[ovs-dev] [PATCH net-next v5 4/8] openvswitch: Update the CT state key only after nf_conntrack_in().

Only a successful nf_conntrack_in() call can effect a connection state change, so if suffices to update the key only after the nf_conntrack_in() returns. This change is needed for the later NAT patches. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- net/openvswitch/conntrack

[ovs-dev] [PATCH net-next v5 2/8] netfilter: Factor out nf_ct_get_info().

Define a new inline function to map conntrack status to enum ip_conntrack_info. This removes the need to otherwise duplicate this code in a later patch ("openvswitch: Find existing conntrack entry after upcall."). Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- inclu

Re: [ovs-dev] [PATCH net-next v4 8/8] openvswitch: Interface with NAT.

Thanks for review, I removed these in version 5. Jarno > On Dec 10, 2015, at 11:10 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > On Tue, Dec 08, 2015 at 05:01:10PM -0800, Jarno Rajahalme wrote: >> -/* Call the helper right after nf_conntra

Re: [ovs-dev] [PATCH] flow: pass last field to miniflow_pad_to_64

Sorry Ben, I forgot about this and now I ran out of time. Jarno > On Dec 1, 2015, at 10:29 AM, Ben Pfaff wrote: > > On Tue, Dec 01, 2015 at 03:03:16PM +0900, Simon Horman wrote: >> Make miniflow_pad_to_64() a little more robust with regards to updates to >> struct flow by

Re: [ovs-dev] [PATCH] match: Add support for matching IGMP fields.

> On Dec 15, 2015, at 5:47 PM, Ben Pfaff <b...@ovn.org> wrote: > > On Mon, Dec 14, 2015 at 04:36:08PM -0800, Jarno Rajahalme wrote: >> >>> On Dec 14, 2015, at 3:12 AM, Ben Pfaff <b...@ovn.org> wrote: >>> >>> On Thu, Dec 10, 2015 at

Re: [ovs-dev] [PATCH] match: Add support for matching IGMP fields.

> On Dec 14, 2015, at 3:12 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Thu, Dec 10, 2015 at 01:42:41PM -0800, Jarno Rajahalme wrote: >> Complete the IGMP protocol support by making IGMP fields (type, code, >> and group) matchable via OpenFlow by the way of new Nicira

Re: [ovs-dev] [PATCH 0/9] Translation fixes for revalidation

IMO this series should be backported to 2.4 and 2.3 as well, where applicable. Jarno > On Dec 10, 2015, at 18:17, Daniele Di Proietto <diproiet...@vmware.com> wrote: > > > >> On 10/12/2015 16:27, "Jesse Gross" <je...@kernel.org> wrote: >&g

[ovs-dev] [PATCH] match: Add support for matching IGMP fields.

-by: Jarno Rajahalme <ja...@ovn.org> --- build-aux/extract-ofp-fields | 1 + lib/match.c | 15 ++ lib/match.h | 3 +++ lib/meta-flow.c | 45 +- lib/meta-flow.h

Re: [ovs-dev] [PATCH net-next v4 2/8] netfilter: Factor out nf_ct_get_info().

> On Dec 10, 2015, at 11:14 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > On Tue, Dec 08, 2015 at 05:01:04PM -0800, Jarno Rajahalme wrote: >> Define a new inline function to map conntrack status to enum >> ip_conntrack_info. This removes the need to other

Re: [ovs-dev] [PATCH 1/9] dpif-netdev: Initialize match.tun_md in various places.

Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Dec 9, 2015, at 6:27 PM, Daniele Di Proietto <diproiet...@vmware.com> > wrote: > > This solves a crash in dp_netdev_flow_add(), when log level is debug. > > Signed-off-by: Daniele Di Proietto <diproiet...@vmware.c

Re: [ovs-dev] [PATCH 3/9] tnl-ports: Generate mask with correct prerequisites.

d with the one generated by the translation). > Good catch! Maybe add a comment that ‘up_port’ is zero for non-UDP tunneling protocols, just to make the conditional a bit clearer? Acked-by: Jarno Rajahalme <ja...@ovn.org> > Signed-off-by: Daniele Di Proietto <diproiet...@vmware.c

Re: [ovs-dev] [PATCH 0/9] Translation fixes for revalidation

> On Dec 10, 2015, at 4:11 PM, Jarno Rajahalme <ja...@ovn.org> wrote: > > >> On Dec 10, 2015, at 3:20 PM, Jesse Gross <je...@kernel.org> wrote: >> >> On Wed, Dec 9, 2015 at 6:27 PM, Daniele Di Proietto >> <diproiet...@vmware.com> wrote: &

Re: [ovs-dev] [PATCH 5/9] odp-util: Return exact mask if netlink mask attribute is missing.

Awesome, Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Dec 9, 2015, at 6:27 PM, Daniele Di Proietto <diproiet...@vmware.com> > wrote: > > In the ODP context an empty mask netlink attribute usually means that > the flow should be an exact match. > > odp_fl

Re: [ovs-dev] [PATCH 6/9] odp-util: Correctly [de]serialize mask for ND attributes.

With the comment below, Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Dec 9, 2015, at 6:27 PM, Daniele Di Proietto <diproiet...@vmware.com> > wrote: > > When converting between ODP attributes and struct flow_wildcards, we > check that all the prerequisites ar

Re: [ovs-dev] [PATCH 8/9] ofproto-dpif-xlate: Don't unwildcard tunnel attributes on set.

Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Dec 9, 2015, at 6:27 PM, Daniele Di Proietto <diproiet...@vmware.com> > wrote: > > When translating a set action we also unwildcard the field in question. > This is done to correctly translate set actions with the value

Re: [ovs-dev] [PATCH 2/9] ofproto-dpif-xlate: Fix revalidation in execute_controller_action().

ions() might have an influence on slow_path reason > (which is included in the generated ODP actions), meaning that the > revalidation will not generate the same actions than the original > translation. > > Fix the problem my making execute_controller_action() call “my” ->

Re: [ovs-dev] [PATCH 4/9] odp-util: Commit ICMP set only for ICMP packets.

With a note below, Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Dec 9, 2015, at 6:27 PM, Daniele Di Proietto <diproiet...@vmware.com> > wrote: > > commit_set_icmp_action() should do its job only if the packet is ICMP, > otherwise there will be two problem

Re: [ovs-dev] [PATCH 0/9] Translation fixes for revalidation

> On Dec 10, 2015, at 3:20 PM, Jesse Gross wrote: > > On Wed, Dec 9, 2015 at 6:27 PM, Daniele Di Proietto > wrote: >> Sometimes the ofproto layer creates a flow which is not liked by the >> revalidation for various reasons. This behavior, while not

Re: [ovs-dev] [PATCH 7/9] ofproto-dpif-xlate: Generate right mask when checking prereqs.

> On Dec 9, 2015, at 6:27 PM, Daniele Di Proietto > wrote: > > During translation we need to unwildcard each member of the flow that we > look at. When setting or moving a field, we need to look at (and > consequently unwildcard) the field itself an all the

Re: [ovs-dev] [PATCH 8/9] ofproto-dpif-xlate: Don't unwildcard tunnel attributes on set.

Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Dec 9, 2015, at 6:27 PM, Daniele Di Proietto <diproiet...@vmware.com> > wrote: > > When translating a set action we also unwildcard the field in question. > This is done to correctly translate set actions with the value

Re: [ovs-dev] [PATCH 9/9] ofproto-dpif-xlate: Do not include non existing MPLS lse in wc.

> On Dec 9, 2015, at 6:27 PM, Daniele Di Proietto > wrote: > > An action list like > > actions=push_mpls:0x8847,load:10->OXM_OF_MPLS_LABEL[] > > will generate an exact match on the newly pushed mpls label, because the > load action needs to unwildcard its target to

Re: [ovs-dev] [PATCH] seq: Add a coverage counter for seq_change.

> On Dec 7, 2015, at 9:34 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Fri, Dec 04, 2015 at 03:57:09PM -0800, Jarno Rajahalme wrote: >> Having a coverage counter tracking the value of the internal seq_next >> should help in debugging. >> >> Suggested-by: Ju

Re: [ovs-dev] [PATCH] ovs-ofctl: replace-flows and diff-flows support for multiple tables

- > Shashank Shanbhag, > ----- > > On Thu, Nov 19, 2015 at 1:43 PM, Jarno Rajahalme <ja...@ovn.org > <mailto:ja...@ovn.org>> wrote: > > > On Oct 19, 2015, at 8:50 AM, Ben Pfaff <b...@nicira.com > > &l

Re: [ovs-dev] [PATCH] seq: Add a coverage counter for seq_change.

> On Dec 8, 2015, at 11:41 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Tue, Dec 08, 2015 at 11:39:23AM -0800, Jarno Rajahalme wrote: >> >>> On Dec 7, 2015, at 9:34 AM, Ben Pfaff <b...@ovn.org> wrote: >>> >>> On Fri, Dec 04, 2015 at 03:57:09P

[ovs-dev] [PATCH net-next v4 3/8] netfilter: Allow calling into nat helper without skb_dst.

elar <pshe...@nicira.com> Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 29 - net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 29 - 2 files changed, 16 insertions(+), 42 deletions(-)

[ovs-dev] [PATCH net-next v4 4/8] openvswitch: Update the CT state key only after nf_conntrack_in().

Only a successful nf_conntrack_in() call can effect a connection state change, so if suffices to update the key only after the nf_conntrack_in() returns. This change is needed for the later NAT patches. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- net/openvswitch/conntrack

[ovs-dev] [PATCH net-next v4 0/8] openvswitch: NAT support.

here. The flow table above is an OpenFlow table, and the rules therein are translated to kernel flow entries on-demand by ovs-vswitchd. Jarno Rajahalme (8): netfilter: Remove IP_CT_NEW_REPLY definition. netfilter: Factor out nf_ct_get_info(). netfilter: Allow calling into nat helper without

[ovs-dev] [PATCH net-next v4 5/8] openvswitch: Find existing conntrack entry after upcall.

hrough NAT using the original ct reference also after the reference is lost after an upcall. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- net/openvswitch/conntrack.c | 95 ++--- 1 file changed, 82 insertions(+), 13 deletions(-) diff --git a

[ovs-dev] [PATCH net-next v4 2/8] netfilter: Factor out nf_ct_get_info().

Define a new inline function to map conntrack status to enum ip_conntrack_info. This removes the need to otherwise duplicate this code in a later patch ("openvswitch: Find existing conntrack entry after upcall."). Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- inclu

[ovs-dev] [PATCH net-next v4 1/8] netfilter: Remove IP_CT_NEW_REPLY definition.

Remove the definition of IP_CT_NEW_REPLY from the kernel as it does not make sense. This allows the definition of IP_CT_NUMBER to be simplified as well. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +--- net/openv

Re: [ovs-dev] [PATCH 1/2] odp-util: Consider NAT bits in conversions and format.

Acked-by: Jarno Rajahalme <ja...@ovn.org> Pushed to master, Jarno > On Dec 3, 2015, at 10:35 AM, Daniele Di Proietto <diproiet...@vmware.com> > wrote: > > Signed-off-by: Daniele Di Proietto <diproiet...@vmware.com> > --- > lib/odp-util.c | 16

Re: [ovs-dev] [PATCH] tests: Check for NAT modules in system testsuite.

d be nice for the module to be automatically loaded by the > OVS kernel datapath when needed (I believe it happens with > nf_conntrack_ftp), but I don't know if there's a way to do that. > > Anyway, this fixes a problem, so: > > Acked-by: Daniele Di Proietto <diproiet...@vmware.com>

Re: [ovs-dev] [PATCH 2/2] ofproto-dpif: Validate NAT action support.

Thanks Daniele! Acked-by: Jarno Rajahalme <ja...@ovn.org> Pushed to master, Jarno > On Dec 3, 2015, at 10:35 AM, Daniele Di Proietto <diproiet...@vmware.com> > wrote: > > The NAT validation is similar (and based on) the existing conntrack > validation: when a dpi

[ovs-dev] [PATCH] seq: Add a coverage counter for seq_change.

Having a coverage counter tracking the value of the internal seq_next should help in debugging. Suggested-by: Justin Pettit <jpet...@ovn.org> Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- lib/seq.c | 8 1 file changed, 8 insertions(+) diff --git a/lib/seq.c b/lib

Re: [ovs-dev] [PATCH] bond: Use correct type for slave's change_seq.

> On Dec 3, 2015, at 10:57 PM, Ben Pfaff <b...@ovn.org> wrote: > > On Thu, Dec 03, 2015 at 10:23:19PM -0800, Ben Pfaff wrote: >> On Thu, Dec 03, 2015 at 05:59:12PM -0800, Jarno Rajahalme wrote: >>> seq values are 64-bit, and storing them to a 32-bit variable cau

[ovs-dev] [PATCH] bond: Use correct type for slave's change_seq.

Bayless <hbayl...@vmware.com> Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- ofproto/bond.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ofproto/bond.c b/ofproto/bond.c index 1dbf8f1..c2749e5 100644 --- a/ofproto/bond.c +++ b/ofproto/bond.c @@ -84,7 +84

Re: [ovs-dev] [PATCH] bond: Use correct type for slave's change_seq.

> On Dec 3, 2015, at 6:19 PM, Joe Stringer <j...@ovn.org> wrote: > > On 3 December 2015 at 17:59, Jarno Rajahalme <ja...@ovn.org > <mailto:ja...@ovn.org>> wrote: > seq values are 64-bit, and storing them to a 32-bit variable causes > the stored value n

Re: [ovs-dev] [PATCH 2/2] ofproto-dpif: Validate ct action support.

LGTM, Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Dec 1, 2015, at 4:17 PM, Joe Stringer <joestrin...@nicira.com> wrote: > > Disallow installing rules that execute ct() if conntrack is unsupported > in the datapath. > > Reported-by: Ravindra Kenchappa <rav

[ovs-dev] [PATCH] tests: Check for NAT modules in system testsuite.

FTP NAT system tests fail if the corresponding modules are not loaded. Add a probe for nf_nat_ftp module to make sure it is loaded before the tests. Reported-by: Daniele Di Proietto <diproiet...@vmware.com> Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- tests/system-kmod-macros.

Re: [ovs-dev] [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition.

> On Nov 25, 2015, at 21:41, Simon Horman <simon.hor...@netronome.com> wrote: > >> On Wed, Nov 25, 2015 at 04:08:14PM -0800, Jarno Rajahalme wrote: >> Remove the definition of IP_CT_NEW_REPLY from the kernel as it does >> not make sense. This allows

Re: [ovs-dev] [PATCH v3 0/4] Meter implementation for userspace datapath.

> On Nov 29, 2015, at 17:12, Ben Pfaff <b...@ovn.org> wrote: > >> On Mon, Nov 23, 2015 at 08:54:31PM -0800, Jarno Rajahalme wrote: >> Back by popular demand, here is the OpenFlow meter implementation for >> the userspace datapath. Meters are inherentl

Re: [ovs-dev] [PATCH] ofproto-dpif-xlate: Fix byte-order error in comparison.

Thanks for fixing that Ben. Jarno Jarno > On Nov 26, 2015, at 08:50, Ben Pfaff <b...@ovn.org> wrote: > >> On Thu, Nov 26, 2015 at 02:47:21PM -0200, Flavio Leitner wrote: >>> On Wed, Nov 25, 2015 at 10:30:57PM -0800, Ben Pfaff wrote: >>> Found by spar

Re: [ovs-dev] [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition.

> On Nov 30, 2015, at 10:16 AM, Jarno Rajahalme <ja...@ovn.org> wrote: > > >> On Nov 25, 2015, at 21:41, Simon Horman <simon.hor...@netronome.com> wrote: >> >>> On Wed, Nov 25, 2015 at 04:08:14PM -0800, Jarno Rajahalme wrote: >>> Remov

Re: [ovs-dev] [PATCH v2 2/2] ovs-ofctl: Support multiple tables in replace-flows and diff-flows.

> On Nov 25, 2015, at 5:07 PM, Ben Pfaff <b...@ovn.org> wrote: > > On Wed, Nov 25, 2015 at 04:19:40PM -0800, Jarno Rajahalme wrote: >> >>> On Nov 24, 2015, at 4:22 PM, Ben Pfaff <b...@ovn.org> wrote: >>> >>> On Tue, Nov 24, 2015 at 10:21:41

Re: [ovs-dev] [PATCH v2 6/8] system-tests: Workaround for pyftpdlib bug handling IPv6 addresses.

> On Nov 25, 2015, at 9:38 AM, Joe Stringer <j...@wand.net.nz> wrote: > > On 6 November 2015 at 16:10, Jarno Rajahalme <jrajaha...@nicira.com> wrote: >> Hack around a bug in pyftpdlib that rejects EPRT connection due to >> mismatching textual repres

[ovs-dev] [PATCH net-next v3 4/8] openvswitch: Update the CT state key only after nf_conntrack_in().

Only a successful nf_conntrack_in() call can effect a connection state change, so if suffices to update the key only after the nf_conntrack_in() returns. This change is needed for the later NAT patches. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- net/openvswitch/conntrack

[ovs-dev] [PATCH net-next v3 8/8] openvswitch: Interface with NAT.

/nat. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- include/uapi/linux/openvswitch.h | 47 net/openvswitch/conntrack.c | 520 +-- net/openvswitch/conntrack.h | 3 +- 3 files changed, 544 insertions(+), 26 deletions(-) diff --git a/i

[ovs-dev] [PATCH net-next v3 7/8] openvswitch: Delay conntrack helper call for new connections.

There is no need to help connections that are not confirmed, so we can delay helping new connections to the time when they are confirmed. This change is needed for NAT support, and having this as a separate patch will make the following NAT patch a bit easier to review. Signed-off-by: Jarno

[ovs-dev] [PATCH net-next v3 2/8] netfilter: Factor out nf_ct_get_info().

Define a new inline function to map conntrack status to enum ip_conntrack_info. This removes the need to otherwise duplicate this code in a later patch ("openvswitch: Find existing conntrack entry after upcall."). Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- inclu

[ovs-dev] [PATCH net-next v3 6/8] openvswitch: Handle NF_REPEAT in conntrack action.

Repeat the nf_conntrack_in() call when it returns NF_REPEAT. This avoids dropping a SYN packet re-opening an existing TCP connection. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- net/openvswitch/conntrack.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git

[ovs-dev] [PATCH net-next v3 5/8] openvswitch: Find existing conntrack entry after upcall.

hrough NAT using the original ct reference also after the reference is lost after an upcall. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- net/openvswitch/conntrack.c | 95 ++--- 1 file changed, 82 insertions(+), 13 deletions(-) diff --git a

[ovs-dev] [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst.

elar <pshe...@nicira.com> Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 29 - net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 29 - 2 files changed, 16 insertions(+), 42 deletions(-)

Re: [ovs-dev] [PATCH v3 1/2] ofproto: Allow xlate_actions() to fail.

> On Nov 25, 2015, at 2:58 PM, Joe Stringer <j...@ovn.org> wrote: > > On 25 November 2015 at 11:23, Jarno Rajahalme <ja...@ovn.org > <mailto:ja...@ovn.org>> wrote: >> >> On Nov 25, 2015, at 11:11 AM, Jarno Rajahalme <ja...@ovn.org> wrote: >&

Re: [ovs-dev] [PATCH v3 1/2] ofproto: Allow xlate_actions() to fail.

> On Nov 25, 2015, at 3:14 PM, Joe Stringer <j...@ovn.org> wrote: > > On 25 November 2015 at 15:12, Joe Stringer <joestrin...@nicira.com> wrote: >> On 25 November 2015 at 15:06, Jarno Rajahalme <ja...@ovn.org> wrote: >>> >>>> On Nov 2

Re: [ovs-dev] [PATCH v2 5/8] system-tests: Add IPv6 FTP system test.

> On Nov 25, 2015, at 3:52 PM, Joe Stringer <j...@ovn.org> wrote: > > Apologies, I missed this one. > > On 6 November 2015 at 16:10, Jarno Rajahalme <jrajaha...@nicira.com> wrote: >> Signed-off-by: Jarno Rajahalme <jrajaha...@nicira.com>

Re: [ovs-dev] [PATCH v2 2/8] ofproto: Enable in-place modification for recirc actions.

> On Nov 24, 2015, at 3:56 PM, Ben Pfaff <b...@ovn.org> wrote: > > On Tue, Nov 24, 2015 at 02:25:47PM -0800, Jarno Rajahalme wrote: >> >>> On Nov 24, 2015, at 1:53 PM, Ben Pfaff <b...@ovn.org> wrote: >>> >>> On Tue, Nov 24, 2015 at 01:10:35

Re: [ovs-dev] [PATCH v2 7/8] packets: Reorder CS_* flags to remove gap.

> On Nov 24, 2015, at 10:40 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Fri, Nov 06, 2015 at 04:10:54PM -0800, Jarno Rajahalme wrote: >> This changes the conntrack state flags used in the OpenFlow interface >> to match the ones we currently use in the datapath.

Re: [ovs-dev] [PATCH v2 2/2] ovs-ofctl: Support multiple tables in replace-flows and diff-flows.

> On Nov 24, 2015, at 4:22 PM, Ben Pfaff <b...@ovn.org> wrote: > > On Tue, Nov 24, 2015 at 10:21:41AM -0800, Jarno Rajahalme wrote: >> >>> On Nov 24, 2015, at 10:15 AM, Jarno Rajahalme <ja...@ovn.org> wrote: >>> >>> >>>>

[ovs-dev] [PATCH net-next v3 1/8] netfilter: Remove IP_CT_NEW_REPLY definition.

Remove the definition of IP_CT_NEW_REPLY from the kernel as it does not make sense. This allows the definition of IP_CT_NUMBER to be simplified as well. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +--- net/openv

[ovs-dev] [PATCH net-next v3 0/8] openvswitch: NAT support.

here. The flow table above is an OpenFlow table, and the rules therein are translated to kernel flow entries on-demand by ovs-vswitchd. Jarno Rajahalme (8): netfilter: Remove IP_CT_NEW_REPLY definition. netfilter: Factor out nf_ct_get_info(). netfilter: Allow calling into nat helper

Re: [ovs-dev] [PATCH v2 8/8] conntrack action: Add support for NAT.

> On Nov 24, 2015, at 1:51 PM, Ben Pfaff <b...@ovn.org> wrote: > > On Fri, Nov 06, 2015 at 04:10:55PM -0800, Jarno Rajahalme wrote: >> Extend OVS conntrack interface to cover NAT. New nested nat action >> may be included with a CT action. A bare nat action only mang

Re: [ovs-dev] [PATCH v3 1/2] ofproto: Allow xlate_actions() to fail.

> On Nov 24, 2015, at 5:02 PM, Joe Stringer <j...@ovn.org> wrote: > > On 24 November 2015 at 13:41, Jarno Rajahalme <ja...@ovn.org> wrote: >> Sometimes xlate_actions() fails due to too deep recursion, too many >> MPLS labels, or missing recirculation context.

Re: [ovs-dev] [PATCH v3 1/2] ofproto: Allow xlate_actions() to fail.

> On Nov 25, 2015, at 11:23 AM, Jarno Rajahalme <ja...@ovn.org> wrote: > >> >> On Nov 25, 2015, at 11:11 AM, Jarno Rajahalme <ja...@ovn.org >> <mailto:ja...@ovn.org>> wrote: >> >> >>> On Nov 25, 2015, at 10:52 AM, Joe Stringer

Re: [ovs-dev] [PATCH v3 1/2] ofproto: Allow xlate_actions() to fail.

> On Nov 24, 2015, at 5:02 PM, Joe Stringer <j...@ovn.org> wrote: > > On 24 November 2015 at 13:41, Jarno Rajahalme <ja...@ovn.org> wrote: >> Sometimes xlate_actions() fails due to too deep recursion, too many >> MPLS labels, or missing recirculation context.

Re: [ovs-dev] [PATCH v3 1/2] ofproto: Allow xlate_actions() to fail.

> On Nov 25, 2015, at 10:52 AM, Joe Stringer <j...@ovn.org> wrote: > > On 25 November 2015 at 10:31, Jarno Rajahalme <ja...@ovn.org > <mailto:ja...@ovn.org>> wrote: >> >>> On Nov 24, 2015, at 5:02 PM, Joe Stringer <j...@ovn.org> wrote: >>

Re: [ovs-dev] [PATCH v3 1/2] ofproto: Allow xlate_actions() to fail.

> On Nov 25, 2015, at 11:11 AM, Jarno Rajahalme <ja...@ovn.org> wrote: > > >> On Nov 25, 2015, at 10:52 AM, Joe Stringer <j...@ovn.org >> <mailto:j...@ovn.org>> wrote: >> >> On 25 November 2015 at 10:31, Jarno Rajahalme <ja...@ovn.org

Re: [ovs-dev] [PATCH v2 2/8] ofproto: Enable in-place modification for recirc actions.

> On Nov 24, 2015, at 1:53 PM, Ben Pfaff <b...@ovn.org> wrote: > > On Tue, Nov 24, 2015 at 01:10:35PM -0800, Jarno Rajahalme wrote: >> >>> On Nov 24, 2015, at 10:27 AM, Ben Pfaff <b...@ovn.org> wrote: >>> >>> On Fri, Nov 06, 2015 at 04:10:

Re: [ovs-dev] [PATCH v2 1/8] ofproto: Allow xlate_actions() to fail.

I’ll post a new version of this and the related next patch separately in a minute, Jarno > On Nov 24, 2015, at 11:26 AM, Jarno Rajahalme <ja...@ovn.org> wrote: > > >> On Nov 24, 2015, at 10:17 AM, Ben Pfaff <b...@ovn.org> wrote: >> >> On Fri,

Re: [ovs-dev] [PATCH v2 4/8] system-tests: Use '--bundle'

> On Nov 24, 2015, at 10:33 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Fri, Nov 06, 2015 at 04:10:51PM -0800, Jarno Rajahalme wrote: >> Use OpenFlow bundles for setting up flow tables. This has the benefit >> that when debugging test failures, no packet gets proce

[ovs-dev] [PATCH v3 2/2] ofproto: Enable in-place modification for recirc actions.

When modifying an existing datapath flow with recirculation actions, the references to old (if any) recirculation actions need to be freed, and references to new recirculation actions need to be stored. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> Acked-by: Joe Stringer <joestrin...@n

Re: [ovs-dev] [PATCH v2 2/8] ofproto: Enable in-place modification for recirc actions.

> On Nov 24, 2015, at 10:27 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Fri, Nov 06, 2015 at 04:10:49PM -0800, Jarno Rajahalme wrote: >> When modifying an existing datapath flow with recirculation actions, >> the references to old (if any) recirculation actions need to

Re: [ovs-dev] [PATCH v2 3/8] system-tests: Make bridge creation more consistent.

> On Nov 24, 2015, at 10:32 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Fri, Nov 06, 2015 at 04:10:50PM -0800, Jarno Rajahalme wrote: >> Create all bridges with the same set of supported OpenFlow protocols >> and fail-safe-mode secure, so that each test explicitly

[ovs-dev] [PATCH v3 1/2] ofproto: Allow xlate_actions() to fail.

43b2f131a229 (ofproto: Allow in-place modifications of datapath flows). Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- ofproto/ofproto-dpif-upcall.c | 2 +- ofproto/ofproto-dpif-xlate.c | 123 +- ofproto/ofproto-dpif-xlate.h | 16 +- o

Re: [ovs-dev] [PATCH v2 2/2] ovs-ofctl: Support multiple tables in replace-flows and diff-flows.

> On Nov 24, 2015, at 9:25 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Thu, Nov 19, 2015 at 01:33:18PM -0800, Jarno Rajahalme wrote: >> Currently ovs-ofctl replace-flows and diff-flows commands only support >> flows in table 0. Extend this to cover all possibl

Re: [ovs-dev] [PATCH v2 2/2] ovs-ofctl: Support multiple tables in replace-flows and diff-flows.

> On Nov 24, 2015, at 9:40 AM, Jarno Rajahalme <ja...@ovn.org> wrote: > > >> On Nov 24, 2015, at 9:25 AM, Ben Pfaff <b...@ovn.org> wrote: >> >> On Thu, Nov 19, 2015 at 01:33:18PM -0800, Jarno Rajahalme wrote: >>> Currently ovs-ofctl replace-flow

Re: [ovs-dev] [PATCH v2 2/2] ovs-ofctl: Support multiple tables in replace-flows and diff-flows.

> On Nov 24, 2015, at 10:15 AM, Jarno Rajahalme <ja...@ovn.org> wrote: > > >> On Nov 24, 2015, at 9:40 AM, Jarno Rajahalme <ja...@ovn.org> wrote: >> >> >>> On Nov 24, 2015, at 9:25 AM, Ben Pfaff <b...@ovn.org> wrote: >>> >

Re: [ovs-dev] [PATCH v2 1/2] openflow: Remove OFPG11_*

> On Nov 24, 2015, at 9:15 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Thu, Nov 19, 2015 at 01:33:17PM -0800, Jarno Rajahalme wrote: >> Protocol-independent symbols OFPG_* were already defined in >> openflow-common.h, so remove the protocol version dependent symbols.

Re: [ovs-dev] [PATCH v2 1/8] ofproto: Allow xlate_actions() to fail.

> On Nov 24, 2015, at 10:17 AM, Ben Pfaff <b...@ovn.org> wrote: > > On Fri, Nov 06, 2015 at 04:10:48PM -0800, Jarno Rajahalme wrote: >> Sometimes xlate_actions() fails due to too deep recursion, too many >> MPLS labels, or missing recirculation context. M

[ovs-dev] [PATCH v3 3/4] ofproto: Meter translation.

Translate OpenFlow METER instructions to datapath meter actions. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- lib/dpif.c | 38 +-- lib/ofp-actions.c| 1 + lib/ofp-actions.h| 1 + ofproto/ofproto-dpif-xlate.

[ovs-dev] [PATCH v3 2/4] odp-execute: Support dropping packets.

likely to appear as new kinds of action are added later. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- lib/dp-packet.h | 13 -- lib/dpif-netdev.c | 53 +- lib/dpif.c| 6 +++-- lib/netdev-bsd.c | 8 +- lib/netdev-

[ovs-dev] [PATCH v3 1/4] dpif: Meter framework.

Add DPIF-level infrastructure for meters. Allow meter_set to modify the meter configuration (e.g. set the burst size if unspecified). Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- datapath/linux/compat/include/linux/openvswitch.h | 8 ++- lib/dpif-ne

[ovs-dev] [PATCH v3 0/4] Meter implementation for userspace datapath.

for further optimizations. This version addresses all the feedback received for version 2. Jarno Rajahalme (4): dpif: Meter framework. odp-execute: Support dropping packets. ofproto: Meter translation. dpif-netdev: Simple DROP meter implementation. datapath/linux/compat/include/linux

[ovs-dev] [PATCH v3 4/4] dpif-netdev: Simple DROP meter implementation.

of the meter bands are hit, we need to process the packets individually. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- lib/dpif-netdev.c| 379 +++ tests/dpif-netdev.at | 108 ++- 2 files changed, 453 insertions(+), 34 deletions(-)

Re: [ovs-dev] [PATCH 3/6] ofproto: Check actions also for packet outs and traces.

> On Aug 12, 2014, at 3:53 PM, Ben Pfaff <b...@nicira.com> wrote: > > On Tue, Aug 05, 2014 at 04:38:54PM -0700, Jarno Rajahalme wrote: >> Make the packet out and trace processing perform the same actions >> checks as flow mod processing does. >> >> This

[ovs-dev] [PATCH v2 1/2] openflow: Remove OFPG11_*

Protocol-independent symbols OFPG_* were already defined in openflow-common.h, so remove the protocol version dependent symbols. Found by inspection. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- include/openflow/openflow-1.1.h | 18 ++ lib/ofp-parse.c

[ovs-dev] [PATCH v2 2/2] ovs-ofctl: Support multiple tables in replace-flows and diff-flows.

Currently ovs-ofctl replace-flows and diff-flows commands only support flows in table 0. Extend this to cover all possible tables. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- tests/ovs-ofctl.at| 60 utilities/ovs-ofctl.c

[ovs-dev] [PATCH] AUTHORS: Update email address.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- AUTHORS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AUTHORS b/AUTHORS index c10b19f..29d184c 100644 --- a/AUTHORS +++ b/AUTHORS @@ -84,7 +84,7 @@ Isaku Yamahata yamah...@valinux.co.jp J

Re: [ovs-dev] [PATCH] ovs-ofctl: replace-flows and diff-flows support for multiple tables

> On Oct 19, 2015, at 8:50 AM, Ben Pfaff wrote: > > On Sun, Oct 18, 2015 at 04:22:22PM -0700, Shashank Shanbhag wrote: >> Fix replace-flows and diff-flows to modify/diff flows in multiple tables. >> Add a --tables(-T) option that allows the user to specify a comma-separated >>

Re: [ovs-dev] [PATCH] AUTHORS: Update email address.

> On Nov 19, 2015, at 1:55 PM, Russell Bryant <russell@gmail.com> wrote: > > On 11/19/2015 04:51 PM, Jarno Rajahalme wrote: >> Signed-off-by: Jarno Rajahalme <ja...@ovn.org> >> --- >> AUTHORS | 2 +- >> 1 file changed, 1 insertion(+), 1 dele

Re: [ovs-dev] [PATCH 1/6] utilities/ovs-ofctl: Fix meter requests.

> On Aug 12, 2014, at 3:48 PM, Ben Pfaff <b...@nicira.com> wrote: > > On Tue, Aug 05, 2014 at 04:38:52PM -0700, Jarno Rajahalme wrote: >> Meter requests should use dump/stats transaction, instead of >> transact_noreply, which caused the output to go to stderr and an e

Re: [ovs-dev] [PATCHv2 3/6] ofproto-dpif: Shortcut common case in rule_check().

I was about to propose this for the patch 2/6, Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Nov 11, 2015, at 11:39 AM, Joe Stringer <joestrin...@nicira.com> wrote: > > Typically the datapath will support all available features, so check > that first before attemp

Re: [ovs-dev] [PATCH 3/3] ofproto-dpif: Validate ct action support.

> On Nov 11, 2015, at 10:21 AM, Joe Stringer <joestrin...@nicira.com> wrote: > > On 10 November 2015 at 13:56, Joe Stringer <joestrin...@nicira.com> wrote: >> On 9 November 2015 at 17:25, Jarno Rajahalme <ja...@ovn.org> wrote: >>> >>>&g

Re: [ovs-dev] [PATCHv2 0/6] Improve ct match/action verification.

> On Nov 11, 2015, at 11:39 AM, Joe Stringer wrote: > > There are currently a few holes in how OVS verifies connection tracking fields > and actions, pointed out by Ravindra Kenchappa. This series aims to verify > ct_state,ct_zone,ct_mark,ct_label match fields and the

Re: [ovs-dev] [PATCHv2 1/6] ofproto-dpif: Reject partial ct_labels if unsupported.

Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Nov 11, 2015, at 11:39 AM, Joe Stringer <joestrin...@nicira.com> wrote: > > If only half of a ct_label is present in a miniflow/minimask (eg, only > matching on one specific bit), then rule_check() would allow the

Re: [ovs-dev] [PATCHv2 2/6] ofproto-dpif: Validate ct_* field masks.

With one comment to consider below: Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Nov 11, 2015, at 11:39 AM, Joe Stringer <joestrin...@nicira.com> wrote: > > When inserting rules that match on connection tracking fields, datapath > support must be checked before allo

Re: [ovs-dev] [PATCHv2 4/6] ofp-actions: Refactor ofpact_get_mf_dst().

reject OpenFlow flows with conntrack actions when conntrack is > unsupported by the datapath. > > Signed-off-by: Joe Stringer <joestrin...@nicira.com> > Acked-by: Jarno Rajahalme <jrajaha...@nicira.com> > --- > lib/ofp-actions.c | 18 +++--- > lib/ofp-actions.h |

Re: [ovs-dev] [PATCHv2 5/6] ofproto-provider: Add action validation.

With a comment below, Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Nov 11, 2015, at 11:39 AM, Joe Stringer <joestrin...@nicira.com> wrote: > > Add an ofproto-level function to allow implementations to reject > specific action types based on internal implementation d

Re: [ovs-dev] [PATCHv2 5/6] ofproto-provider: Add action validation.

I would urge Ben to check this up as well, though. Jarno > On Nov 11, 2015, at 2:23 PM, Jarno Rajahalme <ja...@ovn.org> wrote: > > With a comment below, > > Acked-by: Jarno Rajahalme <ja...@ovn.org> > >> On Nov 11, 2015, at 11:39 AM, Joe Stringer <jo

Re: [ovs-dev] [PATCHv2 6/6] ofproto: Validate ct actions support.

LGTM, However, I would urge Ben to offer his opinion to this design, Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Nov 11, 2015, at 11:39 AM, Joe Stringer <joestrin...@nicira.com> wrote: > > Disallow installing rules that execute ct() if conntrack is unsupported > in

Re: [ovs-dev] [RFC PATCH net-next v2 7/8] openvswitch: Delay conntrack helper call for new connections.

> On Nov 9, 2015, at 5:26 AM, Patrick McHardy <ka...@trash.net> wrote: > > On 06.11, Jarno Rajahalme wrote: >> There is no need to help connections that are not confirmed, so we can >> delay helping new connections to the time when they are confirmed. >> This

<    5   6   7   8   9   10   11   12   13   14   >