 @@ static uint32_t
 fdb_data_hash(const struct fdb_data *fdb_data);
 static inline bool
 fdb_data_equals(const struct fdb_data *a, const struct fdb_data *b);
-static struct mac_cache_threshold *
-mac_cache_threshold_find(struct hmap *thresholds, const struct uuid *uuid);
 static uint64_t
-mac_cache_threshold_get_value_ms(const struct sbrec_datapath_binding *dp,
- enum mac_cache_type type);
+mac_cache_threshold_get_value_ms(const struct sbrec_datapath_binding *dp);
 static void
 mac_cache_threshold_remove(struct hmap *thresholds,
struct mac_cache_threshold *threshold);
@@ -67,60 +65,82 @@ buffered_packets_db_lookup(struct buffered_packets *bp,
struct ovsdb_idl_index *sbrec_mb_by_lport_ip);
 
 /* Thresholds. */
-bool
+void
 mac_cache_threshold_add(struct mac_cache_data *data,
-const struct sbrec_datapath_binding *dp,
-enum mac_cache_type type)
+const struct sbrec_datapath_binding *dp)
 {
-struct hmap *thresholds = >thresholds[type];
 struct mac_cache_threshold *threshold =
-mac_cache_threshold_find(thresholds, >header_.uuid);
+mac_cache_threshold_find(data, dp->tunnel_key);
 if (threshold) {
-return true;
+return;
 }
 
-uint64_t value = mac_cache_threshold_get_value_ms(dp, type);
+uint64_t value = mac_cache_threshold_get_value_ms(dp);
 if (!value) {
-return false;
+return;
 }
 
 threshold = xmalloc(sizeof *threshold);
-threshold->uuid = dp->header_.uuid;
+threshold->dp_key = dp->tunnel_key;
 threshold->value = value;
 threshold->dump_period = (3 * value) / 4;
 
-hmap_insert(thresholds, >hmap_node,
-uuid_hash(>header_.uuid));
-
-return true;
+hmap_insert(>thresholds, >hmap_node, dp->tunnel_key);
 }
 
-bool
+void
 mac_cache_threshold_replace(struct mac_cache_data *data,
 const struct sbrec_datapath_binding *dp,
-enum mac_cache_type type)
+const struct hmap *local_datapaths)
 {
-struct hmap *thresholds = >thresholds[type];
 struct mac_cache_threshold *threshold =
-mac_cache_threshold_find(thresholds, >header_.uuid);
+mac_cache_threshold_find(data, dp->tunnel_key);
 if (threshold) {
-mac_cache_threshold_remove(thresholds, threshold);
+mac_cache_threshold_remove(>thresholds, threshold);
+}
+
+if (!get_local_datapath(local_datapaths, dp->tunnel_key)) {
+return;
 }
 
-return mac_cache_threshold_add(data, dp, type);
+mac_cache_threshold_add(data, dp);
+}
+
+
+struct mac_cache_threshold *
+mac_cache_threshold_find(struct mac_cache_data *data, uint32_t dp_key)
+{
+struct mac_cache_threshold *threshold;
+HMAP_FOR_EACH_WITH_HASH (threshold, hmap_node, dp_key, >thresholds) {
+if (threshold->dp_key == dp_key) {
+return threshold;
+}
+}
+
+return NULL;
 }
 
 void
-mac_cache_thresholds_clear(struct mac_cache_data *data)
+mac_cache_thresholds_sync(struct mac_cache_data *data,
+  const struct hmap *local_datapaths)
 {
-for (size_t i = 0; i < MAC_CACHE_MAX; i++) {
-struct mac_cache_threshold *threshold;
-HMAP_FOR_EACH_POP (threshold, hmap_node, >thresholds[i]) {
-free(threshold);
+struct mac_cache_threshold *threshold;
+HMAP_FOR_EACH_SAFE (threshold, hmap_node, >thresholds) {
+if (!get_local_datapath(local_datapaths, threshold->dp_key)) {
+mac_cache_threshold_remove(>thresholds, threshold);
  

[ovs-dev] [PATCH ovn 2/4] controller: Rename mac_cache to to mac-cache.

2024-04-22 Thread Ales Musil
For consistency rename the mac_cache.c/.h to mac-cache.c/.h.

Signed-off-by: Ales Musil 
---
 controller/automake.mk  | 4 ++--
 controller/{mac_cache.c => mac-cache.c} | 2 +-
 controller/{mac_cache.h => mac-cache.h} | 2 +-
 controller/ovn-controller.c | 2 +-
 controller/statctrl.c   | 2 +-
 controller/statctrl.h   | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
 rename controller/{mac_cache.c => mac-cache.c} (99%)
 rename controller/{mac_cache.h => mac-cache.h} (99%)

diff --git a/controller/automake.mk b/controller/automake.mk
index a17ff0d60..2eeca718a 100644
--- a/controller/automake.mk
+++ b/controller/automake.mk
@@ -46,8 +46,8 @@ controller_ovn_controller_SOURCES = \
controller/vif-plug.c \
controller/mirror.h \
controller/mirror.c \
-   controller/mac_cache.h \
-   controller/mac_cache.c \
+   controller/mac-cache.h \
+   controller/mac-cache.c \
controller/statctrl.h \
controller/statctrl.c
 
diff --git a/controller/mac_cache.c b/controller/mac-cache.c
similarity index 99%
rename from controller/mac_cache.c
rename to controller/mac-cache.c
index 7e4feeed7..1515e0ec2 100644
--- a/controller/mac_cache.c
+++ b/controller/mac-cache.c
@@ -17,7 +17,7 @@
 #include 
 
 #include "lport.h"
-#include "mac_cache.h"
+#include "mac-cache.h"
 #include "openvswitch/hmap.h"
 #include "openvswitch/vlog.h"
 #include "ovn/logical-fields.h"
diff --git a/controller/mac_cache.h b/controller/mac-cache.h
similarity index 99%
rename from controller/mac_cache.h
rename to controller/mac-cache.h
index ea8aa7c1b..644ac8be2 100644
--- a/controller/mac_cache.h
+++ b/controller/mac-cache.h
@@ -121,4 +121,4 @@ void mac_cache_fdb_stats_run(struct ovs_list *stats_list, 
uint64_t *req_delay,
 
 void mac_cache_stats_destroy(struct ovs_list *stats_list);
 
-#endif /* controller/mac_cache.h */
+#endif /* controller/mac-cache.h */
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 356ce881a..cde45e35e 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -83,7 +83,7 @@
 #include "lib/ovn-l7.h"
 #include "hmapx.h"
 #include "mirror.h"
-#include "mac_cache.h"
+#include "mac-cache.h"
 #include "statctrl.h"
 #include "lib/dns-resolve.h"
 
diff --git a/controller/statctrl.c b/controller/statctrl.c
index 8cce97df8..cce31cce6 100644
--- a/controller/statctrl.c
+++ b/controller/statctrl.c
@@ -19,7 +19,7 @@
 #include "dirs.h"
 #include "latch.h"
 #include "lflow.h"
-#include "mac_cache.h"
+#include "mac-cache.h"
 #include "openvswitch/ofp-errors.h"
 #include "openvswitch/ofp-flow.h"
 #include "openvswitch/ofp-msgs.h"
diff --git a/controller/statctrl.h b/controller/statctrl.h
index c5cede353..f34da6bde 100644
--- a/controller/statctrl.h
+++ b/controller/statctrl.h
@@ -16,7 +16,7 @@
 #ifndef STATCTRL_H
 #define STATCTRL_H
 
-#include "mac_cache.h"
+#include "mac-cache.h"
 
 void statctrl_init(void);
 void statctrl_run(struct ovsdb_idl_txn *ovnsb_idl_txn,
-- 
2.44.0


