Re: [ovs-dev] [Regression] openvswitch: Add eventmask support to CT action.

2018-09-24 Thread Jarno Rajahalme

> On Sep 21, 2018, at 2:37 AM, Joseph Salisbury wrote:
> 
> Hi Jarno,
> 
> A kernel bug report was opened against Ubuntu [0].  This bug is a
> regression introduced in v4.12-rc1.  The latest mainline kernel was
> tested and still exhibits the bug.  The following commit was identified
> as the cause of the regression:
> 
> 120645513f55 ("openvswitch: Add eventmask support to CT action.")
> 
> I was hoping to get your feedback, since you are the patch author.  Do
> you think gathering any additional data will help diagnose this issue?
> 
> 
> Thanks,
> 
> Joe
> 
> http://pad.lv/1736390
> 

I spent a while looking at what could cause an i386-only issue like the one
reported due to this commit, but could not come up with anything solid.
Essentially the commit is setting the ‘ctmask’ field of a CT ecache extension.
The purpose of the ‘ctmask’ is to limit the type of conntrack events for which a report is
delivered to any monitors in userspace. With a non-default (default is 
all-ones) ‘ctmask’ the code paths taken in nf_conntrack_eventmask_report() and 
nf_ct_deliver_cached_events() are changed to skip the generation of event 
reports for some event types. While it is hard to see how this could manifest 
as a bug in i386, this should be the only effect of the commit referred to 
above.

OVS probes for the kernel support of this feature and only uses the 
OVS_CT_ATTR_EVENTMASK attribute if support for it in the kernel is detected. 
The option of reverting the commit will cause additional CPU use and potential 
buffering issues for CT event monitors in userspace. If you need to revert the 
commit please try to do so only for the affected architecture (i386).

However, while reviewing all the uses of ‘ctmask’ and the associated 
nf_ct_ecache_ext_add() calls in the kernel with Joe we figured it would be 
worth trying a change where ‘ctmask’ is set in the CT template instead of on the
actual CT entry directly. This is a long shot in the sense of changing the
behavior, but the only thing we could come up with now. I have attached the patch
below, please try it in your test rig.

commit a717743bd355b3a25a83b196403db9d010b311b2 (HEAD -> 
ovs-set-ctmask-in-template)
Author: Jarno Rajahalme 
Date:   Mon Sep 24 14:34:26 2018 -0700

openvswitch: Set CT mask in template

Set the conntrack event mask in the template rather than on the conntrack
entry itself. init_conntrack() (called via nf_conntrack_in()) will pick
the event mask from the template.

Signed-off-by: Jarno Rajahalme 

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 86a75105af1a..ae1fb06828da 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1169,21 +1169,6 @@ static int ovs_ct_commit(struct net *net, struct 
sw_flow_key *key,
}
}
 #endif
-
-   /* Set the conntrack event mask if given.  NEW and DELETE events have
-* their own groups, but the NFNLGRP_CONNTRACK_UPDATE group listener
-* typically would receive many kinds of updates.  Setting the event
-* mask allows those events to be filtered.  The set event mask will
-* remain in effect for the lifetime of the connection unless changed
-* by a further CT action with both the commit flag and the eventmask
-* option. */
-   if (info->have_eventmask) {
-   struct nf_conntrack_ecache *cache = nf_ct_ecache_find(ct);
-
-   if (cache)
-   cache->ctmask = info->eventmask;
-   }
-
/* Apply changes before confirming the connection so that the initial
 * conntrack NEW netlink event carries the values given in the CT
 * action.
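
Review bot: Dropping the "cache->ctmask = info->eventmask" assignment from ovs_ct_commit() means a CT action with commit and eventmask on an already existing connection no longer changes that connection's mask, which the removed comment explicitly promised ("unless changed by a further CT action with both the commit flag and the eventmask option"). The commit message says init_conntrack() picks the mask up from the template, which reads as covering only newly created entries. If that behaviour change is intended, state it in the commit message; otherwise keep an update path here for existing entries.
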
@@ -1625,6 +1610,20 @@ int ovs_ct_copy_action(struct net *net, const struct 
nlattr *attr,
return -ENOMEM;
}
 
+   /* Set the conntrack event mask if given.  NEW and DELETE events have
+* their own groups, but the NFNLGRP_CONNTRACK_UPDATE group listener
+* typically would receive many kinds of updates.  Setting the event
+* mask allows those events to be filtered.  The set event mask will
+* remain in effect for the lifetime of the connection unless changed
+* by a further CT action with both the commit flag and the eventmask
+* option. */
+   if (ct_info.have_eventmask) {
+   if (!nf_ct_ecache_ext_add(ct_info.ct, ct_info.eventmask, 0, 
GFP_KERNEL)) {
+   OVS_NLERR(log, "Failed to allocate ecache for conntrack 
template");
+   return -ENOMEM;
+   }
+   }
+
__set_bit(IPS_CONFIRMED_BIT, _info.ct->status);
nf_conntrack_get(_info.ct->ct_general);
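
Review bot: The new "return -ENOMEM" after a failed nf_ct_ecache_ext_add() leaves ovs_ct_copy_action() with ct_info.ct already allocated (it is passed to the call), so the template looks leaked on this path; release it, or use the function's existing cleanup path if it has one, before returning. The comment block was also moved verbatim and still talks about the mask being changed "by a further CT action with both the commit flag and the eventmask option", which should be reworded for a mask that is now set on the template.
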
 

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH] ovs-ofctl: Avoid read overrun in ofperr_decode_msg().

2017-06-13 Thread Jarno Rajahalme
Seems like I leaped from the fact that error message’s payload must contain at 
least 64 bytes of the message causing the error (or, less, if the message 
length was less than 64), to the erroneous notion that the whole error message 
would only need 64 bytes of storage. Thanks for fixing this.

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Jun 13, 2017, at 4:04 PM, Ben Pfaff <b...@ovn.org> wrote:
> 
> vconn_add_bundle_error() was keeping at most 64 bytes of an OpenFlow
> error message, then it was passing it to ofperr_decode_msg(), which assumed
> that the full message was available.  This led to a buffer overread.
> There's no good reason why it was only keeping the first 64 bytes, so this
> commit changes it to keep the whole error message, sidestepping the
> problem.
> 
> struct vconn_bundle_error only existed for this special case, so remove it
> in favor of a chain of ofpbufs.
> 
> Found via gcc's address sanitizer.
> 
> Reported-by: Lance Richardson <lrich...@redhat.com>
> CC: Jarno Rajahalme <ja...@ovn.org>
> Fixes: 506c1ddb3404 ("vconn: Better bundle error management.")
> Signed-off-by: Ben Pfaff <b...@ovn.org>
> ---
> include/openvswitch/vconn.h | 12 
> lib/vconn.c | 25 -
> utilities/ovs-ofctl.c   | 10 ++
> 3 files changed, 14 insertions(+), 33 deletions(-)
> 
> diff --git a/include/openvswitch/vconn.h b/include/openvswitch/vconn.h
> index 40ca9edfe868..90f9bad2c1c9 100644
> --- a/include/openvswitch/vconn.h
> +++ b/include/openvswitch/vconn.h
> @@ -61,18 +61,6 @@ int vconn_dump_flows(struct vconn *, const struct 
> ofputil_flow_stats_request *,
>  enum ofputil_protocol,
>  struct ofputil_flow_stats **fsesp, size_t *n_fsesp);
> 
> -/* Bundle errors must be free()d by the caller. */
> -struct vconn_bundle_error {
> -struct ovs_list list_node;
> -
> -/* OpenFlow header and some of the message contents for error reporting. 
> */
> -union {
> -struct ofp_header ofp_msg;
> -uint8_t ofp_msg_data[64];
> -};
> -};
> -
> -/* Bundle errors must be free()d by the caller. */
> int vconn_bundle_transact(struct vconn *, struct ovs_list *requests,
>   uint16_t bundle_flags,
>   struct ovs_list *errors);
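
Review bot: With both copies of "Bundle errors must be free()d by the caller." removed, the vconn_bundle_transact() declaration no longer says who owns the entries left on 'errors'. Since the commit message says they are now a chain of ofpbufs, add a comment here stating that the caller must delete each ofpbuf on the list.
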
> diff --git a/lib/vconn.c b/lib/vconn.c
> index 6997eaa96e2c..8a9f0ca8fa96 100644
> --- a/lib/vconn.c
> +++ b/lib/vconn.c
> @@ -744,18 +744,6 @@ vconn_recv_block(struct vconn *vconn, struct ofpbuf 
> **msgp)
> return retval;
> }
> 
> -static void
> -vconn_add_bundle_error(const struct ofp_header *oh, struct ovs_list *errors)
> -{
> -if (errors) {
> -struct vconn_bundle_error *err = xmalloc(sizeof *err);
> -size_t len = ntohs(oh->length);
> -
> -memcpy(err->ofp_msg_data, oh, MIN(len, sizeof err->ofp_msg_data));
> -ovs_list_push_back(errors, >list_node);
> -}
> -}
> -
> static int
> vconn_recv_xid__(struct vconn *vconn, ovs_be32 xid, struct ofpbuf **replyp,
>  struct ovs_list *errors)
> @@ -781,13 +769,13 @@ vconn_recv_xid__(struct vconn *vconn, ovs_be32 xid, 
> struct ofpbuf **replyp,
> 
> error = ofptype_decode(, oh);
> if (!error && type == OFPTYPE_ERROR) {
> -vconn_add_bundle_error(oh, errors);
> +ovs_list_push_back(errors, >list_node);
> } else {
> VLOG_DBG_RL(_ofmsg_rl, "%s: received reply with xid %08"PRIx32
> " != expected %08"PRIx32,
> vconn->name, ntohl(recv_xid), ntohl(xid));
> +ofpbuf_delete(reply);
> }
> -ofpbuf_delete(reply);
> }
> }
> 
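
Review bot: The removed vconn_add_bundle_error() checked "if (errors)" before touching the list, but the replacement in vconn_recv_xid__() calls ovs_list_push_back(errors, ...) unconditionally. If any caller can still pass a NULL 'errors', this dereferences it; either keep the guard (and ofpbuf_delete(reply) when there is no list) or document that 'errors' must be non-NULL. Moving ofpbuf_delete(reply) into the else branch fits the ownership transfer, so only the guard is missing.
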
> @@ -1078,7 +1066,8 @@ vconn_bundle_reply_validate(struct ofpbuf *reply,
> }
> 
> if (type == OFPTYPE_ERROR) {
> -vconn_add_bundle_error(oh, errors);
> +struct ofpbuf *copy = ofpbuf_clone(reply);
> +ovs_list_push_back(errors, >list_node);
> return ofperr_decode_msg(oh, NULL);
> }
> if (type != OFPTYPE_BUNDLE_CONTROL) {
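
Review bot: In vconn_bundle_reply_validate() the error reply is cloned before being queued, while the other call sites in this patch queue 'reply' itself. A one-line comment saying why a copy is needed here (the caller presumably still owns and frees 'reply') would keep the two ownership models from being confused later, and the clone should be skipped when 'errors' is NULL, as the removed helper did.
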
> @@ -1150,13 +1139,13 @@ vconn_recv_error(struct vconn *vconn, struct ovs_list 
> *errors)
> oh = reply->data;
> ofperr = ofptype_decode(, oh);
> if (!ofperr && type == OFPTYPE_ERROR) {
> -vconn_add_bundle_error(oh, errors);
> +ovs_list_push_back(errors, >list_node);
> } else {
> VLOG_DBG_RL(_ofmsg_rl,
> "%s: received unexpected rep
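
The overread described in this message, as an added example (not code from the patch or from Open vSwitch): a simplified model of keeping only the first 64 bytes of an error message while a decoder still trusts the header's length field, next to the whole-message copy and a bounds-checked length read. The struct and function names are hypothetical and the sample messages are constructed.

```c
#include <arpa/inet.h>   /* htons(), htonl(), ntohs() */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified 8-byte OpenFlow header; 'length' is the size of the whole
 * message, header included, in network byte order. */
struct ofp_header {
    uint8_t version;
    uint8_t type;
    uint16_t length;
    uint32_t xid;
};

#define KEEP_MAX 64   /* Size of the fixed buffer the patch removes. */

/* Hypothetical record of a saved error message: 'stored' is the number of
 * valid bytes in 'data'. */
struct saved_error {
    uint8_t *data;
    size_t stored;
};

/* Constructed sample: an error message (type 1) of 'total_len' bytes. */
static uint8_t *make_error_msg(uint16_t total_len)
{
    struct ofp_header oh = { 4, 1, htons(total_len), htonl(0x1234) };
    uint8_t *msg;

    if (total_len < sizeof oh || !(msg = calloc(1, total_len))) {
        abort();
    }
    memcpy(msg, &oh, sizeof oh);
    return msg;
}

/* Copies at most 'limit' bytes of the message and records how many. */
static struct saved_error save_prefix(const uint8_t *msg, size_t msg_len,
                                      size_t limit)
{
    struct saved_error e;

    e.stored = msg_len < limit ? msg_len : limit;
    e.data = malloc(e.stored);
    if (!e.data) {
        abort();
    }
    memcpy(e.data, msg, e.stored);
    return e;
}

/* "Before": keep at most KEEP_MAX bytes, as the removed helper did. */
static struct saved_error save_truncated(const uint8_t *msg, size_t msg_len)
{
    return save_prefix(msg, msg_len, KEEP_MAX);
}

/* "After": keep the whole message, as the patch does. */
static struct saved_error save_whole(const uint8_t *msg, size_t msg_len)
{
    return save_prefix(msg, msg_len, msg_len);
}

/* Number of bytes past the stored copy that a decoder would read if it
 * trusted the header's length field.  Computed only, never dereferenced. */
static size_t overread_bytes(const struct saved_error *e)
{
    struct ofp_header oh;
    size_t claimed;

    if (e->stored < sizeof oh) {
        return 0;               /* No complete header to trust. */
    }
    memcpy(&oh, e->data, sizeof oh);
    claimed = ntohs(oh.length);
    return claimed > e->stored ? claimed - e->stored : 0;
}

/* Defensive length read: returns the payload length, or -1 when the header
 * claims more bytes than are actually available in the buffer. */
static long checked_payload_len(const uint8_t *buf, size_t avail)
{
    struct ofp_header oh;
    size_t len;

    if (avail < sizeof oh) {
        return -1;
    }
    memcpy(&oh, buf, sizeof oh);
    len = ntohs(oh.length);
    if (len < sizeof oh || len > avail) {
        return -1;
    }
    return (long) (len - sizeof oh);
}

int main(void)
{
    uint8_t *msg = make_error_msg(200);
    struct saved_error t = save_truncated(msg, 200);
    struct saved_error w = save_whole(msg, 200);

    printf("truncated: stored=%zu overread=%zu checked=%ld\n",
           t.stored, overread_bytes(&t), checked_payload_len(t.data, t.stored));
    printf("whole:     stored=%zu overread=%zu checked=%ld\n",
           w.stored, overread_bytes(&w), checked_payload_len(w.data, w.stored));
    free(t.data);
    free(w.data);
    free(msg);
    return 0;
}
```
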

Re: [ovs-dev] [PATCH v5] tunneling: Avoid recirculation on datapath by computing the recirculate actions at translate time.

2017-05-10 Thread Jarno Rajahalme
> On May 10, 2017, at 12:59 PM, Andy Zhou wrote:
> 
> On Wed, May 10, 2017 at 7:56 AM, William Tu wrote:
>>> It may be cleaner if we add a new trunc action for the datapath, say
>>> trunc2  that applies
>>> to all outputs within the clone.
>>> 
>>> So the translation will look like: clone(trunc2, native tunnel
>>> translation). Would this
>>> approach work?
>>> 
>> 
>> Or how about we apply actual packet truncation when clone action
>> follows truncate action?
>> Now we apply actual packet truncation when:
>> actions=trunc, output
>> actions=trunc, tunnel_push
>> actions=trunc, sample
> 
>> 
>> If we add clone as another truncate target, then
>> actions = trunc(100), clone(tnl(...)),  actionX,
>> Inside clone will see packet of size 100, and actionX sees original
>> size. Then I think we don't need to introduce trunc2?
> 
> This is a reasonable approach. Thanks for the suggestion.
> 
> Picking up the topic of trunc on patch port.
> 
> Instead of banning trunc output to a patch port, any down side of
> translating that
> to trunc, clone()? After all, native tunneling
> looks a lot like patch port conceptually.
> 

Right, why should truncated OUTPUT to a patch port behave any different from 
any other OUTPUT port?

  Jarno

> 
>> 
>> Regards,
>> William
>> 
 
>>>> Without the "Avoid recirculation" patch we have two datapath flows, because the
>>>> packet is recirculated. At the end of the first flow the packet size is changed
>>>> and the packet with modified size enters the OF pipeline again.
>>>> 
>>>> What is the reason not to change packet size when truncate action is applied?
 
>>> 
>>> One of the reasons could be that we introduced trunc before clone. 
>>> Otherwise, a
>>> clone(trunc2, output:x) is equivalent to trunc, output:x.  Note that
>>> the trunc datapath
>>> action is different than other datapath actions, which usually applies
>>> to all following
>>> actions. Native tunneling may be the first use case that motivates
>>> trunc2, which should
>>> have the normal datapath action behavior.
>>> 



Re: [ovs-dev] [PATCH 2/2] revalidator: Fix logging of xlate_key() failure.

2017-05-01 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On May 1, 2017, at 12:58 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> This was being logged using xlate_strerror(), but the return code is
> actually an errno code. Use ovs_strerror() instead.
> 
> Fixes: dd0dc9eda0e0 ("revalidator: Reuse xlate_ukey from deletion.")
> Signed-off-by: Joe Stringer <j...@ovn.org>
> ---
> ofproto/ofproto-dpif-upcall.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
> index 2e23fe702281..21916731fa07 100644
> --- a/ofproto/ofproto-dpif-upcall.c
> +++ b/ofproto/ofproto-dpif-upcall.c
> @@ -2217,8 +2217,8 @@ push_dp_ops(struct udpif *udpif, struct ukey_op *ops, 
> size_t n_ops)
> if (error) {
> static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
> 
> -VLOG_WARN_RL(, "xlate_actions failed (%s)!",
> - xlate_strerror(error));
> +VLOG_WARN_RL(, "xlate_key failed (%s)!",
> + ovs_strerror(error));
> } else {
> xlate_out_uninit();
> if (netflow) {
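
Review bot: The commit message only mentions switching xlate_strerror() to ovs_strerror(), but the hunk in push_dp_ops() also renames the logged text from "xlate_actions failed" to "xlate_key failed". Mention the rename in the commit message, since anyone grepping logs or alerting on the old string will stop matching.
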
> -- 
> 2.11.1
> 



Re: [ovs-dev] [PATCH 1/2] revalidator: Revalidate ukeys created from flows.

2017-05-01 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On May 1, 2017, at 12:58 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> If there is no active ukey for a particular datapath flow, and it is
> dumped from the datapath, then the revalidator threads will assemble a
> ukey based on the datapath flow. This will allow tracking of the stats
> for proper attribution, and future validation of the flow.
> 
> However, until now when creating the ukey in this context, the ukey's
> 'reval_seq' has been set to the current udpif's reval_seq. This implies
> that the flow has been validated against the current flow table.
> However, this is not true - The flow appeared in the datapath without
> any prior knowledge in this OVS instance so we should set up the
> reval_seq of the ukey to ensure that the flow will be validated during
> the current dump/revalidation cycle.
> 
> Refer also revalidate_ukey().
> 
> Fixes: 23597df05226 ("upcall: Create ukeys in handler threads.")
> Signed-off-by: Joe Stringer <j...@ovn.org>
> ---
> ofproto/ofproto-dpif-upcall.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
> index 18be901d0b8a..2e23fe702281 100644
> --- a/ofproto/ofproto-dpif-upcall.c
> +++ b/ofproto/ofproto-dpif-upcall.c
> @@ -1612,7 +1612,7 @@ ukey_create_from_dpif_flow(const struct udpif *udpif,
> }
> 
> dump_seq = seq_read(udpif->dump_seq);
> -reval_seq = seq_read(udpif->reval_seq);
> +reval_seq = seq_read(udpif->reval_seq) - 1; /* Ensure revalidation. */
> ofpbuf_use_const(, >actions, flow->actions_len);
> *ukey = ukey_create__(flow->key, flow->key_len,
>   flow->mask, flow->mask_len, flow->ufid_present,
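
Review bot: The "- 1" on seq_read(udpif->reval_seq) in ukey_create_from_dpif_flow() relies on how revalidate_ukey() compares the stored value with the current reval_seq, and the comment "Ensure revalidation." does not explain that. Expand the comment to say that the ukey is deliberately given a value different from the current reval_seq so that it is treated as not yet validated during the current dump/revalidation cycle.
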
> -- 
> 2.11.1
> 



Re: [ovs-dev] [patch_v7 2/9] dpdk: Remove batch sorting in userspace conntrack.

2017-05-01 Thread Jarno Rajahalme
Would be nice to have a commit message, with the motivation for the change.

  Jarno

> On Mar 24, 2017, at 2:15 AM, Darrell Ball  wrote:
> 
> Signed-off-by: Darrell Ball 
> Acked-by: Flavio Leitner 
> ---
> lib/conntrack.c | 58 +++--
> 1 file changed, 11 insertions(+), 47 deletions(-)
> 
> diff --git a/lib/conntrack.c b/lib/conntrack.c
> index 4f490fb..9a0763e 100644
> --- a/lib/conntrack.c
> +++ b/lib/conntrack.c
> @@ -318,22 +318,9 @@ conntrack_execute(struct conntrack *ct, struct 
> dp_packet_batch *pkt_batch,
> {
> struct dp_packet **pkts = pkt_batch->packets;
> size_t cnt = pkt_batch->count;
> -#if !defined(__CHECKER__) && !defined(_WIN32)
> -const size_t KEY_ARRAY_SIZE = cnt;
> -#else
> -enum { KEY_ARRAY_SIZE = NETDEV_MAX_BURST };
> -#endif
> -struct conn_lookup_ctx ctxs[KEY_ARRAY_SIZE];
> -int8_t bucket_list[CONNTRACK_BUCKETS];
> -struct {
> -unsigned bucket;
> -unsigned long maps;
> -} arr[KEY_ARRAY_SIZE];
> +struct conn_lookup_ctx ctx;
> long long now = time_msec();
> size_t i = 0;
> -uint8_t arrcnt = 0;
> -
> -BUILD_ASSERT_DECL(sizeof arr[0].maps * CHAR_BIT >= NETDEV_MAX_BURST);
> 
> if (helper) {
> static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 5);
> @@ -342,48 +329,25 @@ conntrack_execute(struct conntrack *ct, struct 
> dp_packet_batch *pkt_batch,
> /* Continue without the helper */
> }
> 
> -memset(bucket_list, INT8_C(-1), sizeof bucket_list);
> for (i = 0; i < cnt; i++) {
> -unsigned bucket;
> 
> -if (!conn_key_extract(ct, pkts[i], dl_type, [i], zone)) {
> +if (!conn_key_extract(ct, pkts[i], dl_type, , zone)) {
> write_ct_md(pkts[i], CS_INVALID, zone, NULL, NULL);
> continue;
> }
> 
> -bucket = hash_to_bucket(ctxs[i].hash);
> -if (bucket_list[bucket] == INT8_C(-1)) {
> -bucket_list[bucket] = arrcnt;
> -
> -arr[arrcnt].maps = 0;
> -ULLONG_SET1(arr[arrcnt].maps, i);
> -arr[arrcnt++].bucket = bucket;
> -} else {
> -ULLONG_SET1(arr[bucket_list[bucket]].maps, i);
> -}
> -}
> -
> -for (i = 0; i < arrcnt; i++) {
> -struct conntrack_bucket *ctb = >buckets[arr[i].bucket];
> -size_t j;
> -
> +struct conntrack_bucket *ctb = >buckets[i];
> ct_lock_lock(>lock);
> +conn_key_lookup(ctb, , now);
> +struct conn *conn = process_one(ct, pkts[i], , zone,
> +force, commit, now);
> 
> -ULLONG_FOR_EACH_1(j, arr[i].maps) {
> -struct conn *conn;
> -
> -conn_key_lookup(ctb, [j], now);
> -
> -conn = process_one(ct, pkts[j], [j], zone, force, commit,
> -   now);
> -
> -if (conn && setmark) {
> -set_mark(pkts[j], conn, setmark[0], setmark[1]);
> -}
> +if (conn && setmark) {
> +set_mark(pkts[i], conn, setmark[0], setmark[1]);
> +}
> 
> -if (conn && setlabel) {
> -set_label(pkts[j], conn, [0], [1]);
> -}
> +if (conn && setlabel) {
> +set_label(pkts[i], conn, [0], [1]);
> }
> ct_lock_unlock(>lock);
> }
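
Review bot: The added "struct conntrack_bucket *ctb = >buckets[i];" picks the bucket by the packet's position in the batch, whereas the removed code used "bucket = hash_to_bucket(ctxs[i].hash)". As written, the lock is taken and conn_key_lookup() runs on a bucket unrelated to the connection's hash, and 'i' is bounded by the batch size rather than by the number of buckets. Index with hash_to_bucket(ctx.hash) instead.
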
> -- 
> 1.9.1
> 


Re: [ovs-dev] [PATCH v2] config: Define OVS_CT_EVENT_* mask macros.

2017-04-28 Thread Jarno Rajahalme

> On Apr 28, 2017, at 5:56 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 28 April 2017 at 17:46, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Unconditionally define OVS_CT_EVENT_* macros for the datapath netlink
>> interface so that we do not need to include platform dependent files.
>> This fixes the build on non-Linux (and non-Windows) platforms.
>> 
>> Also define a macro for the default set of events set by OVS userspace.
>> 
>> Reported-by: Joe Stringer <j...@ovn.org>
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
> 
> Thanks, this approach looks more robust, and it fixes the current
> breakage on travis:
> https://travis-ci.org/joestringer/openvswitch/builds/227028848
> 
> Acked-by: Joe Stringer <j...@ovn.org>

Thanks, pushed to master,

  Jarno



Re: [ovs-dev] [RFC PATCH] config: Compat for older kernels not having IPCT_LABEL.

2017-04-28 Thread Jarno Rajahalme

> On Apr 28, 2017, at 4:53 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 28 April 2017 at 15:49, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Detect the presence of enum ip_conntrack_events member IPCT_LABEL at
>> configure time, and define it in the generated odp-netlink.h if
>> missing.  This allows OVS userspace to be compiled with older Linux
>> kernel headers, such as those used in Travis userspace builds.
>> 
>> Reported-by: Joe Stringer <j...@ovn.org>
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
>> acinclude.m4| 7 ++-
>> build-aux/extract-odp-netlink-h | 4 
>> 2 files changed, 10 insertions(+), 1 deletion(-)
>> 
>> diff --git a/acinclude.m4 b/acinclude.m4
>> index 7e4acc9..ea25e08 100644
>> --- a/acinclude.m4
>> +++ b/acinclude.m4
>> @@ -322,7 +322,8 @@ dnl Looks for STRUCTURE in FILE. If it is found, greps 
>> for REGEX within the
>> dnl structure definition. If this is successful, runs IF-MATCH, otherwise
>> dnl IF_NO_MATCH. If IF-MATCH is empty then it defines to
>> dnl OVS_DEFINE(HAVE__WITH_), with  and 
>> -dnl translated to uppercase.
>> +dnl translated to uppercase.  Note that this works equally well for finding
>> +dnl enum definitions.
>> AC_DEFUN([OVS_FIND_FIELD_IFELSE], [
>>   AC_MSG_CHECKING([whether $2 has member $3 in $1])
>>   if test -f $1; then
>> @@ -551,6 +552,10 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
>>   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], 
>> [nf_ct_nat_ext_add])
>>   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], 
>> [nf_nat_alloc_null_binding])
>>   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], 
>> [nf_ct_seq_adjust])
>> +  
>> OVS_FIND_FIELD_IFELSE([$KSRC/include/uapi/linux/netfilter/nf_conntrack_common.h],
>> +[ip_conntrack_events], [IPCT_LABEL],
>> +[AC_DEFINE([HAVE_IPCT_LABEL], [1],
>> +  [Define to 1 if the kernel headers have the IPCT_LABEL defined in enum 
>> ip_conntrack_events])])
> 
> I haven't tried this, but doesn't it require you to configure with
> "--with-linux" to get $KSRC ?

Thanks for noticing this. I did a totally different approach for v2 that will 
work on all platforms.

  Jarno




[ovs-dev] [PATCH v2] config: Define OVS_CT_EVENT_* mask macros.

2017-04-28 Thread Jarno Rajahalme
Unconditionally define OVS_CT_EVENT_* macros for the datapath netlink
interface so that we do not need to include platform dependent files.
This fixes the build on non-Linux (and non-Windows) platforms.

Also define a macro for the default set of events set by OVS userspace.

Reported-by: Joe Stringer <j...@ovn.org>
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 build-aux/extract-odp-netlink-h | 19 +--
 ofproto/ofproto-dpif-xlate.c|  4 +---
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/build-aux/extract-odp-netlink-h b/build-aux/extract-odp-netlink-h
index 7fb6ce8..a509adb 100755
--- a/build-aux/extract-odp-netlink-h
+++ b/build-aux/extract-odp-netlink-h
@@ -19,9 +19,24 @@ $i\
 #ifdef _WIN32\
 #include "OvsDpInterfaceExt.h"\
 #include "OvsDpInterfaceCtExt.h"\
-#else\
-#include "linux/netfilter/nf_conntrack_common.h"\
 #endif\
+\
+/* IPCT_* enums may not be defined in all platforms, so do not use them. */\
+#define OVS_CT_EVENT_NEW   (1 << 0)   /* 1 << IPCT_NEW */\
+#define OVS_CT_EVENT_RELATED   (1 << 1)   /* 1 << IPCT_RELATED */\
+#define OVS_CT_EVENT_DESTROY   (1 << 2)   /* 1 << IPCT_DESTROY */\
+#define OVS_CT_EVENT_REPLY (1 << 3)   /* 1 << IPCT_REPLY */\
+#define OVS_CT_EVENT_ASSURED   (1 << 4)   /* 1 << IPCT_ASSURED */\
+#define OVS_CT_EVENT_PROTOINFO (1 << 5)   /* 1 << IPCT_PROTOINFO */\
+#define OVS_CT_EVENT_HELPER(1 << 6)   /* 1 << IPCT_HELPER */\
+#define OVS_CT_EVENT_MARK  (1 << 7)   /* 1 << IPCT_MARK */\
+#define OVS_CT_EVENT_SEQADJ(1 << 8)   /* 1 << IPCT_SEQADJ */\
+#define OVS_CT_EVENT_SECMARK   (1 << 9)   /* 1 << IPCT_SECMARK */\
+#define OVS_CT_EVENT_LABEL (1 << 10)  /* 1 << IPCT_LABEL */\
+\
+#define OVS_CT_EVENTMASK_DEFAULT \\\
+  (OVS_CT_EVENT_NEW | OVS_CT_EVENT_RELATED | OVS_CT_EVENT_DESTROY |\\\
+   OVS_CT_EVENT_MARK | OVS_CT_EVENT_LABEL)\
 
 # Use OVS's own struct eth_addr instead of a 6-byte char array.
 s,,"openvswitch/types.h"\
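
Review bot: The OVS_CT_EVENT_* values hard-code the bit positions of the IPCT_* enum, with only the trailing comments tying them together, so nothing fails if the two ever disagree. On builds where "linux/netfilter/nf_conntrack_common.h" is available, add a build-time assertion that each OVS_CT_EVENT_x equals 1 << IPCT_x. Also, as rendered here OVS_CT_EVENT_HELPER(1 << 6) and OVS_CT_EVENT_SEQADJ(1 << 8) have no space before the parenthesis, which the preprocessor would read as function-like macros; check that the applied patch keeps the whitespace.
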
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index 32cb022..16dae15 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -5363,9 +5363,7 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct 
ofpact_conntrack *ofc)
 OVS_CT_ATTR_FORCE_COMMIT : OVS_CT_ATTR_COMMIT);
 if (ctx->xbridge->support.ct_eventmask) {
 nl_msg_put_u32(ctx->odp_actions, OVS_CT_ATTR_EVENTMASK,
-   1 << IPCT_NEW | 1 << IPCT_RELATED |
-   1 << IPCT_DESTROY | 1 << IPCT_MARK |
-   1 << IPCT_LABEL);
+   OVS_CT_EVENTMASK_DEFAULT);
 }
 }
 nl_msg_put_u16(ctx->odp_actions, OVS_CT_ATTR_ZONE, zone);
-- 
2.1.4



Re: [ovs-dev] [v2] vswitchd: Add --cleanup option to the 'appctl exit' command

2017-04-28 Thread Jarno Rajahalme
Some types noted below, otherwise:

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Apr 26, 2017, at 3:38 PM, Andy Zhou <az...@ovn.org> wrote:
> 
> 'appctl exit' stops the running vswitchd daemon, without releasing
> the datapath resources (such as bridges and ports) that vswitchd
> has created.  This is expected when vswitchd is to be relaunched, to
> reduce the perturbation of exiting traffic and connections.
> 
> However, when vswitchd is intended to be shutdown permanently, it
> is desirable not to leak datapath resources.  In theory, this can be
> achieved by removing the corresponding configurations from
> OVSDB before shutting down vswitchd. However it is not always
> possible in practice. Sometimes it is convenient and robust for
> vswitchd to release all datapath resources that it has configured.
> Add 'appctl exit --cleanup' option for this use case.
> 
> Signed-off-by: Andy Zhou <az...@ovn.org>
> 
> ---
> v1->v2:
>   remove 'appctl quit', Change to 'appctl exit --cleanup'
>   Add more details to the commit message.
> ---
> NEWS   |  1 +
> ofproto/ofproto-dpif.c | 11 +++
> ofproto/ofproto-provider.h |  2 +-
> ofproto/ofproto.c  |  2 +-
> vswitchd/bridge.c  |  4 ++--
> vswitchd/bridge.h  |  4 +++-
> vswitchd/ovs-vswitchd.8.in |  7 +--
> vswitchd/ovs-vswitchd.c| 23 ---
> 8 files changed, 36 insertions(+), 18 deletions(-)
> 
> diff --git a/NEWS b/NEWS
> index ea97d84a2dea..ee50c6660468 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -26,6 +26,7 @@ Post-v2.7.0
>  * Bundles now support hashing by just nw_src or nw_dst.
>  * The "learn" action now supports a "limit" option (see ovs-ofctl(8)).
>  * The port status bit OFPPS_LIVE now reflects link aliveness.
> +   - Add --cleanup option to command 'ovs-appctl exit' (see ovs-vswitchd(8)).
> 
> v2.7.0 - 21 Feb 2017
> -
> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
> index c73c2738c91c..bd2eaa60d36b 100644
> --- a/ofproto/ofproto-dpif.c
> +++ b/ofproto/ofproto-dpif.c
> @@ -645,7 +645,7 @@ dealloc(struct ofproto *ofproto_)
> }
> 
> static void
> -close_dpif_backer(struct dpif_backer *backer)
> +close_dpif_backer(struct dpif_backer *backer, bool del)
> {
> ovs_assert(backer->refcount > 0);
> 
> @@ -661,6 +661,9 @@ close_dpif_backer(struct dpif_backer *backer)
> shash_find_and_delete(_dpif_backers, backer->type);
> free(backer->type);
> free(backer->dp_version_string);
> +if (del) {
> +dpif_delete(backer->dpif);
> +}
> dpif_close(backer->dpif);
> free(backer);
> }
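
Review bot: In close_dpif_backer() the result of dpif_delete(backer->dpif) is dropped. If the delete can fail, the datapath is left behind silently, which is exactly the leak '--cleanup' is meant to prevent; log a warning with the error when it does. The new 'del' parameter also deserves a line in the function comment.
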
> @@ -772,7 +775,7 @@ open_dpif_backer(const char *type, struct dpif_backer 
> **backerp)
> if (error) {
> VLOG_ERR("failed to listen on datapath of type %s: %s",
>  type, ovs_strerror(error));
> -close_dpif_backer(backer);
> +close_dpif_backer(backer, false);
> return error;
> }
> 
> @@ -1452,7 +1455,7 @@ add_internal_flows(struct ofproto_dpif *ofproto)
> }
> 
> static void
> -destruct(struct ofproto *ofproto_)
> +destruct(struct ofproto *ofproto_, bool del)
> {
> struct ofproto_dpif *ofproto = ofproto_dpif_cast(ofproto_);
> struct ofproto_async_msg *am;
> @@ -1505,7 +1508,7 @@ destruct(struct ofproto *ofproto_)
> 
> seq_destroy(ofproto->ams_seq);
> 
> -close_dpif_backer(ofproto->backer);
> +close_dpif_backer(ofproto->backer, del);
> }
> 
> static int
> diff --git a/ofproto/ofproto-provider.h b/ofproto/ofproto-provider.h
> index b7b12cdfd5f4..ef993d0afc4d 100644
> --- a/ofproto/ofproto-provider.h
> +++ b/ofproto/ofproto-provider.h
> @@ -828,7 +828,7 @@ struct ofproto_class {
>  */
> struct ofproto *(*alloc)(void);
> int (*construct)(struct ofproto *ofproto);
> -void (*destruct)(struct ofproto *ofproto);
> +void (*destruct)(struct ofproto *ofproto, bool del);
> void (*dealloc)(struct ofproto *ofproto);
> 
> /* Performs any periodic activity required by 'ofproto'.  It should:
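
Review bot: The destruct() member gains a 'del' argument, but the ofproto_class documentation around it is not updated in this hunk. Describe what an implementation must do when 'del' is true (release the datapath resources it created, per the commit message) so that other providers implement the new signature consistently.
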
> diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
> index ca0f3e49bd67..7bc7b7f99d0d 100644
> --- a/ofproto/ofproto.c
> +++ b/ofproto/ofproto.c
> @@ -1651,7 +1651,7 @@ ofproto_destroy(struct ofproto *p, bool del)
> free(usage);
> }
> 
> -p->ofproto_class->destruct(p);
> +p->ofproto_class->destruct(p, del);
> 
> /* We should not postpone this because it involves deleting a listening
>  * socket which we may want to reopen soon. 'connmgr' may be used by other
> diff

Re: [ovs-dev] [PATCH] travis: Break Mac OS build for format specifier warnings.

2017-04-28 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Mar 20, 2017, at 10:10 PM, Ben Pfaff <b...@ovn.org> wrote:
> 
> Until now, the Travis build for Mac OS X has been configured to ignore
> format specifier warnings.  These warnings have now been fixed, so this
> commit changes such warnings to error.
> 
> Suggested-by: Daniele Di Proietto <diproiet...@ovn.org>
> Signed-off-by: Ben Pfaff <b...@ovn.org>
> ---
> .travis/osx-build.sh | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/.travis/osx-build.sh b/.travis/osx-build.sh
> index 4db9c8d048a4..f11d7b9af5d6 100755
> --- a/.travis/osx-build.sh
> +++ b/.travis/osx-build.sh
> @@ -2,7 +2,7 @@
> 
> set -o errexit
> 
> -CFLAGS="-Werror -Wno-error=format $CFLAGS"
> +CFLAGS="-Werror $CFLAGS"
> EXTRA_OPTS=""
> 
> function configure_ovs()
> -- 
> 2.10.2
> 


Re: [ovs-dev] [PATCH] compat: Remove unused netdevice backport code.

2017-04-28 Thread Jarno Rajahalme
Maybe mention in the commit message that these are unused due to older than 
X.Y.Z Linux kernel versions not being supported any more.

Acked-by: Jarno Rajahalme <ja...@ovn.org>


> On Feb 8, 2017, at 4:50 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> Signed-off-by: Joe Stringer <j...@ovn.org>
> ---
> datapath/linux/compat/include/linux/netdevice.h |  5 --
> datapath/linux/compat/netdevice.c   | 71 -
> 2 files changed, 76 deletions(-)
> 
> diff --git a/datapath/linux/compat/include/linux/netdevice.h 
> b/datapath/linux/compat/include/linux/netdevice.h
> index 9982fd7f686e..75315dc16e02 100644
> --- a/datapath/linux/compat/include/linux/netdevice.h
> +++ b/datapath/linux/compat/include/linux/netdevice.h
> @@ -89,11 +89,6 @@ struct sk_buff *rpl_skb_gso_segment(struct sk_buff *skb, 
> netdev_features_t featu
> }
> #endif
> 
> -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,38)
> -#define netif_skb_features rpl_netif_skb_features
> -netdev_features_t rpl_netif_skb_features(struct sk_buff *skb);
> -#endif
> -
> #ifdef HAVE_NETIF_NEEDS_GSO_NETDEV
> #define netif_needs_gso rpl_netif_needs_gso
> static inline bool netif_needs_gso(struct sk_buff *skb,
> diff --git a/datapath/linux/compat/netdevice.c 
> b/datapath/linux/compat/netdevice.c
> index e28b878eea16..c0ffbbd31bee 100644
> --- a/datapath/linux/compat/netdevice.c
> +++ b/datapath/linux/compat/netdevice.c
> @@ -4,77 +4,6 @@
> 
> #include "gso.h"
> 
> -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,38)
> -#ifndef HAVE_CAN_CHECKSUM_PROTOCOL
> -static bool can_checksum_protocol(netdev_features_t features, __be16 
> protocol)
> -{
> - return  ((features & NETIF_F_GEN_CSUM) ||
> - ((features & NETIF_F_V4_CSUM) &&
> - protocol == htons(ETH_P_IP)) ||
> - ((features & NETIF_F_V6_CSUM) &&
> - protocol == htons(ETH_P_IPV6)) ||
> - ((features & NETIF_F_FCOE_CRC) &&
> - protocol == htons(ETH_P_FCOE)));
> -}
> -#endif
> -
> -static inline int illegal_highdma(struct net_device *dev, struct sk_buff 
> *skb)
> -{
> -#ifdef CONFIG_HIGHMEM
> - int i;
> -
> - if (dev->features & NETIF_F_HIGHDMA)
> - return 0;
> -
> - for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
> - if (PageHighMem(skb_shinfo(skb)->frags[i].page))
> - return 1;
> -
> -#endif
> - return 0;
> -}
> -
> -static netdev_features_t harmonize_features(struct sk_buff *skb,
> - __be16 protocol,
> - netdev_features_t features)
> -{
> - if (!can_checksum_protocol(features, protocol)) {
> - features &= ~NETIF_F_ALL_CSUM;
> - features &= ~NETIF_F_SG;
> - } else if (illegal_highdma(skb->dev, skb)) {
> - features &= ~NETIF_F_SG;
> - }
> -
> - return features;
> -}
> -
> -netdev_features_t rpl_netif_skb_features(struct sk_buff *skb)
> -{
> - unsigned long vlan_features = skb->dev->vlan_features;
> -
> - __be16 protocol = skb->protocol;
> - netdev_features_t features = skb->dev->features;
> -
> - if (protocol == htons(ETH_P_8021Q)) {
> - struct vlan_ethhdr *veh = (struct vlan_ethhdr *)skb->data;
> - protocol = veh->h_vlan_encapsulated_proto;
> - } else if (!skb_vlan_tag_present(skb)) {
> - return harmonize_features(skb, protocol, features);
> - }
> -
> - features &= (vlan_features | NETIF_F_HW_VLAN_TX);
> -
> - if (protocol != htons(ETH_P_8021Q)) {
> - return harmonize_features(skb, protocol, features);
> - } else {
> - features &= NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST |
> - NETIF_F_GEN_CSUM | NETIF_F_HW_VLAN_TX;
> - return harmonize_features(skb, protocol, features);
> - }
> -}
> -EXPORT_SYMBOL_GPL(rpl_netif_skb_features);
> -#endif   /* kernel version < 2.6.38 */
> -
> #ifdef OVS_USE_COMPAT_GSO_SEGMENTATION
> struct sk_buff *rpl__skb_gso_segment(struct sk_buff *skb,
>   netdev_features_t features,
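Review bot: The removed block contains a use of `HAVE_CAN_CHECKSUM_PROTOCOL` (`#ifndef HAVE_CAN_CHECKSUM_PROTOCOL` around `can_checksum_protocol()`). If nothing else in the compat layer tests that symbol, the configure probe that defines it is now dead and could be dropped in the same patch. The commit message also has no body; stating the minimum supported kernel that makes the `< KERNEL_VERSION(2,6,38)` code unreachable would make the removal easy to audit.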
> -- 
> 2.11.0
> 



[ovs-dev] [RFC PATCH] config: Compat for older kernels not having IPCT_LABEL.

2017-04-28 Thread Jarno Rajahalme
Detect the presence of enum ip_conntrack_events member IPCT_LABEL at
configure time, and define it in the generated odp-netlink.h if
missing.  This allows OVS userspace to be compiled with older Linux
kernel headers, such as those used in Travis userspace builds.

Reported-by: Joe Stringer <j...@ovn.org>
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 acinclude.m4| 7 ++-
 build-aux/extract-odp-netlink-h | 4 
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/acinclude.m4 b/acinclude.m4
index 7e4acc9..ea25e08 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -322,7 +322,8 @@ dnl Looks for STRUCTURE in FILE. If it is found, greps for 
REGEX within the
 dnl structure definition. If this is successful, runs IF-MATCH, otherwise
 dnl IF_NO_MATCH. If IF-MATCH is empty then it defines to
 dnl OVS_DEFINE(HAVE__WITH_), with  and 
-dnl translated to uppercase.
+dnl translated to uppercase.  Note that this works equally well for finding
+dnl enum definitions.
 AC_DEFUN([OVS_FIND_FIELD_IFELSE], [
   AC_MSG_CHECKING([whether $2 has member $3 in $1])
   if test -f $1; then
@@ -551,6 +552,10 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_ct_nat_ext_add])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], 
[nf_nat_alloc_null_binding])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], 
[nf_ct_seq_adjust])
+  
OVS_FIND_FIELD_IFELSE([$KSRC/include/uapi/linux/netfilter/nf_conntrack_common.h],
+[ip_conntrack_events], [IPCT_LABEL],
+[AC_DEFINE([HAVE_IPCT_LABEL], [1],
+  [Define to 1 if the kernel headers have the IPCT_LABEL defined in enum 
ip_conntrack_events])])
 
   OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32])
   OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32_max])
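Review bot: The new `OVS_FIND_FIELD_IFELSE` probe reads `$KSRC/include/uapi/linux/netfilter/nf_conntrack_common.h` from inside `OVS_CHECK_LINUX_COMPAT`, while the case named in the commit message is userspace compiled against older kernel headers. Please confirm that this check runs in a userspace-only build and inspects the header that userspace actually includes; otherwise `HAVE_IPCT_LABEL` is never defined there and the fallback define is always taken.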
diff --git a/build-aux/extract-odp-netlink-h b/build-aux/extract-odp-netlink-h
index 7fb6ce8..60c0c0f 100755
--- a/build-aux/extract-odp-netlink-h
+++ b/build-aux/extract-odp-netlink-h
@@ -21,6 +21,10 @@ $i\
 #include "OvsDpInterfaceCtExt.h"\
 #else\
 #include "linux/netfilter/nf_conntrack_common.h"\
+/* Allow building userspace with older kernel headers. */\
+#ifndef HAVE_IPCT_LABEL\
+#define IPCT_LABEL 10\
+#endif\
 #endif\
 
 # Use OVS's own struct eth_addr instead of a 6-byte char array.
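Review bot: `#define IPCT_LABEL 10` copies a kernel UAPI enum value as a bare number, and the `#ifndef HAVE_IPCT_LABEL` guard only works if the configure-generated header that defines `HAVE_IPCT_LABEL` is included before odp-netlink.h in every file that uses it. Extend the added comment to say that 10 mirrors the member's position in `enum ip_conntrack_events`, and state the include-order requirement next to the guard.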
-- 
2.1.4



Re: [ovs-dev] [PATCH v5] xlate: Use OVS_CT_ATTR_EVENTMASK.

2017-04-28 Thread Jarno Rajahalme

> On Apr 28, 2017, at 12:31 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 27 April 2017 at 17:21, Jarno Rajahalme <ja...@ovn.org 
> <mailto:ja...@ovn.org>> wrote:
>> Specify the event mask with CT commit including bits for CT features
>> exposed at the OVS interface (mark and label changes in addition to
>> basic creation and destruction of conntrack entries).
>> 
>> Without this any listener of conntrack update events will typically
>> (depending on system configuration) receive events for each L4 (e.g.,
>> TCP) state machine change, which can multiply the number of events
>> received per connection.
>> 
>> By including the new, related, and destroy events any listener of new
>> conntrack events gets notified of new related and non-related
>> connections, and any listener of destroy events will get notified of
>> deleted (typically timed out) conntrack entries.
>> 
>> By including the flags for mark and labels, any listener of conntrack
>> update events gets notified whenever the connmark or conntrack labels
>> are changed from the values reported within the new events.
>> 
>> VMware-BZ: #1837218
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> Acked-by: Joe Stringer <j...@ovn.org>
>> ---
>> v5: Use addresses in the loopback range and zero port numbers in the probe
>>to avoid hitting any real conntrack entries.
> 
> Thanks for spinning this new version out, it seems unlikely to clash
> with existing connections now. LGTM.

Thanks, pushed to master.

  Jarno
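
The effect of the event mask described in the commit message above, as an added example that is not part of the original thread, of OVS, or of the kernel: a simplified model in which one report is generated per update whose pending events intersect the mask. The IPCT_* values are a local copy of the kernel enum positions (an assumption, consistent with the `IPCT_LABEL 10` fallback quoted on this page), and the event sequence is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local copy of the bit positions in the kernel's enum ip_conntrack_events.
 * Assumption: values as in the upstream UAPI header; nothing is included
 * from the kernel so the example builds anywhere. */
enum {
    IPCT_NEW = 0, IPCT_RELATED = 1, IPCT_DESTROY = 2, IPCT_REPLY = 3,
    IPCT_ASSURED = 4, IPCT_PROTOINFO = 5, IPCT_HELPER = 6, IPCT_MARK = 7,
    IPCT_SEQADJ = 8, IPCT_SECMARK = 9, IPCT_LABEL = 10
};

#define EV(bit) (UINT32_C(1) << (bit))

/* The mask the patch attaches to a CT commit: creation, related,
 * destruction, and the two fields OVS exposes (mark and labels). */
static uint32_t ovs_commit_eventmask(void)
{
    return EV(IPCT_NEW) | EV(IPCT_RELATED) | EV(IPCT_DESTROY)
           | EV(IPCT_MARK) | EV(IPCT_LABEL);
}

/* Constructed sample: events pending after each update of one TCP
 * connection that also gets a connmark and a label set. */
static const uint32_t tcp_lifecycle[] = {
    EV(IPCT_NEW),                           /* SYN */
    EV(IPCT_REPLY) | EV(IPCT_PROTOINFO),    /* SYN+ACK */
    EV(IPCT_ASSURED) | EV(IPCT_PROTOINFO),  /* ACK, established */
    EV(IPCT_MARK),                          /* connmark set */
    EV(IPCT_PROTOINFO),                     /* FIN */
    EV(IPCT_PROTOINFO),                     /* FIN from peer */
    EV(IPCT_PROTOINFO),                     /* last ACK */
    EV(IPCT_LABEL),                         /* label changed */
    EV(IPCT_DESTROY),                       /* entry timed out */
};
#define N_UPDATES (sizeof tcp_lifecycle / sizeof tcp_lifecycle[0])

/* Simplified delivery model: an update produces a report only if at least
 * one of its pending events is enabled in 'ctmask'.  'seen' collects the
 * event bits a userspace listener would observe. */
static size_t count_reports(const uint32_t *pending, size_t n,
                            uint32_t ctmask, uint32_t *seen)
{
    size_t reports = 0;

    *seen = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t deliver = pending[i] & ctmask;

        if (deliver) {
            reports++;
            *seen |= deliver;
        }
    }
    return reports;
}

int main(void)
{
    uint32_t seen;
    size_t all = count_reports(tcp_lifecycle, N_UPDATES, UINT32_MAX, &seen);
    size_t ovs = count_reports(tcp_lifecycle, N_UPDATES,
                               ovs_commit_eventmask(), &seen);

    printf("default all-ones mask: %zu reports\n", all);
    printf("OVS commit mask 0x%x: %zu reports, bits seen 0x%x\n",
           (unsigned) ovs_commit_eventmask(), ovs, (unsigned) seen);
    return 0;
}
```

The L4 state machine updates (PROTOINFO, REPLY, ASSURED) are the ones the mask suppresses; a monitor that relies on them for detection has to account for their absence on OVS-committed connections.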



Re: [ovs-dev] [action upcall meter v2 5/5] ofproto: Meter slowpath action when action upcall meters are configured

2017-04-28 Thread Jarno Rajahalme
With the white-space nits below:

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Apr 28, 2017, at 2:01 AM, Andy Zhou <az...@ovn.org> wrote:
> 
> If a slow path action is a controller action, meter it when the
> controller meter is configured.  For other kinds of slow path actions,
> meter it when the slowpath meter is configured.
> 
> Note, this patch only considers the meters configuration of the
> packet's input bridge, which may not be the same bridge that the
> action is generated.
> 
> Signed-off-by: Andy Zhou <az...@ovn.org>
> 
> ---
> v1->v2:  fix style issues
> in test, dump and verify meter stats
> ---
> ofproto/ofproto-dpif-upcall.c | 34 +++---
> tests/ofproto-dpif.at | 38 ++
> 2 files changed, 69 insertions(+), 3 deletions(-)
> 
> diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
> index a3b650d38050..185d8acbc9a3 100644
> --- a/ofproto/ofproto-dpif-upcall.c
> +++ b/ofproto/ofproto-dpif-upcall.c
> @@ -1025,7 +1025,8 @@ classify_upcall(enum dpif_upcall_type type, const 
> struct nlattr *userdata)
> static void
> compose_slow_path(struct udpif *udpif, struct xlate_out *xout,
>   const struct flow *flow, odp_port_t odp_in_port,
> -  struct ofpbuf *buf)
> +  struct ofpbuf *buf, uint32_t slowpath_meter_id,
> +  uint32_t controller_meter_id)
> {
> union user_action_cookie cookie;
> odp_port_t port;
> @@ -1039,8 +1040,28 @@ compose_slow_path(struct udpif *udpif, struct 
> xlate_out *xout,
> ? ODPP_NONE
> : odp_in_port;
> pid = dpif_port_get_pid(udpif->dpif, port, flow_hash_5tuple(flow, 0));
> +
> +size_t offset;
> +size_t ac_offset;
> +uint32_t meter_id = xout->slow & SLOW_CONTROLLER ? controller_meter_id
> + : slowpath_meter_id;
> +
> +if (meter_id != UINT32_MAX) {
> +/* If slowpath meter is configured, generate clone(meter, userspace)
> + * action.   */

Too much white space at the end of the comment.

> +offset = nl_msg_start_nested(buf, OVS_ACTION_ATTR_SAMPLE);
> +nl_msg_put_u32(buf, OVS_SAMPLE_ATTR_PROBABILITY, UINT32_MAX);
> +ac_offset = nl_msg_start_nested(buf, OVS_SAMPLE_ATTR_ACTIONS);
> +nl_msg_put_u32(buf, OVS_ACTION_ATTR_METER, meter_id);
> +}
> +
> odp_put_userspace_action(pid, , sizeof cookie.slow_path,
>  ODPP_NONE, false, buf);
> +
> +if (meter_id != UINT32_MAX) {
> +nl_msg_end_nested(buf, ac_offset);
> +nl_msg_end_nested(buf, offset);
> +}
> }
> 
> /* If there is no error, the upcall must be destroyed with upcall_uninit()
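Review bot: In compose_slow_path(), `offset` and `ac_offset` are declared without initializers, assigned only inside the first `if (meter_id != UINT32_MAX)`, and read in the second one. That is correct as written, but it is the pattern that draws maybe-uninitialized warnings from some compilers; initialize both at declaration, or keep a single flag set in the first block and test that flag before the two `nl_msg_end_nested()` calls.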
> @@ -1143,10 +1164,12 @@ upcall_xlate(struct udpif *udpif, struct upcall 
> *upcall,
> ofpbuf_use_const(>put_actions,
>  odp_actions->data, odp_actions->size);
> } else {
> +uint32_t smid = upcall->ofproto->up.slowpath_meter_id;
> +uint32_t cmid = upcall->ofproto->up.controller_meter_id;
> /* upcall->put_actions already initialized by upcall_receive(). */
> compose_slow_path(udpif, >xout, upcall->flow,
>   upcall->flow->in_port.odp_port,
> -  >put_actions);
> +  >put_actions, smid, cmid);
> }
> 
> /* This function is also called for slow-pathed flows.  As we are only
> @@ -1972,9 +1995,14 @@ revalidate_ukey__(struct udpif *udpif, const struct 
> udpif_key *ukey,
> }
> 
> if (xoutp->slow) {
> +struct ofproto_dpif *ofproto;
> +ofproto = xlate_lookup_ofproto(udpif->backer, , NULL);
> +uint32_t smid= ofproto->up.slowpath_meter_id;
> +uint32_t cmid= ofproto->up.controller_meter_id;
> +

2x whitespace error.

> ofpbuf_clear(odp_actions);
> compose_slow_path(udpif, xoutp, , ctx.flow.in_port.odp_port,
> -  odp_actions);
> +  odp_actions, smid, cmid);
> }
> 
> if (odp_flow_key_to_mask(ukey->mask, ukey->mask_len, _mask, )
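Review bot: In the `if (xoutp->slow)` block the result of `xlate_lookup_ofproto()` is dereferenced immediately (`ofproto->up.slowpath_meter_id`) with no NULL check. If the lookup can fail at this point, for example because the bridge went away between flow installation and revalidation, this crashes the revalidator; check the return value and fall back to `UINT32_MAX` for both ids.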
> diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
> index 22cb533b57bb..06c4e3bbf5f8 100644
> --- a/tests/ofproto-dpif.at
> +++ b/tests/ofproto-dpif.at
> @@ -1658,6 +1658,44 @@ NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=14 
> in_port=1 (via action) data_len
> vlan_tci=0x,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,dl_type=0x1234
> ])
> 
> +AT_CHECK([ovs-appctl revalidator/purge])
> +AT_CHECK([ovs-ofctl moni

Re: [ovs-dev] [action upcall meter v2 4/5] ofproto: Meter sample action when configured.

2017-04-28 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Apr 28, 2017, at 2:01 AM, Andy Zhou <az...@ovn.org> wrote:
> 
> When a slowpath meter is configured, add a meter action when translating
> the sample action.
> 
> Signed-off-by: Andy Zhou <az...@ovn.org>
> 
> ---
> v1->v2: Fix test case 1128 failure.
> ---
> ofproto/ofproto-dpif-xlate.c | 14 --
> tests/ofproto-dpif.at| 14 ++
> 2 files changed, 26 insertions(+), 2 deletions(-)
> 
> diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
> index d8c6a7ccb38c..f34413b9bc94 100644
> --- a/ofproto/ofproto-dpif-xlate.c
> +++ b/ofproto/ofproto-dpif-xlate.c
> @@ -2850,8 +2850,14 @@ compose_sample_action(struct xlate_ctx *ctx,
> return 0;
> }
> 
> -/* No need to generate sample action for 100% sampling rate. */
> -bool is_sample = probability < UINT32_MAX;
> +/* If the slow path meter is configured by the controller,
> + * insert a meter action before the user space action.  */
> +struct ofproto *ofproto = >xin->ofproto->up;
> +uint32_t meter_id = ofproto->slowpath_meter_id;
> +
> +/* When meter action is not required, avoid generate sample action
> + * for 100% sampling rate.  */
> +bool is_sample = probability < UINT32_MAX || meter_id != UINT32_MAX;
> size_t sample_offset, actions_offset;
> if (is_sample) {
> sample_offset = nl_msg_start_nested(ctx->odp_actions,
> @@ -2862,6 +2868,10 @@ compose_sample_action(struct xlate_ctx *ctx,
>  OVS_SAMPLE_ATTR_ACTIONS);
> }
> 
> +if (meter_id != UINT32_MAX) {
> +nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_METER, meter_id);
> +}
> +
> odp_port_t odp_port = ofp_port_to_odp_port(
> ctx->xbridge, ctx->xin->flow.in_port.ofp_port);
> uint32_t pid = dpif_port_get_pid(ctx->xbridge->dpif, odp_port,
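Review bot: The `nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_METER, meter_id)` call sits outside the `if (is_sample)` block and ends up nested in the sample action only because the previous hunk forces `is_sample` true whenever `meter_id != UINT32_MAX`. Add `ovs_assert(is_sample)` inside the new `if`, or move the call into the nested block, so that a later change to `is_sample` cannot emit a top-level meter whose drop band would also discard the packet for the remaining actions.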
> diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
> index 9f7c6beb0c58..22cb533b57bb 100644
> --- a/tests/ofproto-dpif.at
> +++ b/tests/ofproto-dpif.at
> @@ -6490,6 +6490,20 @@ flow-dump from non-dpdk interfaces:
> packets:2, bytes:68, used:0.001s, 
> actions:userspace(pid=0,ipfix(output_port=4294967295))
> ])
> 
> +AT_CHECK([ovs-appctl revalidator/purge])
> +dnl
> +dnl Add a slowpath meter. The userspace action should be metered.
> +AT_CHECK([ovs-ofctl -O OpenFlow13 add-meter br0 'meter=slowpath pktps burst 
> stats bands=type=drop rate=3 burst_size=1'])
> +
> +dnl Send some packets that should be sampled and metered.
> +for i in `seq 1 3`; do
> +AT_CHECK([ovs-appctl netdev-dummy/receive p1 
> 'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800)'])
> +done
> +AT_CHECK([ovs-appctl dpctl/dump-flows | sed 's/.*\(packets:\)/\1/' | sed 
> 's/used:[[0-9]].[[0-9]]*s/used:0.001s/'], [0], [dnl
> +flow-dump from non-dpdk interfaces:
> +packets:2, bytes:68, used:0.001s, 
> actions:sample(sample=100.0%,actions(meter(0),userspace(pid=0,ipfix(output_port=4294967295
> +])
> +
> dnl Remove the IPFIX configuration.
> AT_CHECK([ovs-vsctl clear bridge br0 ipfix])
> AT_CHECK([ovs-appctl revalidator/purge])
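Review bot: The added check only asserts that `meter(0)` appears in the dumped actions; nothing verifies that the `rate=3 burst_size=1` drop band counted or dropped any of the packets sent in the loop. Dumping the meter statistics after the loop and checking them would cover the behaviour the commit message describes.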
> -- 
> 1.8.3.1
> 



Re: [ovs-dev] [action upcall meter v2 2/5] ofproto-dpif: Add 'meter_ids' to backer

2017-04-28 Thread Jarno Rajahalme
With a note below:

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Apr 28, 2017, at 2:01 AM, Andy Zhou <az...@ovn.org> wrote:
> 
> Add 'meter_ids', an id-pool object to manage datapath meter id, i.e.
> provider_meter_id.
> 
> Currently, only userspace datapath supports meter, and it implements
> the provider_meter_id management. Moving this function to 'backer'
> allows other datapath implementation to share the same logic.
> 
> Signed-off-by: Andy Zhou <az...@ovn.org>
> 
> ---
> v1-v2: fix typos
> ---
> lib/dpif-netdev.c  | 24 
> ofproto/ofproto-dpif.c | 44 ++--
> ofproto/ofproto-dpif.h |  4 
> 3 files changed, 46 insertions(+), 26 deletions(-)
> 
> diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
> index b3a080628d2b..f4de737e3751 100644
> --- a/lib/dpif-netdev.c
> +++ b/lib/dpif-netdev.c
> @@ -260,7 +260,6 @@ struct dp_netdev {
> /* Meters. */
> struct ovs_mutex meter_locks[N_METER_LOCKS];
> struct dp_meter *meters[MAX_METERS]; /* Meter bands. */
> -uint32_t meter_free; /* Next free meter. */
> 
> /* Protects access to ofproto-dpif-upcall interface during revalidator
>  * thread synchronization. */
> @@ -3896,9 +3895,6 @@ dpif_netdev_meter_set(struct dpif *dpif, 
> ofproto_meter_id *meter_id,
> struct dp_meter *meter;
> int i;
> 
> -if (mid == UINT32_MAX) {
> -mid = dp->meter_free;
> -}
> if (mid >= MAX_METERS) {
> return EFBIG; /* Meter_id out of range. */
> }
> @@ -3958,21 +3954,6 @@ dpif_netdev_meter_set(struct dpif *dpif, 
> ofproto_meter_id *meter_id,
> dp->meters[mid] = meter;
> meter_unlock(dp, mid);
> 
> -meter_id->uint32 = mid; /* Store on success. */
> -
> -/* Find next free meter */
> -if (dp->meter_free == mid) { /* Now taken. */
> -do {
> -if (++mid >= MAX_METERS) { /* Wrap around */
> -mid = 0;
> -}
> -if (mid == dp->meter_free) { /* Full circle */
> -mid = MAX_METERS;
> -break;
> -}
> -} while (dp->meters[mid]);
> -dp->meter_free = mid; /* Next free meter or MAX_METERS */
> -}
> return 0;
> }
> return ENOMEM;
> @@ -4027,11 +4008,6 @@ dpif_netdev_meter_del(struct dpif *dpif,
> meter_lock(dp, meter_id);
> dp_delete_meter(dp, meter_id);
> meter_unlock(dp, meter_id);
> -
> -/* Keep free meter index as low as possible */
> -if (meter_id < dp->meter_free) {
> -dp->meter_free = meter_id;
> -}
> }
> return error;
> }
> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
> index c73c2738c91c..30f18b302a77 100644
> --- a/ofproto/ofproto-dpif.c
> +++ b/ofproto/ofproto-dpif.c
> @@ -662,6 +662,7 @@ close_dpif_backer(struct dpif_backer *backer)
> free(backer->type);
> free(backer->dp_version_string);
> dpif_close(backer->dpif);
> +id_pool_destroy(backer->meter_ids);
> free(backer);
> }
> 
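Review bot: `id_pool_destroy(backer->meter_ids)` in close_dpif_backer() runs unconditionally, while open_dpif_backer() in the next hunk leaves `meter_ids` NULL when `features.max_meters` is 0. Confirm that id_pool_destroy() accepts a NULL pool, or guard the call.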
> @@ -787,6 +788,15 @@ open_dpif_backer(const char *type, struct dpif_backer 
> **backerp)
> = check_variable_length_userdata(backer);
> backer->dp_version_string = dpif_get_dp_version(backer->dpif);
> 
> +/* Manage Datapath meter IDs if supported. */
> +struct ofputil_meter_features features;
> +dpif_meter_get_features(backer->dpif, );
> +if (features.max_meters) {
> +backer->meter_ids = id_pool_create(0, features.max_meters);
> +} else {
> +backer->meter_ids = NULL;
> +}
> +
> return error;
> }
> 
> @@ -5439,6 +5449,17 @@ meter_set(struct ofproto *ofproto_, ofproto_meter_id 
> *meter_id,
> {
> struct ofproto_dpif *ofproto = ofproto_dpif_cast(ofproto_);
> 
> +/* Provider ID unknown. Use backer to allocate a new DP meter */
> +if (meter_id->uint32 == UINT32_MAX) {
> +if (!ofproto->backer->meter_ids) {
> +return EFBIG; /* Datapath does not support meter.  */
> +}
> +
> +if(!id_pool_alloc_id(ofproto->backer->meter_ids, _id->uint32)) 
> {
> +return ENOMEM; /* Can't allocate a DP meter. */
> +}
> +}
> +
> switch (dpif_meter_set(ofproto->backer->dpif, meter_id, config)) {
> case 0:
> return 0;
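Review bot: When `id_pool_alloc_id()` succeeds and the following `dpif_meter_set()` fails, the visible lines show nothing that returns the id to the pool, so repeated failed meter additions could drain `meter_ids`. Free the id and restore `meter_id->uint32` to `UINT32_MAX` on the error paths. Style: `if(!id_pool_alloc_id(` needs a space after `if`.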
> @@ -5468,12 +5489,31 @@ meter_get(const struct ofproto *ofproto_, 
> ofproto_meter_id meter_id,
> return OFPERR_OFPMMFC_UNKNOWN_MET

Re: [ovs-dev] [action upcall meters 2/5] ofproto-dpif: Use backer to manage datapath meter allocation

2017-04-28 Thread Jarno Rajahalme

> On Apr 27, 2017, at 11:48 PM, Andy Zhou <az...@ovn.org> wrote:
> 
> On Thu, Apr 27, 2017 at 3:23 PM, Jarno Rajahalme <ja...@ovn.org 
> <mailto:ja...@ovn.org>> wrote:
>> 
>>> On Apr 14, 2017, at 12:46 PM, Andy Zhou <az...@ovn.org> wrote:
>>> 
>>> Add 'meter_ids', an id-pool object to manage datapath meter id.
>>> 
>>> Currently, only userspace datapath supports meter, and it implements
>>> the provider_meter_id management. Moving this function to 'backer'
>>> allows other datapath implementation to share the same logic.
>>> 
>>> Signed-off-by: Andy Zhou <az...@ovn.org>
>>> ---
>>> lib/dpif-netdev.c  | 24 
>>> ofproto/ofproto-dpif.c | 44 ++--
>>> ofproto/ofproto-dpif.h |  4 
>>> 3 files changed, 46 insertions(+), 26 deletions(-)
>>> 
>>> diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
>>> index a14a2ebb5b2a..d5417162b7af 100644
>>> --- a/lib/dpif-netdev.c
>>> +++ b/lib/dpif-netdev.c
>>> @@ -260,7 +260,6 @@ struct dp_netdev {
>>>/* Meters. */
>>>struct ovs_mutex meter_locks[N_METER_LOCKS];
>>>struct dp_meter *meters[MAX_METERS]; /* Meter bands. */
>>> -uint32_t meter_free; /* Next free meter. */
>>> 
>>>/* Protects access to ofproto-dpif-upcall interface during revalidator
>>> * thread synchronization. */
>>> @@ -3896,9 +3895,6 @@ dpif_netdev_meter_set(struct dpif *dpif, 
>>> ofproto_meter_id *meter_id,
>>>struct dp_meter *meter;
>>>int i;
>>> 
>>> -if (mid == UINT32_MAX) {
>>> -mid = dp->meter_free;
>>> -}
>>>if (mid >= MAX_METERS) {
>>>return EFBIG; /* Meter_id out of range. */
>>>}
>>> @@ -3958,21 +3954,6 @@ dpif_netdev_meter_set(struct dpif *dpif, 
>>> ofproto_meter_id *meter_id,
>>>dp->meters[mid] = meter;
>>>meter_unlock(dp, mid);
>>> 
>>> -meter_id->uint32 = mid; /* Store on success. */
>>> -
>>> -/* Find next free meter */
>>> -if (dp->meter_free == mid) { /* Now taken. */
>>> -do {
>>> -if (++mid >= MAX_METERS) { /* Wrap around */
>>> -mid = 0;
>>> -}
>>> -if (mid == dp->meter_free) { /* Full circle */
>>> -mid = MAX_METERS;
>>> -break;
>>> -}
>>> -} while (dp->meters[mid]);
>>> -dp->meter_free = mid; /* Next free meter or MAX_METERS */
>>> -}
>>>return 0;
>>>}
>>>return ENOMEM;
>>> @@ -4027,11 +4008,6 @@ dpif_netdev_meter_del(struct dpif *dpif,
>>>meter_lock(dp, meter_id);
>>>dp_delete_meter(dp, meter_id);
>>>meter_unlock(dp, meter_id);
>>> -
>>> -/* Keep free meter index as low as possible */
>>> -if (meter_id < dp->meter_free) {
>>> -dp->meter_free = meter_id;
>>> -}
>>>}
>>>return error;
>>> }
>>> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
>>> index 6a5ffb94fa94..a026d4913731 100644
>>> --- a/ofproto/ofproto-dpif.c
>>> +++ b/ofproto/ofproto-dpif.c
>>> @@ -662,6 +662,7 @@ close_dpif_backer(struct dpif_backer *backer)
>>>free(backer->type);
>>>free(backer->dp_version_string);
>>>dpif_close(backer->dpif);
>>> +id_pool_destroy(backer->meter_ids);
>>>free(backer);
>>> }
>>> 
>>> @@ -787,6 +788,15 @@ open_dpif_backer(const char *type, struct dpif_backer 
>>> **backerp)
>>>= check_variable_length_userdata(backer);
>>>backer->dp_version_string = dpif_get_dp_version(backer->dpif);
>>> 
>>> +/* Manage Datpath meter IDs if supported. */
>> 
>> -> "Datapath"
> Thanks, Fixed.
>> 
>>> +struct ofputil_meter_features features;
>>> +dpif_meter_get_features(backer->dpif, );
>>> +if (features.max_meters) {
>>> +backer->meter_ids = id_pool_create(0, features.max_meters);
>>> +} else {
>>> +backer->meter_ids = NULL;
>>> +}
>>> +
>>>return error;
>>> }
>

Re: [ovs-dev] [action upcall meters 1/5] ofproto: Store meters using hmap

2017-04-28 Thread Jarno Rajahalme

> On Apr 27, 2017, at 11:28 PM, Andy Zhou <az...@ovn.org> wrote:
> 
> On Thu, Apr 27, 2017 at 3:14 PM, Jarno Rajahalme <ja...@ovn.org 
> <mailto:ja...@ovn.org>> wrote:
>> This incremental needed to satisfy GCC 4.9.2, due to ‘meter’ potentially 
>> being used uninitialized:
>> 
>> diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
>> index 2e80db8..eb060d0 100644
>> --- a/ofproto/ofproto.c
>> +++ b/ofproto/ofproto.c
>> @@ -6564,7 +6564,7 @@ handle_meter_request(struct ofconn *ofconn, const 
>> struct ofp_header *request,
>> struct ofproto *ofproto = ofconn_get_ofproto(ofconn);
>> struct ovs_list replies;
>> uint32_t meter_id;
>> -struct meter *meter;
>> +struct meter *meter = NULL;
>> 
>> ofputil_decode_meter_request(request, _id);
>> 
> 
> Thanks for letting me know.  I don't have gcc-4.9.2 installed on my system.
> 
> I am not sure GCC is right here. meter can only be used when  meter_id
> != OFPM13_ALL,
> but meter is always set in this case.
> 

You are right, but GCC 4.9.2 is not clever enough to figure that out.

> How about I fold the following to document the reason why meter is set to 
> NULL:
> 
> diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
> index c5c841a11ae5..41f1a74b194e 100644
> --- a/ofproto/ofproto.c
> +++ b/ofproto/ofproto.c
> @@ -6618,6 +6618,11 @@ handle_meter_request(struct ofconn *ofconn, const 
> struct
> /* Meter does not exist. */
> return OFPERR_OFPMMFC_UNKNOWN_METER;
> }
> +} else {
> +meter = NULL;   /* GCC 4.9.2 complains about 'meter' can
> +   otentially used uninitialized. Logically,

Add the leading ‘p’ :-)

> +   this is not possible, since meter is only used
> +   when meter_id != OFPM13_ALL. */
> }
> 
> ofpmp_init(, request);
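Review bot: The new `else { meter = NULL; ... }` branch exists only to silence a compiler warning; initializing at the declaration (`struct meter *meter = NULL;`) has the same effect in one line and cannot be bypassed by a later change to the branches. If the branch stays, the continuation lines of the multi-line comment need the usual leading `*`.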
> 
>> 
>> Otherwise:
>> 
>> Acked-by: Jarno Rajahalme <ja...@ovn.org <mailto:ja...@ovn.org>>
> 
> Thanks for the review.
>> 
>>> On Apr 14, 2017, at 12:46 PM, Andy Zhou <az...@ovn.org> wrote:
>>> 
>>> Currently, meters are stored in a fixed pointer array. It is not
>>> very efficient since the controller, at least in theory, can
>>> pick any meter id (up to the limits to uint32_t), not necessarily
>>> within the lower end of a region, or in close range to each other.
>>> In particular, OFPM_SLOWPATH and OFPM_CONTROLLER meters are specified
>>> at the high region.
>>> 
>>> Switching to using hmap. Ofproto layer does not restrict
>>> the number of meters that controller can add, nor does it care
>>> about the value of meter_id. Datapath limits the number of meters
>>> ofproto layer can support at run time.
>>> 
>>> Signed-off-by: Andy Zhou <az...@ovn.org>
>>> ---
>>> ofproto/ofproto-provider.h |   7 +-
>>> ofproto/ofproto.c  | 242 
>>> +++--
>>> 2 files changed, 146 insertions(+), 103 deletions(-)
>>> 
>>> diff --git a/ofproto/ofproto-provider.h b/ofproto/ofproto-provider.h
>>> index b7b12cdfd5f4..000326d7f79d 100644
>>> --- a/ofproto/ofproto-provider.h
>>> +++ b/ofproto/ofproto-provider.h
>>> @@ -109,12 +109,9 @@ struct ofproto {
>>>/* List of expirable flows, in all flow tables. */
>>>struct ovs_list expirable OVS_GUARDED_BY(ofproto_mutex);
>>> 
>>> -/* Meter table.
>>> - * OpenFlow meters start at 1.  To avoid confusion we leave the first
>>> - * pointer in the array un-used, and index directly with the OpenFlow
>>> - * meter_id. */
>>> +/* Meter table.  */
>>>struct ofputil_meter_features meter_features;
>>> -struct meter **meters; /* 'meter_features.max_meter' + 1 pointers. */
>>> +struct hmap meters; /* uint32_t indexed 'struct meter *'.  
>>> */
>>> 
>>>/* OpenFlow connections. */
>>>struct connmgr *connmgr;
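Review bot: Replacing `struct meter **meters` (sized `'meter_features.max_meter' + 1 pointers`) with `struct hmap meters` drops the bound the array gave for free, and the commit message says the ofproto layer no longer restricts how many meters a controller adds. Confirm that the add path still rejects requests once the datapath limit is reached, so a controller cannot grow the map without bound, and extend the `/* Meter table.  */` comment to say where that limit is enforced.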
>>> diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
>>> index 7440d5b52092..8c4c7e67f213 100644
>>> --- a/ofproto/ofproto.c
>>> +++ b/ofproto/ofproto.c
>>> @@ -281,7 +281,8 @@ static uint64_t pick_fallback_dpid(void);
>>> static void ofproto_destroy__(struct ofproto *);
>>> static void update_mtu(struct ofproto *, struct ofport *);
>>> static void update_mtu_ofproto(struct ofproto *);
>>> -static void meter_delete(struct ofproto *, uint32_t first, ui

Re: [ovs-dev] [PATCH] tests: ICMP related to original direction test.

2017-04-27 Thread Jarno Rajahalme

> On Apr 27, 2017, at 4:55 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 10 March 2017 at 16:10, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Normally ICMPP responses are in the reply direction of a conntrack
> 
> 's/ICMPP/ICMP/'
> 
>> entry.  This test exercises an ICMP response to the original direction
>> of the conntrack entry.
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
> 
> Somehow this slipped past my radar. Might want to roll in the
> incremental I posted below, but otherwise LGTM.
> 
> Acked-by: Joe Stringer <j...@ovn.org>
> 

Thanks for the review!

Applied to master,

  Jarno

> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> index 62eb7bda7e31..f66ed10501a5 100644
> --- a/tests/system-traffic.at
> +++ b/tests/system-traffic.at
> @@ -1392,7 +1392,7 @@ priority=1,action=drop
> table=1,ip,action=ct(zone=34673,table=2)
> table=2,in_port=2,udp,action=ct(commit,zone=34673),1
> table=2,in_port=1,udp,action=ct(commit,zone=34673),2
> -table=2,in_port=2,icmp,action=1
> +table=2,in_port=2,ct_state=+rel,icmp,action=1
> ])
> 
> AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> @@ -1421,7 +1421,7 @@ AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip
> | sort | grep -v drop], [0], [d
> table=1, n_packets=4, n_bytes=224, ip actions=ct(table=2,zone=34673)
> table=2, n_packets=1, n_bytes=42, udp,in_port=1
> actions=ct(commit,zone=34673),output:2
> table=2, n_packets=1, n_bytes=42, udp,in_port=2
> actions=ct(commit,zone=34673),output:1
> - table=2, n_packets=2, n_bytes=140, icmp,in_port=2 actions=output:1
> + table=2, n_packets=2, n_bytes=140, ct_state=+rel,icmp,in_port=2
> actions=output:1
> NXST_FLOW reply:
> ])



[ovs-dev] [PATCH v5] xlate: Use OVS_CT_ATTR_EVENTMASK.

2017-04-27 Thread Jarno Rajahalme
Specify the event mask with CT commit including bits for CT features
exposed at the OVS interface (mark and label changes in addition to
basic creation and destruction of conntrack entries).

Without this any listener of conntrack update events will typically
(depending on system configuration) receive events for each L4 (e.g.,
TCP) state machine change, which can multiply the number of events
received per connection.

By including the new, related, and destroy events any listener of new
conntrack events gets notified of new related and non-related
connections, and any listener of destroy events will get notified of
deleted (typically timed out) conntrack entries.

By including the flags for mark and labels, any listener of conntrack
update events gets notified whenever the connmark or conntrack labels
are changed from the values reported within the new events.

VMware-BZ: #1837218
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
---
v5: Use addresses in the loopback range and zero port numbers in the probe
to avoid hitting any real conntrack entries.

build-aux/extract-odp-netlink-h |  2 ++
 ofproto/ofproto-dpif-xlate.c|  6 
 ofproto/ofproto-dpif.c  | 63 +
 ofproto/ofproto-dpif.h  |  5 +++-
 4 files changed, 75 insertions(+), 1 deletion(-)

diff --git a/build-aux/extract-odp-netlink-h b/build-aux/extract-odp-netlink-h
index 907a70a..7fb6ce8 100755
--- a/build-aux/extract-odp-netlink-h
+++ b/build-aux/extract-odp-netlink-h
@@ -19,6 +19,8 @@ $i\
 #ifdef _WIN32\
 #include "OvsDpInterfaceExt.h"\
 #include "OvsDpInterfaceCtExt.h"\
+#else\
+#include "linux/netfilter/nf_conntrack_common.h"\
 #endif\
 
 # Use OVS's own struct eth_addr instead of a 6-byte char array.
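Review bot: The new `#else` branch pulls in `linux/netfilter/nf_conntrack_common.h` on every platform that is not `_WIN32`, not only on Linux. Confirm that the header is available, from the tree or from the system, on the other userspace build targets, and that the `IPCT_*` names used by the xlate change exist in the oldest headers the build is expected to support.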
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index d8c6a7c..ab5eef8 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -5351,6 +5351,12 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct 
ofpact_conntrack *ofc)
 if (ofc->flags & NX_CT_F_COMMIT) {
 nl_msg_put_flag(ctx->odp_actions, ofc->flags & NX_CT_F_FORCE ?
 OVS_CT_ATTR_FORCE_COMMIT : OVS_CT_ATTR_COMMIT);
+if (ctx->xbridge->support.ct_eventmask) {
+nl_msg_put_u32(ctx->odp_actions, OVS_CT_ATTR_EVENTMASK,
+   1 << IPCT_NEW | 1 << IPCT_RELATED |
+   1 << IPCT_DESTROY | 1 << IPCT_MARK |
+   1 << IPCT_LABEL);
+}
 }
 nl_msg_put_u16(ctx->odp_actions, OVS_CT_ATTR_ZONE, zone);
 put_ct_mark(>xin->flow, ctx->odp_actions, ctx->wc);
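Review bot: The event mask is an unnamed expression inside compose_conntrack_action(), and the diffstat touches no NEWS or documentation file, so operators running conntrack monitors get no notice that OVS-committed connections stop producing events other than new, related, destroy, mark and label. Give the mask a named constant placed next to its rationale and add a NEWS entry.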
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index c73c273..23896f0 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -1241,6 +1241,68 @@ check_clone(struct dpif_backer *backer)
 return !error;
 }
 
+/* Tests whether 'backer''s datapath supports the OVS_CT_ATTR_EVENTMASK
+ * attribute in OVS_ACTION_ATTR_CT. */
+static bool
+check_ct_eventmask(struct dpif_backer *backer)
+{
+struct dpif_execute execute;
+struct dp_packet packet;
+struct ofpbuf actions;
+struct flow flow = {
+.dl_type = CONSTANT_HTONS(ETH_TYPE_IP),
+.nw_proto = IPPROTO_UDP,
+.nw_ttl = 64,
+/* Use the broadcast address on the loopback address range 127/8 to
+ * avoid hitting any real conntrack entries.  We leave the UDP ports to
+ * zeroes for the same purpose. */
+.nw_src = CONSTANT_HTONL(0x7fff),
+.nw_dst = CONSTANT_HTONL(0x7fff),
+};
+size_t ct_start;
+int error;
+
+/* Compose CT action with eventmask attribute and check if datapath can
+ * decode the message.  */
+ofpbuf_init(, 64);
+ct_start = nl_msg_start_nested(, OVS_ACTION_ATTR_CT);
+/* Eventmask has no effect without the commit flag, but currently the
+ * datapath will accept an eventmask even without commit.  This is useful
+ * as we do not want to persist the probe connection in the conntrack
+ * table. */
+nl_msg_put_u32(, OVS_CT_ATTR_EVENTMASK, ~0);
+nl_msg_end_nested(, ct_start);
+
+/* Compose a dummy UDP packet. */
+dp_packet_init(, 0);
+flow_compose(, );
+
+/* Execute the actions.  On older datapaths this fails with EINVAL, on
+ * newer datapaths it succeeds. */
+execute.actions = actions.data;
+execute.actions_len = actions.size;
+execute.packet = 
+execute.flow = 
+execute.needs_help = false;
+execute.probe = true;
+execute.mtu = 0;
+
+error = dpif_execute(backer->dpif, );
+
+dp_packet_uninit();
+ofpbuf_uninit();
+
+if (error) {
+VLOG_INFO("%s: Datapath does not support eventmask in conntrack 
action",
+  dpif_name(backer->dpif));
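
Review bot: In the `struct flow` initializer of check_ct_eventmask(), `.nw_src` and `.nw_dst` are set to CONSTANT_HTONL(0x7fff), which does not match the comment directly above them. 0x7fff is 0.0.127.255, outside 127/8, while the broadcast address of the loopback range (127.255.255.255) is 0x7fffffff. Either the constant or the comment should change so that the probe really stays clear of live conntrack entries.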

Re: [ovs-dev] [PATCH v3] xlate: Use OVS_CT_ATTR_EVENTMASK.

2017-04-27 Thread Jarno Rajahalme

> On Apr 27, 2017, at 4:15 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 27 April 2017 at 14:48, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Specify the event mask with CT commit including bits for CT features
>> exposed at the OVS interface (mark and label changes in addition to
>> basic creation and destruction of conntrack entries).
>> 
>> Without this any listener of conntrack update events will typically
>> (depending on system configuration) receive events for each L4 (e.g.,
>> TCP) state machine change, which can multiply the number of events
>> received per connection.
>> 
>> By including the new, related, and destroy events any listener of new
>> conntrack events gets notified of new related and non-related
>> connections, and any listener of destroy events will get notified of
>> deleted (typically timed out) conntrack entries.
>> 
>> By including the flags for mark and labels, any listener of conntrack
>> update events gets notified whenever the connmark or conntrack labels
>> are changed from the values reported within the new events.
>> 
>> VMware-BZ: #1837218
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> Acked-by: Joe Stringer <j...@ovn.org>
>> ---
> 
> Did you try building with sparse? I'm seeing:
> 
> ofproto/ofproto-dpif.c:1256:19: error: incorrect type in initializer
> (different base types)
> ofproto/ofproto-dpif.c:1256:19: expected restricted ovs_be32 [usertype] nw_src
> ofproto/ofproto-dpif.c:1256:19: got int
> ofproto/ofproto-dpif.c:1257:19: error: incorrect type in initializer
> (different base types)
> ofproto/ofproto-dpif.c:1257:19: expected restricted ovs_be32 [usertype] nw_dst
> ofproto/ofproto-dpif.c:1257:19: got int
> ofproto/ofproto-dpif.c:1258:19: error: incorrect type in initializer
> (different base types)
> ofproto/ofproto-dpif.c:1258:19: expected restricted ovs_be16 [usertype] tp_src
> ofproto/ofproto-dpif.c:1258:19: got int
> ofproto/ofproto-dpif.c:1259:19: error: incorrect type in initializer
> (different base types)
> ofproto/ofproto-dpif.c:1259:19: expected restricted ovs_be16 [usertype] tp_dst
> ofproto/ofproto-dpif.c:1259:19: got int

Thanks for reporting this! I’ve been unlucky getting sparse to not give me a 
ton of meaningless errors…

Posted a v4 fixing this,

  Jarno

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
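
The effect of the event mask described in the commit message quoted above, as an added example that is not part of the thread or of the OVS code base. It uses a simplified model in which a report is generated only when a pending event is enabled in the mask; the event sequence is constructed, and `ovs_commit_eventmask()`, `report_generated()`, `count_reports()` and `suppressed_events()` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions of the kernel's enum ip_conntrack_events
 * (linux/netfilter/nf_conntrack_common.h), repeated here so the example
 * builds without kernel headers. */
enum {
    IPCT_NEW, IPCT_RELATED, IPCT_DESTROY, IPCT_REPLY, IPCT_ASSURED,
    IPCT_PROTOINFO, IPCT_HELPER, IPCT_MARK, IPCT_SEQADJ, IPCT_SECMARK,
    IPCT_LABEL
};

#define EV(e) (UINT32_C(1) << (e))

/* The mask the patch sends together with a CT commit. */
static uint32_t
ovs_commit_eventmask(void)
{
    return EV(IPCT_NEW) | EV(IPCT_RELATED) | EV(IPCT_DESTROY)
           | EV(IPCT_MARK) | EV(IPCT_LABEL);
}

/* Simplified model (assumption of this example): a report reaches the
 * listeners only if at least one pending event is enabled in the mask. */
static int
report_generated(uint32_t ctmask, uint32_t pending)
{
    return (pending & ctmask) != 0;
}

/* Number of reports a listener receives for a sequence of event batches. */
static size_t
count_reports(uint32_t ctmask, const uint32_t *pending, size_t n)
{
    size_t reports = 0;

    for (size_t i = 0; i < n; i++) {
        reports += report_generated(ctmask, pending[i]);
    }
    return reports;
}

/* Union of the event bits in batches that produced no report at all. */
static uint32_t
suppressed_events(uint32_t ctmask, const uint32_t *pending, size_t n)
{
    uint32_t lost = 0;

    for (size_t i = 0; i < n; i++) {
        if (!report_generated(ctmask, pending[i])) {
            lost |= pending[i];
        }
    }
    return lost;
}

/* Constructed sample: event batches over the life of one TCP connection
 * whose connmark is changed once by a flow. */
static const uint32_t tcp_lifecycle[] = {
    EV(IPCT_NEW),                          /* SYN, entry committed */
    EV(IPCT_REPLY) | EV(IPCT_PROTOINFO),   /* SYN/ACK */
    EV(IPCT_ASSURED) | EV(IPCT_PROTOINFO), /* ACK, established */
    EV(IPCT_MARK),                         /* connmark changed */
    EV(IPCT_PROTOINFO),                    /* FIN */
    EV(IPCT_PROTOINFO),                    /* FIN/ACK */
    EV(IPCT_PROTOINFO),                    /* last ACK */
    EV(IPCT_DESTROY),                      /* entry removed */
};
#define TCP_LIFECYCLE_LEN (sizeof tcp_lifecycle / sizeof tcp_lifecycle[0])

int
main(void)
{
    uint32_t ovs = ovs_commit_eventmask();
    uint32_t no_mark = EV(IPCT_NEW) | EV(IPCT_RELATED) | EV(IPCT_DESTROY);

    printf("all-ones mask:    %zu reports\n",
           count_reports(UINT32_MAX, tcp_lifecycle, TCP_LIFECYCLE_LEN));
    printf("OVS mask %#x: %zu reports, suppressed bits %#x\n",
           (unsigned) ovs,
           count_reports(ovs, tcp_lifecycle, TCP_LIFECYCLE_LEN),
           (unsigned) suppressed_events(ovs, tcp_lifecycle,
                                        TCP_LIFECYCLE_LEN));
    printf("without mark bit: %zu reports\n",
           count_reports(no_mark, tcp_lifecycle, TCP_LIFECYCLE_LEN));
    return 0;
}
```

A monitor that depends on REPLY, ASSURED or PROTOINFO updates sees none of them for connections committed with this mask, which is the trade-off the commit message describes.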


[ovs-dev] [PATCH v4] xlate: Use OVS_CT_ATTR_EVENTMASK.

2017-04-27 Thread Jarno Rajahalme
Specify the event mask with CT commit including bits for CT features
exposed at the OVS interface (mark and label changes in addition to
basic creation and destruction of conntrack entries).

Without this any listener of conntrack update events will typically
(depending on system configuration) receive events for each L4 (e.g.,
TCP) state machine change, which can multiply the number of events
received per connection.

By including the new, related, and destroy events any listener of new
conntrack events gets notified of new related and non-related
connections, and any listener of destroy events will get notified of
deleted (typically timed out) conntrack entries.

By including the flags for mark and labels, any listener of conntrack
update events gets notified whenever the connmark or conntrack labels
are changed from the values reported within the new events.

VMware-BZ: #1837218
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
---
v4: Added the missing byte swap operations.

build-aux/extract-odp-netlink-h |  2 ++
 ofproto/ofproto-dpif-xlate.c|  6 
 ofproto/ofproto-dpif.c  | 62 +
 ofproto/ofproto-dpif.h  |  5 +++-
 4 files changed, 74 insertions(+), 1 deletion(-)

diff --git a/build-aux/extract-odp-netlink-h b/build-aux/extract-odp-netlink-h
index 907a70a..7fb6ce8 100755
--- a/build-aux/extract-odp-netlink-h
+++ b/build-aux/extract-odp-netlink-h
@@ -19,6 +19,8 @@ $i\
 #ifdef _WIN32\
 #include "OvsDpInterfaceExt.h"\
 #include "OvsDpInterfaceCtExt.h"\
+#else\
+#include "linux/netfilter/nf_conntrack_common.h"\
 #endif\
 
 # Use OVS's own struct eth_addr instead of a 6-byte char array.
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index d8c6a7c..ab5eef8 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -5351,6 +5351,12 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct 
ofpact_conntrack *ofc)
 if (ofc->flags & NX_CT_F_COMMIT) {
 nl_msg_put_flag(ctx->odp_actions, ofc->flags & NX_CT_F_FORCE ?
 OVS_CT_ATTR_FORCE_COMMIT : OVS_CT_ATTR_COMMIT);
+if (ctx->xbridge->support.ct_eventmask) {
+nl_msg_put_u32(ctx->odp_actions, OVS_CT_ATTR_EVENTMASK,
+   1 << IPCT_NEW | 1 << IPCT_RELATED |
+   1 << IPCT_DESTROY | 1 << IPCT_MARK |
+   1 << IPCT_LABEL);
+}
 }
 nl_msg_put_u16(ctx->odp_actions, OVS_CT_ATTR_ZONE, zone);
 put_ct_mark(>xin->flow, ctx->odp_actions, ctx->wc);
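
Review bot: The event mask passed to nl_msg_put_u32() in compose_conntrack_action() is an unexplained inline expression, and `1 << IPCT_NEW` and the other terms shift a signed int into a u32 argument (a style point, since all bits are low). A named constant built with unsigned shifts, plus a one-line comment on why mark and label are included and L4 state updates are left out, would keep the rationale in the code and not only in the commit message.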
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index c73c273..23a8575 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -1241,6 +1241,67 @@ check_clone(struct dpif_backer *backer)
 return !error;
 }
 
+/* Tests whether 'backer''s datapath supports the OVS_CT_ATTR_EVENTMASK
+ * attribute in OVS_ACTION_ATTR_CT. */
+static bool
+check_ct_eventmask(struct dpif_backer *backer)
+{
+struct dpif_execute execute;
+struct dp_packet packet;
+struct ofpbuf actions;
+struct flow flow = {
+.dl_type = CONSTANT_HTONS(ETH_TYPE_IP),
+.nw_proto = IPPROTO_UDP,
+.nw_ttl = 64,
+.nw_src = CONSTANT_HTONL(0x0a010101),
+.nw_dst = CONSTANT_HTONL(0x0a010102),
+.tp_src = CONSTANT_HTONS(42387),
+.tp_dst = CONSTANT_HTONS(13264)
+};
+size_t ct_start;
+int error;
+
+/* Compose CT action with eventmask attribute and check if datapath can
+ * decode the message.  */
+ofpbuf_init(, 64);
+ct_start = nl_msg_start_nested(, OVS_ACTION_ATTR_CT);
+/* Eventmask has no effect without the commit flag, but currently the
+ * datapath will accept an eventmask even without commit.  This is useful
+ * as we do not want to persist the probe connection in the conntrack
+ * table. */
+nl_msg_put_u32(, OVS_CT_ATTR_EVENTMASK, ~0);
+nl_msg_end_nested(, ct_start);
+
+/* Compose a dummy UDP packet. */
+dp_packet_init(, 0);
+flow_compose(, );
+
+/* Execute the actions.  On older datapaths this fails with EINVAL, on
+ * newer datapaths it succeeds. */
+execute.actions = actions.data;
+execute.actions_len = actions.size;
+execute.packet = 
+execute.flow = 
+execute.needs_help = false;
+execute.probe = true;
+execute.mtu = 0;
+
+error = dpif_execute(backer->dpif, );
+
+dp_packet_uninit();
+ofpbuf_uninit();
+
+if (error) {
+VLOG_INFO("%s: Datapath does not support eventmask in conntrack 
action",
+  dpif_name(backer->dpif));
+} else {
+VLOG_INFO("%s: Datapath supports eventmask in conntrack action",
+  dpif_name(backer->dpif));
+}
+
+return !error;
+}
+
 #define CHECK_FEATURE__(NAME, SUPPO
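
Review bot: The probe flow in check_ct_eventmask() now uses 10.1.1.1 to 10.1.1.2, UDP 42387 to 13264, a tuple that can legitimately exist on a host. Since dpif_execute() runs the CT action on this packet, consider a tuple that cannot match real traffic, so that the feature probe does not touch a live conntrack entry; the in-code comment already states that the probe should leave the conntrack table alone.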

Re: [ovs-dev] [action upcall meters 5/5] ofproto: Meter slowpath action when action upcall meters are configured

2017-04-27 Thread Jarno Rajahalme
See comments below.

  Jarno

> On Apr 14, 2017, at 12:46 PM, Andy Zhou  wrote:
> 
> If a slow path action is a controller action, meter it when the
> controller meter is configured.  For other kinds of slow path actions,
> meter it when the slowpath meter is configured.
> 
> Note, this patch only considers the meters configuration of the
> packet's input bridge, which may not be the same bridge where the
> action is generated.
> 
> Signed-off-by: Andy Zhou 
> ---
> ofproto/ofproto-dpif-upcall.c | 34 +++---
> ofproto/ofproto-dpif-xlate.c  | 12 ++--
> tests/ofproto-dpif.at | 31 +++
> 3 files changed, 68 insertions(+), 9 deletions(-)
> 
> diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
> index 3b28f9a22939..37f345b235b1 100644
> --- a/ofproto/ofproto-dpif-upcall.c
> +++ b/ofproto/ofproto-dpif-upcall.c
> @@ -1018,7 +1018,8 @@ classify_upcall(enum dpif_upcall_type type, const 
> struct nlattr *userdata)
> static void
> compose_slow_path(struct udpif *udpif, struct xlate_out *xout,
>   const struct flow *flow, odp_port_t odp_in_port,
> -  struct ofpbuf *buf)
> +  struct ofpbuf *buf, uint32_t slowpath_meter_id,
> +  uint32_t controller_meter_id)
> {
> union user_action_cookie cookie;
> odp_port_t port;
> @@ -1032,8 +1033,28 @@ compose_slow_path(struct udpif *udpif, struct 
> xlate_out *xout,
> ? ODPP_NONE
> : odp_in_port;
> pid = dpif_port_get_pid(udpif->dpif, port, flow_hash_5tuple(flow, 0));
> +
> +size_t offset;
> +size_t ac_offset;
> +uint32_t meter_id = xout->slow & SLOW_CONTROLLER ? controller_meter_id
> + : slowpath_meter_id;
> +
> +if (meter_id != UINT32_MAX) {
> +/* If slowpath meter is configured, generate clone(meter, userspace)
> + * action.   */
> +offset = nl_msg_start_nested(buf, OVS_ACTION_ATTR_SAMPLE);
> +nl_msg_put_u32(buf, OVS_SAMPLE_ATTR_PROBABILITY, UINT32_MAX);
> +ac_offset = nl_msg_start_nested(buf, OVS_SAMPLE_ATTR_ACTIONS);
> +nl_msg_put_u32(buf, OVS_ACTION_ATTR_METER, meter_id);
> +}
> +
> odp_put_userspace_action(pid, , sizeof cookie.slow_path,
>  ODPP_NONE, false, buf);
> +
> +if (meter_id != UINT32_MAX) {
> +nl_msg_end_nested(buf, ac_offset);
> +nl_msg_end_nested(buf, offset);
> +}
> }
> 
> /* If there is no error, the upcall must be destroyed with upcall_uninit()
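
Review bot: In compose_slow_path(), the new comment says a `clone(meter, userspace)` action is generated, but the code opens OVS_ACTION_ATTR_SAMPLE with OVS_SAMPLE_ATTR_PROBABILITY set to UINT32_MAX; the comment should name the sample action. `offset` and `ac_offset` are also assigned only inside the first `if (meter_id != UINT32_MAX)` and read in the second, which some compilers report as possibly uninitialized; initializing both to 0 avoids that.
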
> @@ -1136,10 +1157,12 @@ upcall_xlate(struct udpif *udpif, struct upcall 
> *upcall,
> ofpbuf_use_const(>put_actions,
>  odp_actions->data, odp_actions->size);
> } else {
> +uint32_t smid= upcall->ofproto->up.slowpath_meter_id;

white space error.

> +uint32_t cmid = upcall->ofproto->up.controller_meter_id;
> /* upcall->put_actions already initialized by upcall_receive(). */
> compose_slow_path(udpif, >xout, upcall->flow,
>   upcall->flow->in_port.odp_port,
> -  >put_actions);
> +  >put_actions, smid, cmid);
> }
> 
> /* This function is also called for slow-pathed flows.  As we are only
> @@ -1956,9 +1979,14 @@ revalidate_ukey__(struct udpif *udpif, const struct 
> udpif_key *ukey,
> }
> 
> if (xoutp->slow) {
> +struct ofproto_dpif *ofproto;
> +ofproto = xlate_lookup_ofproto(udpif->backer, , NULL);
> +uint32_t smid= ofproto->up.slowpath_meter_id;
> +uint32_t cmid= ofproto->up.controller_meter_id;
> +
> ofpbuf_clear(odp_actions);
> compose_slow_path(udpif, xoutp, , ctx.flow.in_port.odp_port,
> -  odp_actions);
> +  odp_actions, smid, cmid);
> }
> 
> if (odp_flow_key_to_mask(ukey->mask, ukey->mask_len, _mask, )
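
Review bot: In revalidate_ukey__(), the pointer returned by xlate_lookup_ofproto() is dereferenced on the next line (`ofproto->up.slowpath_meter_id`) without a NULL check. If the lookup can fail for this flow, handle that case before reading the meter ids. The `smid=` and `cmid=` declarations are also missing a space before `=`.
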
> diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
> index 52e0d3f1b0bb..416012ab6930 100644
> --- a/ofproto/ofproto-dpif-xlate.c
> +++ b/ofproto/ofproto-dpif-xlate.c
> @@ -2849,8 +2849,13 @@ compose_sample_action(struct xlate_ctx *ctx,
> return 0;
> }
> 
> +/* If the slow path meter is configured by the controller,
> + * Insert a meter action before the user space action.   */
> +struct ofproto *ofproto = >xin->ofproto->up;
> +uint32_t meter_id = ofproto->slowpath_meter_id;
> +
> /* No need to generate sample action for 100% sampling rate. */
> -bool is_sample = probability < UINT32_MAX;
> +bool is_sample = probability < UINT32_MAX || meter_id != UINT32_MAX;

This seems to fix the problem in the previous patch.

> size_t sample_offset, actions_offset;
> if (is_sample) {
> sample_offset = nl_msg_start_nested(ctx->odp_actions,
> @@ -2861,11 +2866,6 @@ compose_sample_action(struct xlate_ctx *ctx,
> 

Re: [ovs-dev] [action upcall meters 4/5] ofproto: Meter sample action when configured.

2017-04-27 Thread Jarno Rajahalme
This breaks the test "ofproto-dpif - Bridge IPFIX sanity check" (currently test 
#1128), which appears to be the test case that is being modified.

More comments below.

> On Apr 14, 2017, at 12:46 PM, Andy Zhou  wrote:
> 
> When slowpath meter is configured, add meter action when translating
> sample action.
> 
> Signed-off-by: Andy Zhou 
> ---
> ofproto/ofproto-dpif-xlate.c |  9 +
> tests/ofproto-dpif.at| 14 ++
> 2 files changed, 23 insertions(+)
> 
> diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
> index a24aef9a43a1..52e0d3f1b0bb 100644
> --- a/ofproto/ofproto-dpif-xlate.c
> +++ b/ofproto/ofproto-dpif-xlate.c
> @@ -2861,6 +2861,15 @@ compose_sample_action(struct xlate_ctx *ctx,
>  OVS_SAMPLE_ATTR_ACTIONS);
> }
> 
> +/* If the slow path meter is configured by the controller,
> + * Insert a meter action before the user space action.   */
> +struct ofproto *ofproto = >xin->ofproto->up;
> +uint32_t meter_id = ofproto->slowpath_meter_id;
> +
> +if (meter_id != UINT32_MAX) {
> +nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_METER, meter_id);
> +}
> +
> odp_port_t odp_port = ofp_port_to_odp_port(
> ctx->xbridge, ctx->xin->flow.in_port.ofp_port);
> uint32_t pid = dpif_port_get_pid(ctx->xbridge->dpif, odp_port,
> diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
> index 0c2ea384b422..3c3037b16548 100644
> --- a/tests/ofproto-dpif.at
> +++ b/tests/ofproto-dpif.at
> @@ -6491,6 +6491,20 @@ flow-dump from non-dpdk interfaces:
> packets:2, bytes:68, used:0.001s, 
> actions:userspace(pid=0,ipfix(output_port=4294967295))
> ])
> 
> +AT_CHECK([ovs-appctl revalidator/purge])
> +dnl
> +dnl Add a slowpath meter. The userspace action should be metered.
> +AT_CHECK([ovs-ofctl -O OpenFlow13 add-meter br0 'meter=slowpath pktps burst 
> stats bands=type=drop rate=3 burst_size=1'])
> +
> +dnl Send some packets that should be sampled and metered.
> +for i in `seq 1 3`; do
> +AT_CHECK([ovs-appctl netdev-dummy/receive p1 
> 'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800)'])
> +done
> +AT_CHECK([ovs-appctl dpctl/dump-flows | sed 's/.*\(packets:\)/\1/' | sed 
> 's/used:[[0-9]].[[0-9]]*s/used:0.001s/'], [0], [dnl
> +flow-dump from non-dpdk interfaces:
> +packets:2, bytes:68, used:0.001s, 
> actions:sample(sample=100.0%,actions(meter(0),userspace(pid=0,ipfix(output_port=4294967295
> +])
> +

This is the test failure:

-packets:2, bytes:68, used:0.001s, 
actions:sample(sample=100.0%,actions(meter(0),userspace(pid=0,ipfix(output_port=4294967295
+packets:2, bytes:68, used:0.001s, 
actions:meter(0),userspace(pid=0,ipfix(output_port=4294967295))

Applied to current master the sample envelope is not being inserted when 
probability is 100%. However, when using a meter the sample envelope is needed 
in all cases, as if the meter drops the packet, we still need to continue 
execution if there are further actions after the sample action.


> dnl Remove the IPFIX configuration.
> AT_CHECK([ovs-vsctl clear bridge br0 ipfix])
> AT_CHECK([ovs-appctl revalidator/purge])
> -- 
> 1.8.3.1
> 


Re: [ovs-dev] [action upcall meters 3/5] ofproto: Support action upcall meters

2017-04-27 Thread Jarno Rajahalme
With small nits below:

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Apr 14, 2017, at 12:46 PM, Andy Zhou <az...@ovn.org> wrote:
> 
> Allow action upcall meters, i.e. slowpath and controller meters,
> to be added and displayed.
> 
> Keep track of datapath meter ID of those action upcall meters in
> ofproto to aid action translation. Later patches will make use of them.
> 
> Signed-off-by: Andy Zhou <az...@ovn.org>
> ---
> lib/ofp-print.c| 33 ++---
> ofproto/ofproto-provider.h |  4 
> ofproto/ofproto.c  | 52 ++
> 3 files changed, 82 insertions(+), 7 deletions(-)
> 
> diff --git a/lib/ofp-print.c b/lib/ofp-print.c
> index a8cdfcbf20b1..140af05950b7 100644
> --- a/lib/ofp-print.c
> +++ b/lib/ofp-print.c
> @@ -1333,11 +1333,36 @@ ofp_print_meter_band(struct ds *s, uint16_t flags,
> }
> 
> static void
> +ofp_print_meter_id(struct ds *s, uint32_t meter_id, char seperator)
> +{
> +if (meter_id <= OFPM13_MAX) {
> +ds_put_format(s, "meter%c%"PRIu32, seperator, meter_id);
> +} else {
> +const char *name;
> +switch (meter_id) {
> +case OFPM13_SLOWPATH:
> +name = "slowpath";
> +break;
> +case OFPM13_CONTROLLER:
> +name = "controller";
> +break;
> +case OFPM13_ALL:
> +name = "ALL”;

We require lower case “all” when parsing, so better print that way also.

> +break;
> +default:
> +name = "unknown";
> +}
> +ds_put_format(s, "meter%c%s", seperator, name);
> +}
> +}
> +
> +static void
> ofp_print_meter_stats(struct ds *s, const struct ofputil_meter_stats *ms)
> {
> uint16_t i;
> 
> -ds_put_format(s, "meter:%"PRIu32" ", ms->meter_id);
> +ofp_print_meter_id(s, ms->meter_id, ':');
> +ds_put_char(s, ' ');
> ds_put_format(s, "flow_count:%"PRIu32" ", ms->flow_count);
> ds_put_format(s, "packet_in_count:%"PRIu64" ", ms->packet_in_count);
> ds_put_format(s, "byte_in_count:%"PRIu64" ", ms->byte_in_count);
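
Review bot: The parameter of ofp_print_meter_id() is spelled `seperator`; rename it to `separator`. The `default:` arm also prints "unknown" and drops the numeric id, so an unrecognized meter_id above OFPM13_MAX cannot be identified from the output; printing the number there would keep it diagnosable.
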
> @@ -1358,7 +1383,8 @@ ofp_print_meter_config(struct ds *s, const struct 
> ofputil_meter_config *mc)
> {
> uint16_t i;
> 
> -ds_put_format(s, "meter=%"PRIu32" ", mc->meter_id);
> +ofp_print_meter_id(s, mc->meter_id, '=');
> +ds_put_char(s, ' ');
> 
> ofp_print_meter_flags(s, mc->flags);
> 
> @@ -1412,8 +1438,9 @@ ofp_print_meter_stats_request(struct ds *s, const 
> struct ofp_header *oh)
> uint32_t meter_id;
> 
> ofputil_decode_meter_request(oh, _id);
> +ds_put_char(s, ' ');
> 
> -ds_put_format(s, " meter=%"PRIu32, meter_id);
> +ofp_print_meter_id(s, meter_id, '=');
> }
> 
> static const char *
> diff --git a/ofproto/ofproto-provider.h b/ofproto/ofproto-provider.h
> index 000326d7f79d..688a9e5d32eb 100644
> --- a/ofproto/ofproto-provider.h
> +++ b/ofproto/ofproto-provider.h
> @@ -112,6 +112,10 @@ struct ofproto {
> /* Meter table.  */
> struct ofputil_meter_features meter_features;
> struct hmap meters; /* uint32_t indexed 'struct meter *'.  */
> +uint32_t slowpath_meter_id; /* Datapath slowpath meter.  UINT32_MAX
> +   if not defined.  */
> +uint32_t controller_meter_id;   /* Datapath controller meter. UINT32_MAX
> +   if not defined.  */
> 
> /* OpenFlow connections. */
> struct connmgr *connmgr;
> diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
> index 8c4c7e67f213..abbb849a384b 100644
> --- a/ofproto/ofproto.c
> +++ b/ofproto/ofproto.c
> @@ -568,6 +568,8 @@ ofproto_create(const char *datapath_name, const char 
> *datapath_type,
> memset(>meter_features, 0, sizeof ofproto->meter_features);
> }
> hmap_init(>meters);
> +ofproto->slowpath_meter_id = UINT32_MAX;
> +ofproto->controller_meter_id = UINT32_MAX;
> 
> /* Set the initial tables version. */
> ofproto_bump_tables_version(ofproto);
> @@ -6232,9 +6234,33 @@ ofproto_get_meter(const struct ofproto *ofproto, 
> uint32_t meter_id)
> return NULL;
> }
> 
> +static uint32_t *
> +ofproto_upcall_meter_ptr(struct ofproto *ofproto, uint32_t meter_id)
> +{
> +switch(meter_id) {
> +case OFPM13_SLOWPATH:
> +return >slowpath_meter_id;
> +break;
> +case OFPM13_CONTROLLER:
> +r
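
Review bot: In ofproto_upcall_meter_ptr(), the `break;` that follows `return` in the OFPM13_SLOWPATH case is unreachable and can be dropped, and `switch(meter_id)` needs a space after `switch`.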

Re: [ovs-dev] [action upcall meters 2/5] ofproto-dpif: Use backer to manage datapath meter allocation

2017-04-27 Thread Jarno Rajahalme

> On Apr 14, 2017, at 12:46 PM, Andy Zhou  wrote:
> 
> Add 'meter_ids', an id-pool object to manage datapath meter id.
> 
> Currently, only userspace datapath supports meter, and it implements
> the provider_meter_id management. Moving this function to 'backer'
> allows other datapath implementations to share the same logic.
> 
> Signed-off-by: Andy Zhou 
> ---
> lib/dpif-netdev.c  | 24 
> ofproto/ofproto-dpif.c | 44 ++--
> ofproto/ofproto-dpif.h |  4 
> 3 files changed, 46 insertions(+), 26 deletions(-)
> 
> diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
> index a14a2ebb5b2a..d5417162b7af 100644
> --- a/lib/dpif-netdev.c
> +++ b/lib/dpif-netdev.c
> @@ -260,7 +260,6 @@ struct dp_netdev {
> /* Meters. */
> struct ovs_mutex meter_locks[N_METER_LOCKS];
> struct dp_meter *meters[MAX_METERS]; /* Meter bands. */
> -uint32_t meter_free; /* Next free meter. */
> 
> /* Protects access to ofproto-dpif-upcall interface during revalidator
>  * thread synchronization. */
> @@ -3896,9 +3895,6 @@ dpif_netdev_meter_set(struct dpif *dpif, 
> ofproto_meter_id *meter_id,
> struct dp_meter *meter;
> int i;
> 
> -if (mid == UINT32_MAX) {
> -mid = dp->meter_free;
> -}
> if (mid >= MAX_METERS) {
> return EFBIG; /* Meter_id out of range. */
> }
> @@ -3958,21 +3954,6 @@ dpif_netdev_meter_set(struct dpif *dpif, 
> ofproto_meter_id *meter_id,
> dp->meters[mid] = meter;
> meter_unlock(dp, mid);
> 
> -meter_id->uint32 = mid; /* Store on success. */
> -
> -/* Find next free meter */
> -if (dp->meter_free == mid) { /* Now taken. */
> -do {
> -if (++mid >= MAX_METERS) { /* Wrap around */
> -mid = 0;
> -}
> -if (mid == dp->meter_free) { /* Full circle */
> -mid = MAX_METERS;
> -break;
> -}
> -} while (dp->meters[mid]);
> -dp->meter_free = mid; /* Next free meter or MAX_METERS */
> -}
> return 0;
> }
> return ENOMEM;
> @@ -4027,11 +4008,6 @@ dpif_netdev_meter_del(struct dpif *dpif,
> meter_lock(dp, meter_id);
> dp_delete_meter(dp, meter_id);
> meter_unlock(dp, meter_id);
> -
> -/* Keep free meter index as low as possible */
> -if (meter_id < dp->meter_free) {
> -dp->meter_free = meter_id;
> -}
> }
> return error;
> }
> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
> index 6a5ffb94fa94..a026d4913731 100644
> --- a/ofproto/ofproto-dpif.c
> +++ b/ofproto/ofproto-dpif.c
> @@ -662,6 +662,7 @@ close_dpif_backer(struct dpif_backer *backer)
> free(backer->type);
> free(backer->dp_version_string);
> dpif_close(backer->dpif);
> +id_pool_destroy(backer->meter_ids);
> free(backer);
> }
> 
> @@ -787,6 +788,15 @@ open_dpif_backer(const char *type, struct dpif_backer 
> **backerp)
> = check_variable_length_userdata(backer);
> backer->dp_version_string = dpif_get_dp_version(backer->dpif);
> 
> +/* Manage Datpath meter IDs if supported. */

-> "Datapath"

> +struct ofputil_meter_features features;
> +dpif_meter_get_features(backer->dpif, );
> +if (features.max_meters) {
> +backer->meter_ids = id_pool_create(0, features.max_meters);
> +} else {
> +backer->meter_ids = NULL;
> +}
> +
> return error;
> }
> 
> @@ -5385,6 +5395,17 @@ meter_set(struct ofproto *ofproto_, ofproto_meter_id 
> *meter_id,
> {
> struct ofproto_dpif *ofproto = ofproto_dpif_cast(ofproto_);
> 
> +/* Provider ID unknown. Use backer to allocate a new DP meter */
> +if (meter_id->uint32 == UINT32_MAX) {
> +if (!ofproto->backer->meter_ids) {
> +return EFBIG; /* Datapath does not support meter.  */
> +}
> +
> +if(!id_pool_alloc_id(ofproto->backer->meter_ids, _id->uint32)) 
> {
> +return ENOMEM; /* Can't allocate a DP meter. */
> +}
> +}
> +
> switch (dpif_meter_set(ofproto->backer->dpif, meter_id, config)) {
> case 0:
> return 0;
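
Review bot: In meter_set(), an id taken from `backer->meter_ids` is not returned to the pool in the visible lines when dpif_meter_set() fails, and `meter_id->uint32` keeps the newly allocated value. Unless the error cases of the switch free it, each failed call leaks a datapath meter id; release it with id_pool_free_id() and restore UINT32_MAX on the error paths. `if(!id_pool_alloc_id` also needs a space after `if`.
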
> @@ -5414,12 +5435,31 @@ meter_get(const struct ofproto *ofproto_, 
> ofproto_meter_id meter_id,
> return OFPERR_OFPMMFC_UNKNOWN_METER;
> }
> 
> +struct free_meter_id_args {
> +struct ofproto_dpif *ofproto;
> +ofproto_meter_id meter_id;
> +};
> +
> +static void
> +free_meter_id(struct free_meter_id_args *args)
> +{
> +struct ofproto_dpif *ofproto = args->ofproto;
> +
> +dpif_meter_del(ofproto->backer->dpif, args->meter_id, NULL, 0);
> +id_pool_free_id(ofproto->backer->meter_ids, args->meter_id.uint32);
> +free(args);
> +}
> +
> static void
> meter_del(struct ofproto *ofproto_, ofproto_meter_id meter_id)
> {
> -struct ofproto_dpif *ofproto = ofproto_dpif_cast(ofproto_);
> +struct 

Re: [ovs-dev] [action upcall meters 1/5] ofproto: Store meters using hmap

2017-04-27 Thread Jarno Rajahalme
This incremental is needed to satisfy GCC 4.9.2, due to ‘meter’ potentially being 
used uninitialized:

diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
index 2e80db8..eb060d0 100644
--- a/ofproto/ofproto.c
+++ b/ofproto/ofproto.c
@@ -6564,7 +6564,7 @@ handle_meter_request(struct ofconn *ofconn, const struct 
ofp_header *request,
 struct ofproto *ofproto = ofconn_get_ofproto(ofconn);
 struct ovs_list replies;
 uint32_t meter_id;
-struct meter *meter;
+struct meter *meter = NULL;
 
 ofputil_decode_meter_request(request, _id);
 

Otherwise:

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Apr 14, 2017, at 12:46 PM, Andy Zhou <az...@ovn.org> wrote:
> 
> Currently, meters are stored in a fixed pointer array. It is not
> very efficient since the controller, at least in theory, can
> pick any meter id (up to the limits to uint32_t), not necessarily
> within the lower end of a region, or in close range to each other.
> In particular, OFPM_SLOWPATH and OFPM_CONTROLLER meters are specified
> at the high region.
> 
> Switching to using hmap. Ofproto layer does not restrict
> the number of meters that controller can add, nor does it care
> about the value of meter_id. Datapath limits the number of meters
> ofproto layer can support at run time.
> 
> Signed-off-by: Andy Zhou <az...@ovn.org>
> ---
> ofproto/ofproto-provider.h |   7 +-
> ofproto/ofproto.c  | 242 +++--
> 2 files changed, 146 insertions(+), 103 deletions(-)
> 
> diff --git a/ofproto/ofproto-provider.h b/ofproto/ofproto-provider.h
> index b7b12cdfd5f4..000326d7f79d 100644
> --- a/ofproto/ofproto-provider.h
> +++ b/ofproto/ofproto-provider.h
> @@ -109,12 +109,9 @@ struct ofproto {
> /* List of expirable flows, in all flow tables. */
> struct ovs_list expirable OVS_GUARDED_BY(ofproto_mutex);
> 
> -/* Meter table.
> - * OpenFlow meters start at 1.  To avoid confusion we leave the first
> - * pointer in the array un-used, and index directly with the OpenFlow
> - * meter_id. */
> +/* Meter table.  */
> struct ofputil_meter_features meter_features;
> -struct meter **meters; /* 'meter_features.max_meter' + 1 pointers. */
> +struct hmap meters; /* uint32_t indexed 'struct meter *'.  */
> 
> /* OpenFlow connections. */
> struct connmgr *connmgr;
> diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
> index 7440d5b52092..8c4c7e67f213 100644
> --- a/ofproto/ofproto.c
> +++ b/ofproto/ofproto.c
> @@ -281,7 +281,8 @@ static uint64_t pick_fallback_dpid(void);
> static void ofproto_destroy__(struct ofproto *);
> static void update_mtu(struct ofproto *, struct ofport *);
> static void update_mtu_ofproto(struct ofproto *);
> -static void meter_delete(struct ofproto *, uint32_t first, uint32_t last);
> +static void meter_delete(struct ofproto *, uint32_t);
> +static void meter_delete_all(struct ofproto *);
> static void meter_insert_rule(struct rule *);
> 
> /* unixctl. */
> @@ -566,8 +567,7 @@ ofproto_create(const char *datapath_name, const char 
> *datapath_type,
> } else {
> memset(>meter_features, 0, sizeof ofproto->meter_features);
> }
> -ofproto->meters = xzalloc((ofproto->meter_features.max_meters + 1)
> -  * sizeof(struct meter *));
> +hmap_init(>meters);
> 
> /* Set the initial tables version. */
> ofproto_bump_tables_version(ofproto);
> @@ -1635,12 +1635,8 @@ ofproto_destroy(struct ofproto *p, bool del)
> return;
> }
> 
> -if (p->meters) {
> -meter_delete(p, 1, p->meter_features.max_meters);
> -p->meter_features.max_meters = 0;
> -free(p->meters);
> -p->meters = NULL;
> -}
> +meter_delete_all(p);
> +hmap_destroy(>meters);
> 
> ofproto_flush__(p);
> HMAP_FOR_EACH_SAFE (ofport, next_ofport, hmap_node, >ports) {
> @@ -6211,14 +6207,37 @@ handle_flow_monitor_cancel(struct ofconn *ofconn, 
> const struct ofp_header *oh)
>  * 'provider_meter_id' is for the provider's private use.
>  */
> struct meter {
> +struct hmap_node node;  /* In ofproto->meters. */
> long long int created;  /* Time created. */
> struct ovs_list rules;  /* List of "struct rule_dpif"s. */
> +uint32_t id;/* OpenFlow meter_id. */
> ofproto_meter_id provider_meter_id;
> uint16_t flags; /* Meter flags. */
> uint16_t n_bands;   /* Number of meter bands. */
> struct ofputil_meter_band *bands;
> };
> 
> +static struct meter *
> +ofproto_get_meter(const struct ofproto *ofproto, uint32_t meter_id)
> +{
> +struct me

[ovs-dev] [PATCH v3] xlate: Use OVS_CT_ATTR_EVENTMASK.

2017-04-27 Thread Jarno Rajahalme
Specify the event mask with CT commit including bits for CT features
exposed at the OVS interface (mark and label changes in addition to
basic creation and destruction of conntrack entries).

Without this any listener of conntrack update events will typically
(depending on system configuration) receive events for each L4 (e.g.,
TCP) state machine change, which can multiply the number of events
received per connection.

By including the new, related, and destroy events any listener of new
conntrack events gets notified of new related and non-related
connections, and any listener of destroy events will get notified of
deleted (typically timed out) conntrack entries.

By including the flags for mark and labels, any listener of conntrack
update events gets notified whenever the connmark or conntrack labels
are changed from the values reported within the new events.

VMware-BZ: #1837218
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
---
v3: Added feature probing to not use the new attribute on datapaths
that do not support it.

 build-aux/extract-odp-netlink-h |  2 ++
 ofproto/ofproto-dpif-xlate.c|  6 
 ofproto/ofproto-dpif.c  | 62 +
 ofproto/ofproto-dpif.h  |  5 +++-
 4 files changed, 74 insertions(+), 1 deletion(-)

diff --git a/build-aux/extract-odp-netlink-h b/build-aux/extract-odp-netlink-h
index 907a70a..7fb6ce8 100755
--- a/build-aux/extract-odp-netlink-h
+++ b/build-aux/extract-odp-netlink-h
@@ -19,6 +19,8 @@ $i\
 #ifdef _WIN32\
 #include "OvsDpInterfaceExt.h"\
 #include "OvsDpInterfaceCtExt.h"\
+#else\
+#include "linux/netfilter/nf_conntrack_common.h"\
 #endif\
 
 # Use OVS's own struct eth_addr instead of a 6-byte char array.
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index d8c6a7c..ab5eef8 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -5351,6 +5351,12 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct 
ofpact_conntrack *ofc)
 if (ofc->flags & NX_CT_F_COMMIT) {
 nl_msg_put_flag(ctx->odp_actions, ofc->flags & NX_CT_F_FORCE ?
 OVS_CT_ATTR_FORCE_COMMIT : OVS_CT_ATTR_COMMIT);
+if (ctx->xbridge->support.ct_eventmask) {
+nl_msg_put_u32(ctx->odp_actions, OVS_CT_ATTR_EVENTMASK,
+   1 << IPCT_NEW | 1 << IPCT_RELATED |
+   1 << IPCT_DESTROY | 1 << IPCT_MARK |
+   1 << IPCT_LABEL);
+}
 }
 nl_msg_put_u16(ctx->odp_actions, OVS_CT_ATTR_ZONE, zone);
 put_ct_mark(>xin->flow, ctx->odp_actions, ctx->wc);
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index c73c273..b052b04 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -1241,6 +1241,67 @@ check_clone(struct dpif_backer *backer)
 return !error;
 }
 
+/* Tests whether 'backer''s datapath supports the OVS_CT_ATTR_EVENTMASK
+ * attribute in OVS_ACTION_ATTR_CT. */
+static bool
+check_ct_eventmask(struct dpif_backer *backer)
+{
+struct dpif_execute execute;
+struct dp_packet packet;
+struct ofpbuf actions;
+struct flow flow = {
+.dl_type = htons(ETH_TYPE_IP),
+.nw_ttl = 64,
+.nw_proto = IPPROTO_UDP,
+.nw_src = 0x0a010101,
+.nw_dst = 0x0a010102,
+.tp_src = 42387,
+.tp_dst = 13264,
+};
+size_t ct_start;
+int error;
+
+/* Compose CT action with eventmask attribute and check if datapath can
+ * decode the message.  */
+ofpbuf_init(, 64);
+ct_start = nl_msg_start_nested(, OVS_ACTION_ATTR_CT);
+/* Eventmask has no effect without the commit flag, but currently the
+ * datapath will accept an eventmask even without commit.  This is useful
+ * as we do not want to persist the probe connection in the conntrack
+ * table. */
+nl_msg_put_u32(, OVS_CT_ATTR_EVENTMASK, ~0);
+nl_msg_end_nested(, ct_start);
+
+/* Compose a dummy UDP packet. */
+dp_packet_init(, 0);
+flow_compose(, );
+
+/* Execute the actions.  On older datapaths this fails with EINVAL, on
+ * newer datapaths it succeeds. */
+execute.actions = actions.data;
+execute.actions_len = actions.size;
+execute.packet = 
+execute.flow = 
+execute.needs_help = false;
+execute.probe = true;
+execute.mtu = 0;
+
+error = dpif_execute(backer->dpif, );
+
+dp_packet_uninit();
+ofpbuf_uninit();
+
+if (error) {
+VLOG_INFO("%s: Datapath does not support eventmask in conntrack 
action",
+  dpif_name(backer->dpif));
+} else {
+VLOG_INFO("%s: Datapath supports eventmask in conntrack action",
+  dpif_name(backer->dpif));
+}
+
+return !error;
+}
+
 #define CHECK_FEATURE__(NAME, SUPPORT, FIELD, VALUE)   
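Review bot: check_ct_eventmask() gives the right answer only while the datapath accepts OVS_CT_ATTR_EVENTMASK without a commit flag, which the comment itself describes as current behaviour ("currently the datapath will accept an eventmask even without commit"). If a datapath ever rejects that combination the probe logs "does not support" and the mask is silently never sent, so the comment should record this as a dependency the datapath has to keep, or the probe needs a fallback. Separately, `execute` is declared without an initializer and filled in member by member, so any member not assigned in this function reaches dpif_execute() indeterminate; a zeroing initializer would close that off.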

Re: [ovs-dev] [PATCH] datapath-windows: Add missing IPCT_LABEL.

2017-04-27 Thread Jarno Rajahalme
Pushed to master,

  Jarno

> On Apr 27, 2017, at 11:07 AM, Sairam Venugopal <vsai...@vmware.com> wrote:
> 
> Thanks for adding this in.
> 
> Acked-by: Sairam Venugopal <vsai...@vmware.com>
> 
> 
> 
> 
> 
> On 4/19/17, 7:01 PM, "ovs-dev-boun...@openvswitch.org on behalf of Jarno 
> Rajahalme" <ovs-dev-boun...@openvswitch.org on behalf of ja...@ovn.org> wrote:
> 
>> Add the missing enum definition for IPCT_LABEL.
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
>> datapath-windows/include/OvsDpInterfaceCtExt.h | 1 +
>> 1 file changed, 1 insertion(+)
>> 
>> diff --git a/datapath-windows/include/OvsDpInterfaceCtExt.h 
>> b/datapath-windows/include/OvsDpInterfaceCtExt.h
>> index 2795edc..3b94778 100644
>> --- a/datapath-windows/include/OvsDpInterfaceCtExt.h
>> +++ b/datapath-windows/include/OvsDpInterfaceCtExt.h
>> @@ -132,6 +132,7 @@ enum ip_conntrack_events {
>>IPCT_MARK,
>>IPCT_NATSEQADJ,
>>IPCT_SECMARK,
>> +IPCT_LABEL,
>> };
>> 
>> enum ip_conntrack_expect_events {
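Review bot: IPCT_LABEL takes its value purely from its position at the end of the enum, and that value is what later becomes a `1 << IPCT_LABEL` bit in an event mask. A short comment above `enum ip_conntrack_events` stating that the order has to match the Linux definition would keep a later insertion in the middle of the list from silently shifting the bits.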
>> -- 
>> 2.1.4
>> 

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH 3/4] compat: Fix build error in kernels 4.10+

2017-04-27 Thread Jarno Rajahalme

> On Apr 27, 2017, at 1:08 PM, Greg Rose  wrote:
> 
> This is an alternative solution patch for the issue reported by
> Raymond Burkholder and the patch submitted by Guoshuai Li.  It uses
> the acinclude.m4 configuration file to check for the net parameter
> that was added  to the ipv4 and ipv6 frags init functions in the 4.10
> Linux kernel to check whether DEFRAG_ENABLE_TAKES_NET should be
> set and then checks for that at compile time.
> 
> Reported-by: Raymond Burkholder 
> CC: Guoshuai Li 
> Signed-off-by: Greg Rose 
> ---
> datapath/linux/compat/ip_fragment.c| 14 ++
> datapath/linux/compat/nf_conntrack_reasm.c | 14 ++
> 2 files changed, 28 insertions(+)
> 
> diff --git a/datapath/linux/compat/ip_fragment.c 
> b/datapath/linux/compat/ip_fragment.c
> index b0f5d0e..fccd992 100644
> --- a/datapath/linux/compat/ip_fragment.c
> +++ b/datapath/linux/compat/ip_fragment.c
> @@ -729,18 +729,32 @@ int rpl_ip_defrag(struct net *net, struct sk_buff *skb, 
> u32 user)
>   return -ENOMEM;
> }
> 
> +#ifdef HAVE_DEFRAG_ENABLE_TAKES_NET
> +static int __net_init ipv4_frags_init_net(struct net *net)
> +{
> + nf_defrag_ipv4_enable(net);
> +
> + return 0;
> +}
> +#endif
> +

Did you consider Joe’s proposal to pass the error return to the caller? If it 
makes sense, then maybe we could use nf_ functions directly and not define the 
_init_net() functions at all (as the stubs prototype is the same as the _enable 
function prototype, except for the “__net_init” attribute)?

> static void __net_exit ipv4_frags_exit_net(struct net *net)
> {
>   inet_frags_exit_net(>ipv4.frags, _frags);
> }
> 
> static struct pernet_operations ip4_frags_ops = {
> +#ifdef HAVE_DEFRAG_ENABLE_TAKES_NET
> + .init = ipv4_frags_init_net,
> +#endif
>   .exit = ipv4_frags_exit_net,
> };
> 
> int __init rpl_ipfrag_init(void)
> {
> +#ifndef HAVE_DEFRAG_ENABLE_TAKES_NET
>   nf_defrag_ipv4_enable();
> +#endif
>   register_pernet_subsys(_frags_ops);
>   ip4_frags.hashfn = ip4_hashfn;
>   ip4_frags.constructor = ip4_frag_init;
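Review bot: ipv4_frags_init_net() discards the result of nf_defrag_ipv4_enable(net) and always returns 0, so a failure to enable defragmentation in a new namespace is never seen by the pernet code. If the call returns an int on kernels that define HAVE_DEFRAG_ENABLE_TAKES_NET, `return nf_defrag_ipv4_enable(net);` would propagate it. The result of register_pernet_subsys() in rpl_ipfrag_init() is dropped as well, which matters more once `.init` can fail.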
> diff --git a/datapath/linux/compat/nf_conntrack_reasm.c 
> b/datapath/linux/compat/nf_conntrack_reasm.c
> index 0bc4d9e..701faf5 100644
> --- a/datapath/linux/compat/nf_conntrack_reasm.c
> +++ b/datapath/linux/compat/nf_conntrack_reasm.c
> @@ -558,12 +558,24 @@ out_unlock:
>   return ret;
> }
> 
> +#ifdef HAVE_DEFRAG_ENABLE_TAKES_NET
> +static int nf_ct_net_init(struct net *net)
> +{
> + nf_defrag_ipv6_enable(net);
> +
> + return 0;
> +}
> +#endif
> +
> static void nf_ct_net_exit(struct net *net)
> {
>   inet_frags_exit_net(>nf_frag.frags, _frags);
> }
> 
> static struct pernet_operations nf_ct_net_ops = {
> +#ifdef HAVE_DEFRAG_ENABLE_TAKES_NET
> + .init = nf_ct_net_init,
> +#endif
>   .exit = nf_ct_net_exit,
> };
> 
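Review bot: nf_ct_net_init() is declared without the `__net_init` annotation that the equivalent ipv4_frags_init_net() carries in ip_fragment.c; the two init hooks should be annotated the same way. It also ignores the return value of nf_defrag_ipv6_enable(net) and returns 0 unconditionally, so the same error-propagation point applies here.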
> @@ -571,7 +583,9 @@ int rpl_nf_ct_frag6_init(void)
> {
>   int ret = 0;
> 
> +#ifndef HAVE_DEFRAG_ENABLE_TAKES_NET
>   nf_defrag_ipv6_enable();
> +#endif
>   nf_frags.hashfn = nf_hashfn;
>   nf_frags.constructor = ip6_frag_init;
>   nf_frags.destructor = NULL;
> -- 
> 1.8.3.1
> 



Re: [ovs-dev] [PATCH v2 1/2] xlate: Use OVS_CT_ATTR_EVENTMASK.

2017-04-27 Thread Jarno Rajahalme

> On Apr 27, 2017, at 10:18 AM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 24 April 2017 at 19:09, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Specify the event mask with CT commit including bits for CT features
>> exposed at the OVS interface (mark and label changes in addition to
>> basic creation and destruction of conntrack entries).
>> 
>> Without this any listener of conntrack update events will typically
>> (depending on system configuration) receive events for each L4 (e.g.,
>> TCP) state machine change, which can multiply the number of events
>> received per connection.
>> 
>> By including the new, related, and destroy events any listener of new
>> conntrack events gets notified of new related and non-related
>> connections, and any listener of destroy events will get notified of
>> deleted (typically timed out) conntrack entries.
>> 
>> By including the flags for mark and labels, any listener of conntrack
>> update events gets notified whenever the connmark or conntrack labels
>> are chnaged from the values reported within the new events.
> 
> s/chnaged/changed/
> 
>> 
>> VMware-BZ: #1837218
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
> 
> 
> Acked-by: Joe Stringer <j...@ovn.org>

Thanks for the review!

I need a review on the related windows-datapath change (“datapath-windows: Add 
missing IPCT_LABEL.”) before I can push this!

  Jarno
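
The filtering that the commit message quoted above describes, as an added example that is not part of the thread or of OVS. It is a simplified model: the enum order is assumed from Linux's nf_conntrack_common.h, the per-packet event sets are constructed, and `classify_report()` and `replay_sample()` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions in the order of enum ip_conntrack_events in Linux's
 * nf_conntrack_common.h (assumed; the page shows only the tail of the enum). */
enum ip_conntrack_events {
    IPCT_NEW, IPCT_RELATED, IPCT_DESTROY, IPCT_REPLY, IPCT_ASSURED,
    IPCT_PROTOINFO, IPCT_HELPER, IPCT_MARK, IPCT_NATSEQADJ, IPCT_SECMARK,
    IPCT_LABEL
};
#define EV(e) (UINT32_C(1) << (e))

/* The mask the xlate patch attaches to a committing CT action. */
#define OVS_COMMIT_EVENTMASK \
    (EV(IPCT_NEW) | EV(IPCT_RELATED) | EV(IPCT_DESTROY) | \
     EV(IPCT_MARK) | EV(IPCT_LABEL))

enum report_group { GRP_SUPPRESSED, GRP_NEW, GRP_UPDATE, GRP_DESTROY };

/* Simplified model: the events cached while one packet is processed form one
 * report.  The report is dropped unless at least one of its bits is set in
 * 'ctmask'; otherwise it goes to exactly one multicast group. */
enum report_group classify_report(uint32_t events, uint32_t ctmask)
{
    if (!(events & ctmask)) {
        return GRP_SUPPRESSED;
    }
    if (events & EV(IPCT_DESTROY)) {
        return GRP_DESTROY;
    }
    if (events & (EV(IPCT_NEW) | EV(IPCT_RELATED))) {
        return GRP_NEW;
    }
    return GRP_UPDATE;
}

struct group_counts { unsigned suppressed, new_grp, update, destroy; };

/* Constructed sample: one report per packet of a short TCP connection. */
static const uint32_t sample_tcp_reports[] = {
    EV(IPCT_NEW) | EV(IPCT_MARK) | EV(IPCT_LABEL), /* SYN, committed. */
    EV(IPCT_REPLY) | EV(IPCT_PROTOINFO),           /* SYN+ACK. */
    EV(IPCT_ASSURED) | EV(IPCT_PROTOINFO),         /* ACK, established. */
    EV(IPCT_MARK),                                 /* Mark changed later. */
    EV(IPCT_PROTOINFO),                            /* FIN. */
    EV(IPCT_PROTOINFO),                            /* FIN+ACK. */
    EV(IPCT_PROTOINFO),                            /* Last ACK. */
    EV(IPCT_DESTROY),                              /* Entry timed out. */
};

/* Replays the sample through 'ctmask' and counts reports per group. */
struct group_counts replay_sample(uint32_t ctmask)
{
    struct group_counts c = { 0, 0, 0, 0 };
    size_t n = sizeof sample_tcp_reports / sizeof sample_tcp_reports[0];

    for (size_t i = 0; i < n; i++) {
        switch (classify_report(sample_tcp_reports[i], ctmask)) {
        case GRP_SUPPRESSED: c.suppressed++; break;
        case GRP_NEW:        c.new_grp++;    break;
        case GRP_UPDATE:     c.update++;     break;
        case GRP_DESTROY:    c.destroy++;    break;
        }
    }
    return c;
}

int main(void)
{
    struct group_counts all = replay_sample(UINT32_MAX);
    struct group_counts ovs = replay_sample(OVS_COMMIT_EVENTMASK);

    printf("mask 0x%08x: new=%u update=%u destroy=%u suppressed=%u\n",
           (unsigned) UINT32_MAX, all.new_grp, all.update, all.destroy,
           all.suppressed);
    printf("mask 0x%08x: new=%u update=%u destroy=%u suppressed=%u\n",
           (unsigned) OVS_COMMIT_EVENTMASK, ovs.new_grp, ovs.update,
           ovs.destroy, ovs.suppressed);
    return 0;
}
```

With the all-ones default every TCP state change reaches an update listener; with the OVS mask only the mark change does, while new and destroy listeners see the same reports as before.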



Re: [ovs-dev] [PATCH] datapath: Delete conntrack entry clashing with an expectation.

2017-04-27 Thread Jarno Rajahalme

> On Apr 27, 2017, at 10:36 AM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 26 April 2017 at 13:13, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Upstream commit:
>> 
>>commit cf5d70918877c6a6655dc1e92e2ebb661ce904fd
>>Author: Jarno Rajahalme <ja...@ovn.org>
>>Date:   Fri Apr 14 14:26:38 2017 -0700
>> 
>>openvswitch: Delete conntrack entry clashing with an expectation.
>> 
>>Conntrack helpers do not check for a potentially clashing conntrack
>>entry when creating a new expectation.  Also, nf_conntrack_in() will
>>check expectations (via init_conntrack()) only if a conntrack entry
>>can not be found.  The expectation for a packet which also matches an
>>existing conntrack entry will not be removed by conntrack, and is
>>currently handled inconsistently by OVS, as OVS expects the
>>expectation to be removed when the connection tracking entry matching
>>that expectation is confirmed.
>> 
>>It should be noted that normally an IP stack would not allow reuse of
>>a 5-tuple of an old (possibly lingering) connection for a new data
>>connection, so this is somewhat unlikely corner case.  However, it is
>>possible that a misbehaving source could cause conntrack entries be
>>created that could then interfere with new related connections.
>> 
>>Fix this in the OVS module by deleting the clashing conntrack entry
>>after an expectation has been matched.  This causes the following
>>nf_conntrack_in() call also find the expectation and remove it when
>>creating the new conntrack entry, as well as the forthcoming reply
>>direction packets to match the new related connection instead of the
>>old clashing conntrack entry.
>> 
>>Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
>>Reported-by: Yang Song <yangs...@vmware.com>
>>Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>>Acked-by: Joe Stringer <j...@ovn.org>
>>Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
> 
> Acked-by: Joe Stringer <j...@ovn.org>

Thanks for the review, pushed to master,

  Jarno




Re: [ovs-dev] [PATCH v2 2/2] datapath: nf_connlabels_replace() backport.

2017-04-27 Thread Jarno Rajahalme

> On Apr 27, 2017, at 10:31 AM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 24 April 2017 at 19:09, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Linux 4.7 changed nf_connlabels_replace() to trigger conntrack event
>> for a label change only when the labels actually changed.  Without
>> this change an update event is triggered even if the labels already
>> have the values they are being set to.
>> 
>> There is no way we can detect this functional change from Linux
>> headers, so provide replacements that work the same for older Linux
>> releases regardless if a distribution provides backports or not.
>> 
>> VMware-BZ: #1837218
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
> 
> I assume that by "Linux 4.7", you're actually referring to the following 
> commit?
> 5a8145f7b222 ("netfilter: labels: don't emit ct event if labels were
> not changed")
> 
> It might be helpful for future reference (including review) to refer
> to this commit in the code comment below.
> 

Right, thanks for suggesting this. I added this to both the commit message and 
the code comment.

> Otherwise LGTM.
> 
> Acked-by: Joe Stringer <j...@ovn.org>

Pushed to master,

  Jarno



Re: [ovs-dev] [PATCH 2/2] datapath: Add eventmask support to CT action.

2017-04-27 Thread Jarno Rajahalme

> On Apr 27, 2017, at 10:15 AM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 24 April 2017 at 13:50, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Upstream commit:
>> 
>>commit 120645513f55a4ac5543120d9e79925d30a0156f
>>Author: Jarno Rajahalme <ja...@ovn.org>
>>Date:   Fri Apr 21 16:48:06 2017 -0700
>> 
>>openvswitch: Add eventmask support to CT action.
>> 
>>Add a new optional conntrack action attribute OVS_CT_ATTR_EVENTMASK,
>>which can be used in conjunction with the commit flag
>>(OVS_CT_ATTR_COMMIT) to set the mask of bits specifying which
>>conntrack events (IPCT_*) should be delivered via the Netfilter
>>netlink multicast groups.  Default behavior depends on the system
>>configuration, but typically a lot of events are delivered.  This can be
>>very chatty for the NFNLGRP_CONNTRACK_UPDATE group, even if only some
>>types of events are of interest.
>> 
>>Netfilter core init_conntrack() adds the event cache extension, so we
>>only need to set the ctmask value.  However, if the system is
>>configured without support for events, the setting will be skipped due
>>to extension not being found.
>> 
>>Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>>Reviewed-by: Greg Rose <gvrose8...@gmail.com>
>>Acked-by: Joe Stringer <j...@ovn.org>
>>Signed-off-by: David S. Miller <da...@davemloft.net>
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> 
> Acked-by: Joe Stringer <j...@ovn.org>

Thanks for the review, series pushed to master.

  Jarno



Re: [ovs-dev] [PATCH 2/2] revalidator: Improve logging for transition_ukey().

2017-04-26 Thread Jarno Rajahalme

> On Apr 26, 2017, at 6:03 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> There are a few cases where more introspection into ukey transitions
> would be relevant for logging or assertion. Track the SOURCE_LOCATOR and
> thread id when states are transitioned and use these for logging.
> 
> Suggested-by: Jarno Rajahalme <ja...@ovn.org>
> Signed-off-by: Joe Stringer <j...@ovn.org>
> ---
> ofproto/ofproto-dpif-upcall.c | 17 -
> 1 file changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
> index ccf15a3c80b3..8aff613161d9 100644
> --- a/ofproto/ofproto-dpif-upcall.c
> +++ b/ofproto/ofproto-dpif-upcall.c
> @@ -281,6 +281,10 @@ struct udpif_key {
> uint64_t reval_seq OVS_GUARDED;   /* Tracks udpif->reval_seq. */
> enum ukey_state state OVS_GUARDED;/* Tracks ukey lifetime. */
> 
> +/* 'state' debug information. */
> +unsigned int state_thread OVS_GUARDED;/* Thread that transitions. */
> +const char *state_where OVS_GUARDED;  /* transition_ukey() locator. 
> */
> +
> /* Datapath flow actions as nlattrs.  Protected by RCU.  Read with
>  * ukey_get_actions(), and write with ukey_set_actions(). */
> OVSRCU_TYPE(struct ofpbuf *) actions;
> @@ -1484,6 +1488,8 @@ ukey_create__(const struct nlattr *key, size_t key_len,
> ukey->dump_seq = dump_seq;
> ukey->reval_seq = reval_seq;
> ukey->state = UKEY_CREATED;
> +ukey->state_thread = ovsthread_id_self();
> +ukey->state_where = OVS_SOURCE_LOCATOR;
> ukey->created = time_msec();
> memset(>stats, 0, sizeof ukey->stats);
> ukey->stats.used = used;
> @@ -1674,7 +1680,11 @@ static void
> transition_ukey(struct udpif_key *ukey, enum ukey_state dst)
> OVS_REQUIRES(ukey->mutex)
> {
> -ovs_assert(dst >= ukey->state);
> +if (dst >= ukey->state) {
> +VLOG_ABORT("Invalid ukey transition %d->%d (last transitioned from "
> +   "thread %u at %s)", ukey->state, dst, ukey->state_thread,
> +   ukey->state_where);
> +}
> if (ukey->state == dst && dst == UKEY_OPERATIONAL) {
> return;
> }
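Review bot: The new guard in transition_ukey() is inverted. The removed line asserted `dst >= ukey->state`, so the abort belongs on the opposite condition, `if (dst < ukey->state)`; as written, VLOG_ABORT fires on every valid forward or same-state transition and never on a backward one.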
> @@ -1709,6 +1719,8 @@ transition_ukey(struct udpif_key *ukey, enum ukey_state 
> dst)
>  ds_cstr(), ukey->state, dst);
> ds_destroy();
> }
> +ukey->state_thread = ovsthread_id_self();
> +ukey->state_where = OVS_SOURCE_LOCATOR;

You’ll want to evaluate OVS_SOURCE_LOCATOR at the caller of the 
transition_ukey() instead. To do that you’ll need to add a “const char *where” 
argument, and then make a macro that uses OVS_SOURCE_LOCATOR as that additional 
argument, and make the callers use the new macro instead of calling the 
function directly.

As is it will always report the same line (right here).

  Jarno

> }
> 
> static bool
> @@ -2327,6 +2339,9 @@ revalidate(struct revalidator *revalidator)
> /* The flow is now confirmed to be in the datapath. */
> transition_ukey(ukey, UKEY_OPERATIONAL);
> } else {
> +VLOG_INFO("Unexpected ukey transition from state %d "
> +  "(last transitioned from thread %u at %s)",
> +  ukey->state, ukey->state_thread, 
> ukey->state_where);
> ovs_mutex_unlock(>mutex);
> continue;
> }
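Review bot: The VLOG_INFO added to the else branch of revalidate() runs once for every ukey found in an unexpected state, inside a loop (note the `continue`), with no rate limit. A burst of such ukeys would flood the log at INFO level; a rate-limited call (VLOG_INFO_RL with a static rate limiter) or DBG level would be safer, and naming the ukey in the message would make the line usable for diagnosis.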
> -- 
> 2.11.1
> 
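
The wrapper-macro approach suggested in the reply above, as an added example that is not code from the patch or from OVS. `DEMO_SOURCE_LOCATOR` is a stand-in assumed to behave like OVS_SOURCE_LOCATOR (a "file:line" string literal), and all `demo_`/`DEMO_` names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_STRINGIZE_(x) #x
#define DEMO_STRINGIZE(x) DEMO_STRINGIZE_(x)
/* Stand-in for OVS_SOURCE_LOCATOR (assumed): a "file:line" string literal for
 * the line on which the macro is expanded. */
#define DEMO_SOURCE_LOCATOR __FILE__ ":" DEMO_STRINGIZE(__LINE__)

enum demo_state { DEMO_CREATED = 1, DEMO_VISIBLE, DEMO_OPERATIONAL };

struct demo_ukey {
    enum demo_state state;
    const char *state_where;    /* Where the last transition was requested. */
};

/* Locator expanded inside the function: every caller records this same line,
 * which is the problem the reply points out. */
int demo_transition_callee(struct demo_ukey *ukey, enum demo_state dst)
{
    if (dst < ukey->state) {
        return -1;
    }
    ukey->state = dst;
    ukey->state_where = DEMO_SOURCE_LOCATOR;
    return 0;
}

/* Locator supplied by the caller.  Returns -1 and leaves the key untouched on
 * a backward transition, reporting where the current state was set. */
int demo_transition_at(struct demo_ukey *ukey, enum demo_state dst,
                       const char *where)
{
    if (dst < ukey->state) {
        fprintf(stderr, "%s: invalid transition %d->%d (last set at %s)\n",
                where, (int) ukey->state, (int) dst, ukey->state_where);
        return -1;
    }
    ukey->state = dst;
    ukey->state_where = where;
    return 0;
}

/* Callers use the macro, so the locator is expanded at each call site. */
#define demo_transition(UKEY, DST) \
    demo_transition_at(UKEY, DST, DEMO_SOURCE_LOCATOR)

/* Returns 1 if two call sites on different lines recorded different places. */
int demo_caller_sites_distinct(void)
{
    struct demo_ukey ukey = { DEMO_CREATED, "(initial)" };
    const char *first;

    demo_transition(&ukey, DEMO_VISIBLE);
    first = ukey.state_where;
    demo_transition(&ukey, DEMO_OPERATIONAL);
    return strcmp(first, ukey.state_where) != 0;
}

/* Same two calls through the callee-side variant: returns 0, because both
 * transitions record the one line inside demo_transition_callee(). */
int demo_callee_sites_distinct(void)
{
    struct demo_ukey ukey = { DEMO_CREATED, "(initial)" };
    const char *first;

    demo_transition_callee(&ukey, DEMO_VISIBLE);
    first = ukey.state_where;
    demo_transition_callee(&ukey, DEMO_OPERATIONAL);
    return strcmp(first, ukey.state_where) != 0;
}

/* Returns 1 if a backward transition is refused and the state is kept. */
int demo_backward_rejected(void)
{
    struct demo_ukey ukey = { DEMO_OPERATIONAL, "(initial)" };

    return demo_transition(&ukey, DEMO_CREATED) == -1
           && ukey.state == DEMO_OPERATIONAL;
}

int main(void)
{
    printf("caller-side locators distinct: %d\n", demo_caller_sites_distinct());
    printf("callee-side locators distinct: %d\n", demo_callee_sites_distinct());
    printf("backward transition rejected:  %d\n", demo_backward_rejected());
    return 0;
}
```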



[ovs-dev] [PATCH] datapath: Delete conntrack entry clashing with an expectation.

2017-04-26 Thread Jarno Rajahalme
Upstream commit:

commit cf5d70918877c6a6655dc1e92e2ebb661ce904fd
Author: Jarno Rajahalme <ja...@ovn.org>
Date:   Fri Apr 14 14:26:38 2017 -0700

openvswitch: Delete conntrack entry clashing with an expectation.

Conntrack helpers do not check for a potentially clashing conntrack
entry when creating a new expectation.  Also, nf_conntrack_in() will
check expectations (via init_conntrack()) only if a conntrack entry
can not be found.  The expectation for a packet which also matches an
existing conntrack entry will not be removed by conntrack, and is
currently handled inconsistently by OVS, as OVS expects the
expectation to be removed when the connection tracking entry matching
that expectation is confirmed.

It should be noted that normally an IP stack would not allow reuse of
a 5-tuple of an old (possibly lingering) connection for a new data
connection, so this is somewhat unlikely corner case.  However, it is
possible that a misbehaving source could cause conntrack entries be
created that could then interfere with new related connections.

Fix this in the OVS module by deleting the clashing conntrack entry
after an expectation has been matched.  This causes the following
nf_conntrack_in() call also find the expectation and remove it when
creating the new conntrack entry, as well as the forthcoming reply
direction packets to match the new related connection instead of the
old clashing conntrack entry.

Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
Reported-by: Yang Song <yangs...@vmware.com>
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 datapath/conntrack.c | 30 +-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 4c42a48..6f5690a 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -548,10 +548,38 @@ ovs_ct_expect_find(struct net *net, const struct 
nf_conntrack_zone *zone,
   u16 proto, const struct sk_buff *skb)
 {
struct nf_conntrack_tuple tuple;
+   struct nf_conntrack_expect *exp;
 
if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, 
))
return NULL;
-   return __nf_ct_expect_find(net, zone, );
+
+   exp = __nf_ct_expect_find(net, zone, );
+   if (exp) {
+   struct nf_conntrack_tuple_hash *h;
+
+   /* Delete existing conntrack entry, if it clashes with the
+* expectation.  This can happen since conntrack ALGs do not
+* check for clashes between (new) expectations and existing
+* conntrack entries.  nf_conntrack_in() will check the
+* expectations only if a conntrack entry can not be found,
+* which can lead to OVS finding the expectation (here) in the
+* init direction, but which will not be removed by the
+* nf_conntrack_in() call, if a matching conntrack entry is
+* found instead.  In this case all init direction packets
+* would be reported as new related packets, while reply
+* direction packets would be reported as un-related
+* established packets.
+*/
+   h = nf_conntrack_find_get(net, zone, );
+   if (h) {
+   struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
+
+   nf_ct_delete(ct, 0, 0);
+   nf_conntrack_put(>ct_general);
+   }
+   }
+
+   return exp;
 }
 
 /* This replicates logic from nf_conntrack_core.c that is not exported. */
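Review bot: ovs_ct_expect_find() now deletes a conntrack entry as a side effect of what its name presents as a lookup, and nothing at the function's head says so. Add a function comment stating that a matching expectation causes the clashing entry to be removed (or rename the function), so that future callers do not treat it as read-only. The result of `nf_ct_delete(ct, 0, 0)` is also not checked, so if the entry is not actually removed the clash described in the new comment persists with no trace.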
-- 
2.1.4



[ovs-dev] [PATCH] xlate: Use OVS_CT_ATTR_EVENTMASK.

2017-04-24 Thread Jarno Rajahalme
Specify the event mask with CT commit including bits for CT features
exposed at the OVS interface (mark and label changes in addition to
basic creation and destruction of conntrack entries).

VMware-BZ: #1837218
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
This patch depends on the following other patches currently in review:
- "datapath-windows: Add missing IPCT_LABEL."
- "datapath: Add eventmask support to CT action."

build-aux/extract-odp-netlink-h | 2 ++
 ofproto/ofproto-dpif-xlate.c| 3 +++
 2 files changed, 5 insertions(+)

diff --git a/build-aux/extract-odp-netlink-h b/build-aux/extract-odp-netlink-h
index 907a70a..7fb6ce8 100755
--- a/build-aux/extract-odp-netlink-h
+++ b/build-aux/extract-odp-netlink-h
@@ -19,6 +19,8 @@ $i\
 #ifdef _WIN32\
 #include "OvsDpInterfaceExt.h"\
 #include "OvsDpInterfaceCtExt.h"\
+#else\
+#include "linux/netfilter/nf_conntrack_common.h"\
 #endif\
 
 # Use OVS's own struct eth_addr instead of a 6-byte char array.
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index d8c6a7c..21f2f7a 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -5351,6 +5351,9 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct 
ofpact_conntrack *ofc)
 if (ofc->flags & NX_CT_F_COMMIT) {
 nl_msg_put_flag(ctx->odp_actions, ofc->flags & NX_CT_F_FORCE ?
 OVS_CT_ATTR_FORCE_COMMIT : OVS_CT_ATTR_COMMIT);
+nl_msg_put_u32(ctx->odp_actions, OVS_CT_ATTR_EVENTMASK,
+   1 << IPCT_NEW | 1 << IPCT_RELATED | 1 << IPCT_DESTROY |
+   1 << IPCT_MARK | 1 << IPCT_LABEL);
 }
 nl_msg_put_u16(ctx->odp_actions, OVS_CT_ATTR_ZONE, zone);
 put_ct_mark(>xin->flow, ctx->odp_actions, ctx->wc);
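Review bot: OVS_CT_ATTR_EVENTMASK is appended to every committing CT action unconditionally. A datapath that does not know the attribute will refuse the whole action (the kernel side of this series reports unrecognised types through the "Unknown conntrack attr" default case in parse_ct()), so commits would fail against an older kernel module. Gate the nl_msg_put_u32() call on a probed datapath capability, and list that probe among the dependencies under the `---` line.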
-- 
2.1.4



[ovs-dev] [PATCH 2/2] datapath: Add eventmask support to CT action.

2017-04-24 Thread Jarno Rajahalme
Upstream commit:

commit 120645513f55a4ac5543120d9e79925d30a0156f
Author: Jarno Rajahalme <ja...@ovn.org>
Date:   Fri Apr 21 16:48:06 2017 -0700

openvswitch: Add eventmask support to CT action.

Add a new optional conntrack action attribute OVS_CT_ATTR_EVENTMASK,
which can be used in conjunction with the commit flag
(OVS_CT_ATTR_COMMIT) to set the mask of bits specifying which
conntrack events (IPCT_*) should be delivered via the Netfilter
netlink multicast groups.  Default behavior depends on the system
configuration, but typically a lot of events are delivered.  This can be
very chatty for the NFNLGRP_CONNTRACK_UPDATE group, even if only some
types of events are of interest.

Netfilter core init_conntrack() adds the event cache extension, so we
only need to set the ctmask value.  However, if the system is
configured without support for events, the setting will be skipped due
to extension not being found.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Reviewed-by: Greg Rose <gvrose8...@gmail.com>
Acked-by: Joe Stringer <j...@ovn.org>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 datapath/conntrack.c  | 27 +++
 datapath/linux/compat/include/linux/openvswitch.h | 12 ++
 lib/dpif-netdev.c |  4 
 3 files changed, 43 insertions(+)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index f911fe8..95c3739 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -73,7 +73,9 @@ struct ovs_conntrack_info {
u8 nat : 3; /* enum ovs_ct_nat */
u8 random_fully_compat : 1; /* bool */
u8 force : 1;
+   u8 have_eventmask : 1;
u16 family;
+   u32 eventmask;  /* Mask of 1 << IPCT_*. */
struct md_mark mark;
struct md_labels labels;
 #ifdef CONFIG_NF_NAT_NEEDED
@@ -1041,6 +1043,20 @@ static int ovs_ct_commit(struct net *net, struct 
sw_flow_key *key,
if (!ct)
return 0;
 
+   /* Set the conntrack event mask if given.  NEW and DELETE events have
+* their own groups, but the NFNLGRP_CONNTRACK_UPDATE group listener
+* typically would receive many kinds of updates.  Setting the event
+* mask allows those events to be filtered.  The set event mask will
+* remain in effect for the lifetime of the connection unless changed
+* by a further CT action with both the commit flag and the eventmask
+* option. */
+   if (info->have_eventmask) {
+   struct nf_conntrack_ecache *cache = nf_ct_ecache_find(ct);
+
+   if (cache)
+   cache->ctmask = info->eventmask;
+   }
+
/* Apply changes before confirming the connection so that the initial
 * conntrack NEW netlink event carries the values given in the CT
 * action.
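Review bot: When nf_ct_ecache_find(ct) returns NULL in ovs_ct_commit() the requested mask is dropped with no indication, and user space that sent OVS_CT_ATTR_EVENTMASK cannot tell that filtering is not in effect. The commit message mentions this for systems configured without event support, but the code comment does not; state it there as well, and consider a rate-limited debug message so the silent case can be diagnosed.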
@@ -1277,6 +1293,8 @@ static const struct ovs_ct_len_tbl 
ovs_ct_attr_lens[OVS_CT_ATTR_MAX + 1] = {
/* NAT length is checked when parsing the nested attributes. */
[OVS_CT_ATTR_NAT]   = { .minlen = 0, .maxlen = INT_MAX },
 #endif
+   [OVS_CT_ATTR_EVENTMASK] = { .minlen = sizeof(u32),
+   .maxlen = sizeof(u32) },
 };
 
 static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
@@ -1355,6 +1373,11 @@ static int parse_ct(const struct nlattr *attr, struct 
ovs_conntrack_info *info,
break;
}
 #endif
+   case OVS_CT_ATTR_EVENTMASK:
+   info->have_eventmask = true;
+   info->eventmask = nla_get_u32(a);
+   break;
+
default:
OVS_NLERR(log, "Unknown conntrack attr (%d)",
  type);
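Review bot: The OVS_CT_ATTR_EVENTMASK case in parse_ct() stores whatever u32 arrives. Bits that correspond to no IPCT_* event are kept, and the attribute is accepted even when the action has no commit flag, although the commit message describes it as used "in conjunction with the commit flag" and ovs_ct_commit() is the only place that applies it. Either reject the attribute without commit or document that it is ignored there, so that user space does not come to depend on the lenient parse by accident.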
@@ -1558,6 +1581,10 @@ int ovs_ct_action_to_attr(const struct 
ovs_conntrack_info *ct_info,
   ct_info->helper->name))
return -EMSGSIZE;
}
+   if (ct_info->have_eventmask &&
+   nla_put_u32(skb, OVS_CT_ATTR_EVENTMASK, ct_info->eventmask))
+   return -EMSGSIZE;
+
 #ifdef CONFIG_NF_NAT_NEEDED
if (ct_info->nat && !ovs_ct_nat_to_attr(ct_info, skb))
return -EMSGSIZE;
diff --git a/datapath/linux/compat/include/linux/openvswitch.h 
b/datapath/linux/compat/include/linux/openvswitch.h
index 8a6b729..72627f9 100644
--- a/datapath/linux/compat/include/linux/openvswitch.h
+++ b/datapath/linux/compat/include/linux/openvswitch.h
@@ -739,6 +739,17 @@ struct ovs_action_push_tnl {
  * nothing if the connection is already committed will check that the current
  * packet is in conntrack entry's original direction.  If directionality does
  * no

[ovs-dev] [PATCH 1/2] datapath: Typo fix.

2017-04-24 Thread Jarno Rajahalme
Upstream commit:

commit abd0a4f2b41812e9ba334945e256909e3d28da57
Author: Jarno Rajahalme <ja...@ovn.org>
Date:   Fri Apr 21 16:48:05 2017 -0700

openvswitch: Typo fix.

Fix typo in a comment.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Greg Rose <gvrose8...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 datapath/conntrack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 4c42a48..f911fe8 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -383,7 +383,7 @@ static int ovs_ct_init_labels(struct nf_conn *ct, struct 
sw_flow_key *key,
}
 
/* Labels are included in the IPCTNL_MSG_CT_NEW event only if the
-* IPCT_LABEL bit it set in the event cache.
+* IPCT_LABEL bit is set in the event cache.
 */
nf_conntrack_event_cache(IPCT_LABEL, ct);
 
-- 
2.1.4



Re: [ovs-dev] [PATCH] ovs-ofctl: Document group selection algorithm.

2017-04-24 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Apr 24, 2017, at 9:06 AM, Ben Pfaff <b...@ovn.org> wrote:
> 
> Signed-off-by: Ben Pfaff <b...@ovn.org>
> ---
> utilities/ovs-ofctl.8.in | 10 ++
> 1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
> index 96232a5003e4..2e6679ebe98c 100644
> --- a/utilities/ovs-ofctl.8.in
> +++ b/utilities/ovs-ofctl.8.in
> @@ -1960,10 +1960,12 @@ other commands. The following keywords designated the 
> allowed types:
> .IP \fBall\fR
> Execute all buckets in the group.
> .IP \fBselect\fR
> -Execute one bucket in the group.
> -The switch should select the bucket in such a way that should implement
> -equal load sharing is achieved.  The switch may optionally select the
> -bucket based on bucket weights.
> +Execute one bucket in the group, balancing across the buckets
> +according to their weights.  To select a bucket, for each live bucket,
> +Open vSwitch hashes flow data with the bucket ID and multiplies by the
> +bucket weight to obtain a ``score,'' and then selects the bucket with
> +the highest score.  Use \fBselection_method\fR to control the flow
> +data used for selection.
> .IP \fBindirect\fR
> Executes the one bucket in the group.
> .IP \fBff\fR
> -- 
> 2.10.2
> 



Re: [ovs-dev] [PATCH v1] flow.c: Refactor the key_extract function in parsing frame.

2017-04-21 Thread Jarno Rajahalme
As a policy, Linux kernel datapath changes other than backports need to go to 
upstream Linux first, new features to net-next tree, and bug fixes to net tree. 
See the documentation file ‘backporting-patches.rst’ in directory 
‘Documentation/internals/contributing/’ of the OVS tree for a more detailed 
description of the process.

Also, the commit message should contain a clear motivation for the change. 
Changes that enhance readability may adversely affect datapath performance, so 
having a report on performance testing would be helpful in determining whether 
to apply the change.

Regards,

  Jarno

> On Apr 21, 2017, at 12:21 AM, Zhenyu Gao  wrote:
> 
> 1. Consume switch/case to judge type of frame instead of using if/else.
> 2. Add parse_ipv4hdr for ipv4 frame header parsing.
> 
> Signed-off-by: Zhenyu Gao 
> ---
> datapath/flow.c | 230 
> 1 file changed, 117 insertions(+), 113 deletions(-)
> 
> diff --git a/datapath/flow.c b/datapath/flow.c
> index 2bc1ad0..0b35de6 100644
> --- a/datapath/flow.c
> +++ b/datapath/flow.c
> @@ -250,6 +250,46 @@ static bool icmphdr_ok(struct sk_buff *skb)
> sizeof(struct icmphdr));
> }
> 
> +/**
> +  * Parse ipv4 header from an Ethernet frame.
> +  * Return ipv4 header length if successful, otherwise a negative errno 
> value.
> +  */
> +static int parse_ipv4hdr(struct sk_buff *skb, struct sw_flow_key *key)
> +{
> + int err;
> + struct iphdr *nh;
> + __be16 offset;
> +
> + err = check_iphdr(skb);
> + if (unlikely(err))
> + return err;
> +
> + nh = ip_hdr(skb);
> + key->ipv4.addr.src = nh->saddr;
> + key->ipv4.addr.dst = nh->daddr;
> +
> + key->ip.proto = nh->protocol;
> + key->ip.tos = nh->tos;
> + key->ip.ttl = nh->ttl;
> +
> + offset = nh->frag_off & htons(IP_OFFSET);
> + if (offset) {
> + key->ip.frag = OVS_FRAG_TYPE_LATER;
> + } else {
> + if (nh->frag_off & htons(IP_MF) ||
> + skb_shinfo(skb)->gso_type & SKB_GSO_UDP) {
> + key->ip.frag = OVS_FRAG_TYPE_FIRST;
> + } else {
> + key->ip.frag = OVS_FRAG_TYPE_NONE;
> + }
> + }
> + return ip_hdrlen(skb);
> +}
> +
> +/**
> +  * Parse ipv6 header from an Ethernet frame.
> +  * Return ipv6 header length if successful, otherwise a negative errno 
> value.
> +  */
> static int parse_ipv6hdr(struct sk_buff *skb, struct sw_flow_key *key)
> {
>   unsigned int nh_ofs = skb_network_offset(skb);
> @@ -283,7 +323,10 @@ static int parse_ipv6hdr(struct sk_buff *skb, struct 
> sw_flow_key *key)
>   else
>   key->ip.frag = OVS_FRAG_TYPE_FIRST;
>   } else {
> - key->ip.frag = OVS_FRAG_TYPE_NONE;
> + if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
> + key->ip.frag = OVS_FRAG_TYPE_FIRST;
> + else
> + key->ip.frag = OVS_FRAG_TYPE_NONE;
>   }
> 
>   /* Delayed handling of error in ipv6_skip_exthdr() as it
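Review bot: The else branch of parse_ipv6hdr() changes behaviour rather than structure: packets with `SKB_GSO_UDP` set are now classified as OVS_FRAG_TYPE_FIRST where they were OVS_FRAG_TYPE_NONE before. The commit message lists only the switch/case conversion and the new parse_ipv4hdr(), so this should be split into its own patch with a rationale, or at least be called out in the message, since it alters which flows IPv6 UDP GSO packets match.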
> @@ -561,42 +604,43 @@ static int key_extract(struct sk_buff *skb, struct 
> sw_flow_key *key)
>   key->eth.type = skb->protocol;
> 
>   /* Network layer. */
> - if (key->eth.type == htons(ETH_P_IP)) {
> - struct iphdr *nh;
> - __be16 offset;
> + switch(key->eth.type) {
> + case htons(ETH_P_IP):
> + case htons(ETH_P_IPV6): {
> + int nh_len;
> + if (key->eth.type == htons(ETH_P_IP)) {
> + nh_len = parse_ipv4hdr(skb, key);
> + } else {
> + nh_len = parse_ipv6hdr(skb, key);
> + }
> 
> - error = check_iphdr(skb);
> - if (unlikely(error)) {
> - memset(>ip, 0, sizeof(key->ip));
> - memset(>ipv4, 0, sizeof(key->ipv4));
> - if (error == -EINVAL) {
> + if (unlikely(nh_len < 0)) {
> + switch (nh_len) {
> + case -EINVAL:
> + memset(>ip, 0, sizeof(key->ip));
> + if (key->eth.type == htons(ETH_P_IP)) {
> + memset(>ipv4.addr, 0, 
> sizeof(key->ipv4.addr));
> + } else {
> + memset(>ipv6.addr, 0, 
> sizeof(key->ipv6.addr));
> + }
> + /* fall-through */
> + case -EPROTO:
>   skb->transport_header = skb->network_header;
>   error = 0;
> + break;
> + default:
> + error = nh_len;
>   }
>   return error;
>   }
> 
> - nh = ip_hdr(skb);
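
Review bot: The IPv4 error path in key_extract() now clears less than it did: the removed lines ran memset() on key->ip and on the whole of key->ipv4 for every check_iphdr() failure, while the added 'case -EINVAL:' arm clears key->ip and only key->ipv4.addr, and the 'default:' arm returns the error without zeroing anything. If the narrower clearing is intended, the commit message should say so; otherwise keep the memset() calls ahead of the inner switch. Style: 'switch(key->eth.type)' needs a space after 'switch', and the if/else that picks parse_ipv4hdr() or parse_ipv6hdr() re-tests the value the two case labels already matched, so separate case bodies that share the error handling would be clearer.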

Re: [ovs-dev] [PATCH] bridge: Log interface deletion

2017-04-20 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Apr 20, 2017, at 5:39 PM, Andy Zhou <az...@ovn.org> wrote:
> 
> Currently, interface additions are logged but not deletions. This
> makes system debugging, such as confirming OVSDB transactions are
> replicated in a timely manner, harder than necessary.
> 
> Signed-off-by: Andy Zhou <az...@ovn.org>
> ---
> vswitchd/bridge.c | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
> index 867a26d8de19..81bd8074e593 100644
> --- a/vswitchd/bridge.c
> +++ b/vswitchd/bridge.c
> @@ -4317,6 +4317,9 @@ iface_destroy__(struct iface *iface)
> struct port *port = iface->port;
> struct bridge *br = port->bridge;
> 
> +VLOG_INFO("bridge %s: deleted interface %s on port %d",
> +  br->name, iface->name, iface->ofp_port);
> +
> if (br->ofproto && iface->ofp_port != OFPP_NONE) {
> ofproto_port_unregister(br->ofproto, iface->ofp_port);
> }
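
Review bot: The added VLOG_INFO() sits above the 'iface->ofp_port != OFPP_NONE' test, so it also fires for an interface that has no OpenFlow port and prints the OFPP_NONE value as if it were a port number. Log the port number only inside that 'if', or print a separate message without it in the OFPP_NONE case. Also confirm that '%d' matches the type of iface->ofp_port.
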
> -- 
> 1.8.3.1
> 

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH v2 2/2] datapath: pass extended ACK struct to parsing functions

2017-04-20 Thread Jarno Rajahalme

> On Apr 20, 2017, at 4:36 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 19 April 2017 at 16:54, Jarno Rajahalme <ja...@ovn.org> wrote:
>> From: Johannes Berg <johannes.b...@intel.com>
>> 
>> Upstream commit:
>> 
>>commit fceb6435e85298f747fee938415057af837f5a8a
>>Author: Johannes Berg <johannes.b...@intel.com>
>>Date:   Wed Apr 12 14:34:07 2017 +0200
>> 
>>netlink: pass extended ACK struct to parsing functions
>> 
>>Pass the new extended ACK reporting struct to all of the generic
>>netlink parsing functions. For now, pass NULL in almost all callers
>>(except for some in the core.)
>> 
>>Signed-off-by: Johannes Berg <johannes.b...@intel.com>
>>Signed-off-by: David S. Miller <da...@davemloft.net>
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
> 
> Acked-by: Joe Stringer <j...@ovn.org>

Thanks for the review, pushed to master,

  Jarno



Re: [ovs-dev] [PATCH 6/6] rstp: Add the 'ovs-appctl rstp/show' command.

2017-04-20 Thread Jarno Rajahalme
I’d like to see one of the existing RSTP test cases modified to use this new 
feature.

One more comment below,

  Jarno


> On Mar 31, 2017, at 8:11 PM, nickcooper-zhangtonghao  
> wrote:
> 
> The rstp/show command will help users and developers to
> get more details about rstp. This patch works together with
> the previous patches.
> 
> Signed-off-by: nickcooper-zhangtonghao 
> ---
> NEWS   |   4 +-
> lib/rstp.c | 113 +++--
> lib/rstp.h |   2 +-
> vswitchd/ovs-vswitchd.8.in |  11 -
> 4 files changed, 123 insertions(+), 7 deletions(-)
> 
> diff --git a/NEWS b/NEWS
> index 00c9106..a28b8da 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -15,7 +15,9 @@ Post-v2.7.0
>  "dot1q-tunnel" port VLAN mode.
>- OVN:
>  * Make the DHCPv4 router setting optional.
> -   - Add the command 'ovs-appctl stp/show' (see ovs-vswitchd(8)).
> +   - STP/RSTP
> + * Add the command 'ovs-appctl stp/show' and 'ovs-appctl rstp/show'
> +   (see ovs-vswitchd(8)).
> 
> v2.7.0 - 21 Feb 2017
> -
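
Review bot: The new NEWS entry lists two commands but still reads "Add the command"; make it "Add the commands". The new "- STP/RSTP" heading also lacks the trailing colon that the "- OVN:" heading just above it uses.
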
> diff --git a/lib/rstp.c b/lib/rstp.c
> index b942f6e..7a4f1ea 100644
> --- a/lib/rstp.c
> +++ b/lib/rstp.c
> @@ -120,6 +120,10 @@ static void rstp_port_set_mcheck__(struct rstp_port *, 
> bool mcheck)
> OVS_REQUIRES(rstp_mutex);
> static void reinitialize_port__(struct rstp_port *p)
> OVS_REQUIRES(rstp_mutex);
> +static void rstp_unixctl_tcn(struct unixctl_conn *, int argc,
> + const char *argv[], void *aux);
> +static void rstp_unixctl_show(struct unixctl_conn *, int argc,
> +  const char *argv[], void *aux);
> 
> const char *
> rstp_state_name(enum rstp_state state)
> @@ -208,9 +212,6 @@ rstp_port_get_number(const struct rstp_port *p)
> return number;
> }
> 
> -static void rstp_unixctl_tcn(struct unixctl_conn *, int argc,
> - const char *argv[], void *aux);
> -
> /* Decrements the State Machines' timers. */
> void
> rstp_tick_timers(struct rstp *rstp)
> @@ -246,6 +247,8 @@ rstp_init(void)
> 
> unixctl_command_register("rstp/tcn", "[bridge]", 0, 1, 
> rstp_unixctl_tcn,
>  NULL);
> +unixctl_command_register("rstp/show", "[bridge]", 0, 1,
> + rstp_unixctl_show, NULL);
> ovsthread_once_done();
> }
> }
> @@ -1398,7 +1401,7 @@ rstp_get_designated_root(const struct rstp *rstp)
>  * there is no such port.
>  */
> struct rstp_port *
> -rstp_get_root_port(struct rstp *rstp)
> +rstp_get_root_port(const struct rstp *rstp)
> OVS_EXCLUDED(rstp_mutex)
> {
> struct rstp_port *p;
> @@ -1545,3 +1548,105 @@ rstp_unixctl_tcn(struct unixctl_conn *conn, int argc,
> out:
> ovs_mutex_unlock(_mutex);
> }
> +
> +static void
> +rstp_bridge_id_details(struct ds *ds, const rstp_identifier bridge_id,
> +   const uint16_t hello_time, const uint16_t max_age,
> +   const uint16_t forward_delay)
> +OVS_REQUIRES(rstp_mutex)
> +{
> +uint16_t priority = bridge_id >> 48;
> +ds_put_format(ds, "\tstp-priority\t%"PRIu16"\n", priority);
> +
> +struct eth_addr mac;
> +const uint64_t mac_bits = (UINT64_C(1) << 48) - 1;
> +eth_addr_from_uint64(bridge_id & mac_bits, );
> +ds_put_format(ds, "\tstp-system-id\t"ETH_ADDR_FMT"\n", 
> ETH_ADDR_ARGS(mac));
> +ds_put_format(ds, "\tstp-hello-time\t%"PRIu16"s\n", hello_time);
> +ds_put_format(ds, "\tstp-max-age\t%"PRIu16"s\n", max_age);
> +ds_put_format(ds, "\tstp-fwd-delay\t%"PRIu16"s\n", forward_delay);
> +}
> +
> +static void
> +rstp_print_details(struct ds *ds, const struct rstp *rstp)
> +OVS_REQUIRES(rstp_mutex)
> +{
> +ds_put_format(ds, " %s \n", rstp->name);
> +ds_put_cstr(ds, "Root ID:\n");
> +
> +bool is_root = rstp_is_root_bridge(rstp);
> +struct rstp_port *p = rstp_get_root_port(rstp);
> +
> +rstp_identifier bridge_id =
> +is_root ? rstp->bridge_identifier : rstp_get_root_id(rstp);
> +uint16_t hello_time =
> +is_root ? rstp->bridge_hello_time : p->designated_times.hello_time;
> +uint16_t max_age =
> +is_root ? rstp->bridge_max_age : p->designated_times.max_age;
> +uint16_t forward_delay =
> +is_root ? rstp->bridge_forward_delay : 
> p->designated_times.forward_delay;
> +
> +rstp_bridge_id_details(ds, bridge_id, hello_time, max_age, 
> forward_delay);
> +if (is_root) {
> +ds_put_cstr(ds, "\tThis bridge is the root\n");
> +} else {
> +ds_put_format(ds, "\troot-port\t%s\n", p->port_name);
> +ds_put_format(ds, "\troot-path-cost\t%u\n",
> +  rstp_get_root_path_cost(rstp));
> +}
> +ds_put_cstr(ds, "\n");
> +
> +ds_put_cstr(ds, "Bridge ID:\n");
> +rstp_bridge_id_details(ds, rstp->bridge_identifier,
> +   rstp->bridge_hello_time,
> +  
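
Review bot: rstp_print_details() is annotated OVS_REQUIRES(rstp_mutex) yet calls rstp_get_root_port(), which the earlier hunk of this same patch shows as OVS_EXCLUDED(rstp_mutex), so the function takes the lock again while it is already held and the two annotations contradict each other. The context comment above rstp_get_root_port() ends with "there is no such port", which suggests the result can be NULL, but every '!is_root' arm here dereferences p->designated_times and p->port_name without a check. Look the root port up with a helper that expects the lock to be held, and handle a missing root port before formatting the output.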

Re: [ovs-dev] [PATCH 5/6] rstp: Add rstp port name for human reading.

2017-04-20 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Mar 31, 2017, at 8:11 PM, nickcooper-zhangtonghao <n...@opencloud.tech> 
> wrote:
> 
> This patch is useful to debug rstp subsystem and log the
> port name instead of port number. This patch will also
> be used to display rstp info for next patches.
> 
> Signed-off-by: nickcooper-zhangtonghao <n...@opencloud.tech>
> ---
> lib/rstp-common.h  |  1 +
> lib/rstp.c | 14 +-
> lib/rstp.h |  3 ++-
> ofproto/ofproto-dpif.c |  2 +-
> 4 files changed, 17 insertions(+), 3 deletions(-)
> 
> diff --git a/lib/rstp-common.h b/lib/rstp-common.h
> index 27e8079..c108232 100644
> --- a/lib/rstp-common.h
> +++ b/lib/rstp-common.h
> @@ -262,6 +262,7 @@ struct rstp_port {
> struct rstp *rstp OVS_GUARDED_BY(rstp_mutex);
> struct hmap_node node OVS_GUARDED_BY(rstp_mutex); /* In rstp->ports. */
> void *aux OVS_GUARDED_BY(rstp_mutex);
> +char *port_name;
> struct rstp_bpdu received_bpdu_buffer OVS_GUARDED_BY(rstp_mutex);
> /*
>  * MAC status parameters
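
Review bot: 'char *port_name;' is the only member in this context without OVS_GUARDED_BY(rstp_mutex), although the setter added later in this patch is OVS_REQUIRES(rstp_mutex) and the free() in rstp_port_unref() runs after the mutex is taken. Add the annotation so the thread-safety analysis also covers readers of the name.
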
> diff --git a/lib/rstp.c b/lib/rstp.c
> index 6f1c1e3..b942f6e 100644
> --- a/lib/rstp.c
> +++ b/lib/rstp.c
> @@ -760,6 +760,14 @@ rstp_port_set_port_number__(struct rstp_port *port, 
> uint16_t port_number)
> }
> }
> 
> +static void
> +rstp_port_set_port_name__(struct rstp_port *port, const char *name)
> +OVS_REQUIRES(rstp_mutex)
> +{
> +free(port->port_name);
> +port->port_name = xstrdup(name);
> +}
> +
> /* Converts the link speed to a port path cost [Table 17-3]. */
> uint32_t
> rstp_convert_speed_to_cost(unsigned int speed)
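
Review bot: rstp_port_set_port_name__() passes 'name' straight to xstrdup() with no NULL check, and the new 'const char *name' parameter of rstp_port_set() is not documented as required. Either state in the function comment that the name must be non-NULL, or handle NULL here by leaving port_name as NULL after the free().
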
> @@ -1173,6 +1181,7 @@ rstp_add_port(struct rstp *rstp)
> rstp_port_set_priority__(p, RSTP_DEFAULT_PORT_PRIORITY);
> rstp_port_set_port_number__(p, 0);
> p->aux = NULL;
> +p->port_name = NULL;
> rstp_initialize_port_defaults__(p);
> VLOG_DBG("%s: RSTP port "RSTP_PORT_ID_FMT" initialized.", rstp->name,
>  p->port_id);
> @@ -1210,6 +1219,7 @@ rstp_port_unref(struct rstp_port *rp)
> ovs_mutex_lock(_mutex);
> rstp = rp->rstp;
> rstp_port_set_state__(rp, RSTP_DISABLED);
> +free(rp->port_name);
> hmap_remove(>ports, >node);
> VLOG_DBG("%s: removed port "RSTP_PORT_ID_FMT"", rstp->name,
>  rp->port_id);
> @@ -1448,13 +1458,15 @@ void
> rstp_port_set(struct rstp_port *port, uint16_t port_num, int priority,
>   uint32_t path_cost, bool is_admin_edge, bool is_auto_edge,
>   enum rstp_admin_point_to_point_mac_state admin_p2p_mac_state,
> -  bool admin_port_state, bool do_mcheck, void *aux)
> +  bool admin_port_state, bool do_mcheck, void *aux,
> +  const char *name)
> OVS_EXCLUDED(rstp_mutex)
> {
> ovs_mutex_lock(_mutex);
> port->aux = aux;
> rstp_port_set_priority__(port, priority);
> rstp_port_set_port_number__(port, port_num);
> +rstp_port_set_port_name__(port, name);
> rstp_port_set_path_cost__(port, path_cost);
> rstp_port_set_admin_edge__(port, is_admin_edge);
> rstp_port_set_auto_edge__(port, is_auto_edge);
> diff --git a/lib/rstp.h b/lib/rstp.h
> index 78e07fb..fa67e3c 100644
> --- a/lib/rstp.h
> +++ b/lib/rstp.h
> @@ -221,7 +221,8 @@ uint32_t rstp_convert_speed_to_cost(unsigned int speed);
> void rstp_port_set(struct rstp_port *, uint16_t port_num, int priority,
>uint32_t path_cost, bool is_admin_edge, bool is_auto_edge,
>enum rstp_admin_point_to_point_mac_state 
> admin_p2p_mac_state,
> -   bool admin_port_state, bool do_mcheck, void *aux)
> +   bool admin_port_state, bool do_mcheck, void *aux,
> +   const char *name)
> OVS_EXCLUDED(rstp_mutex);
> 
> enum rstp_state rstp_port_get_state(const struct rstp_port *)
> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
> index f015131..d41d90f 100644
> --- a/ofproto/ofproto-dpif.c
> +++ b/ofproto/ofproto-dpif.c
> @@ -2675,7 +2675,7 @@ set_rstp_port(struct ofport *ofport_,
> rstp_port_set(rp, s->port_num, s->priority, s->path_cost,
>   s->admin_edge_port, s->auto_edge,
>   s->admin_p2p_mac_state, s->admin_port_state, s->mcheck,
> -  ofport);
> +  ofport, netdev_get_name(ofport->up.netdev));
> update_rstp_port_state(ofport);
> /* Synchronize operational status. */
> rstp_port_set_mac_operational(rp, ofport->may_enable);
> -- 
> 1.8.3.1
> 
> 
> 


Re: [ovs-dev] [PATCH 4/6] rstp: Init a recursive mutex for rstp.

2017-04-20 Thread Jarno Rajahalme

> On Mar 31, 2017, at 8:11 PM, nickcooper-zhangtonghao  
> wrote:
> 
> This patch will be used for next patch.

I don’t see exactly what in the following patch(es) needs this. Could you 
elaborate?

> 
> Signed-off-by: nickcooper-zhangtonghao 
> ---
> lib/rstp.c | 15 ---
> lib/rstp.h |  6 --
> 2 files changed, 12 insertions(+), 9 deletions(-)
> 
> diff --git a/lib/rstp.c b/lib/rstp.c
> index 907a907..6f1c1e3 100644
> --- a/lib/rstp.c
> +++ b/lib/rstp.c
> @@ -50,7 +50,7 @@
> 
> VLOG_DEFINE_THIS_MODULE(rstp);
> 
> -struct ovs_mutex rstp_mutex = OVS_MUTEX_INITIALIZER;
> +static struct ovs_mutex rstp_mutex;
> 
> static struct ovs_list all_rstps__ = OVS_LIST_INITIALIZER(_rstps__);
> static struct ovs_list *const all_rstps OVS_GUARDED_BY(rstp_mutex) = 
> _rstps__;
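
Review bot: Replacing OVS_MUTEX_INITIALIZER with a bare 'static struct ovs_mutex rstp_mutex;' leaves the mutex uninitialized until rstp_init() has run ovs_mutex_init_recursive(), so every function that locks it now depends on initialization order. The commit message should name the call path that re-enters the lock and so needs a recursive mutex, since the hunk itself gives no reason.
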
> @@ -239,8 +239,15 @@ void
> rstp_init(void)
> OVS_EXCLUDED(rstp_mutex)
> {
> -unixctl_command_register("rstp/tcn", "[bridge]", 0, 1, rstp_unixctl_tcn,
> - NULL);
> +static struct ovsthread_once once = OVSTHREAD_ONCE_INITIALIZER;
> +
> +if (ovsthread_once_start()) {
> +ovs_mutex_init_recursive(_mutex);
> +
> +unixctl_command_register("rstp/tcn", "[bridge]", 0, 1, 
> rstp_unixctl_tcn,
> + NULL);
> +ovsthread_once_done();
> +}
> }
> 
> /* Creates and returns a new RSTP instance that initially has no ports. */
> @@ -255,6 +262,8 @@ rstp_create(const char *name, rstp_identifier 
> bridge_address,
> 
> VLOG_DBG("Creating RSTP instance");
> 
> +rstp_init();
> +

rstp_init() is already called earlier from the bridge_init(), so I see little 
point calling it from here. Not having multiple call sites would also remove 
the need for most of the changes above.

> rstp = xzalloc(sizeof *rstp);
> rstp->name = xstrdup(name);
> 
> diff --git a/lib/rstp.h b/lib/rstp.h
> index 4942d59..78e07fb 100644
> --- a/lib/rstp.h
> +++ b/lib/rstp.h
> @@ -36,12 +36,6 @@
> #include "compiler.h"
> #include "util.h"
> 
> -/* Thread Safety: Callers passing in RSTP and RSTP port object
> - * pointers must hold a reference to the passed object to ensure that
> - * the object does not become stale while it is being accessed. */
> -
> -extern struct ovs_mutex rstp_mutex;
> -

This change, if needed, should be in a separate patch with its own commit 
message.

  Jarno

> #define RSTP_MAX_PORTS 4095
> 
> struct dp_packet;
> -- 
> 1.8.3.1
> 
> 
> 


Re: [ovs-dev] [PATCH 3/6] stp: Add link-state checking support for stp ports.

2017-04-20 Thread Jarno Rajahalme

> On Mar 31, 2017, at 8:11 PM, nickcooper-zhangtonghao  
> wrote:
> 
> When bridge stp is enabled, we enable the stp ports even though the
> ports are down. When initializing, this patch checks the
> link-state of ports and enables or disables them according
> to their link-state. This patch also allows the user to enable
> and disable a port when bridge stp is running.
> 

This describes what the patch does but gives little help for understanding why 
this change is needed. STP would notice that the link is down as it is not able 
to exchange BPDUs over that link. Also, a link that is in STP_DISABLED state 
forwards all traffic, so that when the link comes up, but before stp_run() 
manages to enable STP there would be a loop in the network. To prevent this it 
seems to me that we should leave STP enabled also when the link goes down, so 
that STP would have the chance to initially block the port when it comes back up.

  Jarno

> Signed-off-by: nickcooper-zhangtonghao 
> ---
> ofproto/ofproto-dpif.c | 41 +++-
> tests/stp.at   | 73 ++
> 2 files changed, 113 insertions(+), 1 deletion(-)
> 
> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
> index 4beacda..f015131 100644
> --- a/ofproto/ofproto-dpif.c
> +++ b/ofproto/ofproto-dpif.c
> @@ -2488,6 +2488,37 @@ update_stp_port_state(struct ofport_dpif *ofport)
> }
> }
> 
> +static void
> +stp_check_and_update_link_state(struct ofproto_dpif *ofproto)
> +{
> +struct ofport *ofport_;
> +struct ofport_dpif *ofport;
> +bool up;
> +
> +HMAP_FOR_EACH (ofport_, hmap_node, >up.ports) {
> +ofport = ofport_dpif_cast(ofport_);
> +up = netdev_get_carrier(ofport_->netdev);
> +
> +if (ofport->stp_port &&
> +up != (stp_port_get_state(ofport->stp_port) != STP_DISABLED)) {
> +
> +VLOG_DBG("bridge: %s, port: %s is %s, %s it", ofproto->up.name,
> + netdev_get_name(ofport->up.netdev),
> + up ? "up" : "down",
> + up ? "enabling" : "disabling");
> +
> +if (up) {
> +stp_port_enable(ofport->stp_port);
> +stp_port_set_aux(ofport->stp_port, ofport);
> +} else {
> +stp_port_disable(ofport->stp_port);
> +}
> +
> +update_stp_port_state(ofport);
> +}
> +}
> +}
> +
> /* Configures STP on 'ofport_' using the settings defined in 's'.  The
>  * caller is responsible for assigning STP port numbers and ensuring
>  * there are no duplicates. */
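
Review bot: The test 'up != (stp_port_get_state(ofport->stp_port) != STP_DISABLED)' in stp_check_and_update_link_state() treats STP_DISABLED as meaning only "carrier is down", so a port that is in STP_DISABLED for any other reason is re-enabled on the next pass as soon as its carrier is up. Track the last seen carrier state per port and act only on a change of that state, rather than inferring it from the STP state. The debug message "port: %s is %s, %s it" would also read better with the action spelled out as a full phrase.
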
> @@ -2518,7 +2549,12 @@ set_stp_port(struct ofport *ofport_,
> /* Set name before enabling the port so that debugging messages can print
>  * the name. */
> stp_port_set_name(sp, netdev_get_name(ofport->up.netdev));
> -stp_port_enable(sp);
> +
> +if (netdev_get_carrier(ofport_->netdev)) {
> +stp_port_enable(sp);
> +} else {
> +stp_port_disable(sp);
> +}
> 
> stp_port_set_aux(sp, ofport);
> stp_port_set_priority(sp, s->priority);
> @@ -2580,6 +2616,9 @@ stp_run(struct ofproto_dpif *ofproto)
> stp_tick(ofproto->stp, MIN(INT_MAX, elapsed));
> ofproto->stp_last_tick = now;
> }
> +
> +stp_check_and_update_link_state(ofproto);
> +
> while (stp_get_changed_port(ofproto->stp, )) {
> struct ofport_dpif *ofport = stp_port_get_aux(sp);
> 
> diff --git a/tests/stp.at b/tests/stp.at
> index 98632a8..de8f971 100644
> --- a/tests/stp.at
> +++ b/tests/stp.at
> @@ -420,6 +420,8 @@ AT_CHECK([ovs-vsctl add-port br1 p8 -- \
>set port p8 other_config:stp-enable=false -- \
> ])
> 
> +ovs-appctl netdev-dummy/set-admin-state up
> +
> ovs-appctl time/stop
> 
> AT_CHECK([ovs-ofctl add-flow br0 "in_port=7 icmp actions=1"])
> @@ -519,6 +521,7 @@ AT_CHECK([
> set interface p6 type=dummy options:pstream=punix:$OVS_RUNDIR/p6.sock 
> ofport_request=6
> ], [0])
> 
> +ovs-appctl netdev-dummy/set-admin-state up
> 
> ovs-appctl time/stop
> 
> @@ -633,6 +636,8 @@ AT_CHECK([
> set interface p2 type=dummy ofport_request=2
> ], [0])
> 
> +ovs-appctl netdev-dummy/set-admin-state up
> +
> ovs-appctl time/stop
> 
> # give time for STP to move initially
> @@ -653,6 +658,8 @@ AT_CHECK([
> set interface p3 type=dummy ofport_request=3
> ], [0])
> 
> +ovs-appctl netdev-dummy/set-admin-state p3 up
> +
> # The new stp port should be a listening state and other
> # stp ports keep forwarding.
> AT_CHECK([ovs-appctl stp/show br0 | grep p1], [0], [dnl
> @@ -676,5 +683,71 @@ AT_CHECK([ovs-appctl stp/show br0 | grep p3], [0], [dnl
>   p3 designated listening  19128.3
> ])
> 
> +AT_CLEANUP
> +
> +AT_SETUP([STP - check link-state when stp is running])
> +OVS_VSWITCHD_START([])
> +
> +AT_CHECK([
> +ovs-vsctl -- \
> +set port br0 other_config:stp-enable=false -- \
> +set bridge br0 datapath-type=dummy 

Re: [ovs-dev] [PATCH 1/6] rstp/stp: Unref the rstp/stp when bridges destroyed.

2017-04-20 Thread Jarno Rajahalme
Looks correct to me.

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Mar 31, 2017, at 8:11 PM, nickcooper-zhangtonghao <n...@opencloud.tech> 
> wrote:
> 
> When bridges that have stp enabled are destroyed, you can
> still get stp info via the command 'ovs-appctl stp/show'.
> The rstp is also in the same case. We should unref
> them. The rstp/stp ports have been unregistered via
> the 'ofproto_port_unregister' function when ports are destroyed.
> We will unref the rstp/stp struct in the 'destruct' of
> the ofproto-dpif provider.
> 
> Signed-off-by: nickcooper-zhangtonghao <n...@opencloud.tech>
> ---
> ofproto/ofproto-dpif.c | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
> index 523adad..4beacda 100644
> --- a/ofproto/ofproto-dpif.c
> +++ b/ofproto/ofproto-dpif.c
> @@ -1494,6 +1494,8 @@ destruct(struct ofproto *ofproto_)
> hmap_destroy(>bundles);
> mac_learning_unref(ofproto->ml);
> mcast_snooping_unref(ofproto->ms);
> +stp_unref(ofproto->stp);
> +rstp_unref(ofproto->rstp);
> 
> sset_destroy(>ports);
> sset_destroy(>ghost_ports);
> -- 
> 1.8.3.1
> 
> 
> 
> 


[ovs-dev] [PATCH] datapath-windows: Add missing IPCT_LABEL.

2017-04-19 Thread Jarno Rajahalme
Add the missing enum definition for IPCT_LABEL.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 datapath-windows/include/OvsDpInterfaceCtExt.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/datapath-windows/include/OvsDpInterfaceCtExt.h 
b/datapath-windows/include/OvsDpInterfaceCtExt.h
index 2795edc..3b94778 100644
--- a/datapath-windows/include/OvsDpInterfaceCtExt.h
+++ b/datapath-windows/include/OvsDpInterfaceCtExt.h
@@ -132,6 +132,7 @@ enum ip_conntrack_events {
 IPCT_MARK,
 IPCT_NATSEQADJ,
 IPCT_SECMARK,
+IPCT_LABEL,
 };
 
 enum ip_conntrack_expect_events {
-- 
2.1.4



[ovs-dev] [PATCH v2 2/2] datapath: pass extended ACK struct to parsing functions

2017-04-19 Thread Jarno Rajahalme
From: Johannes Berg <johannes.b...@intel.com>

Upstream commit:

commit fceb6435e85298f747fee938415057af837f5a8a
Author: Johannes Berg <johannes.b...@intel.com>
Date:   Wed Apr 12 14:34:07 2017 +0200

netlink: pass extended ACK struct to parsing functions

Pass the new extended ACK reporting struct to all of the generic
netlink parsing functions. For now, pass NULL in almost all callers
(except for some in the core.)

Signed-off-by: Johannes Berg <johannes.b...@intel.com>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
v2: Call original functions from replacements if available.

 acinclude.m4  |  3 +++
 datapath/datapath.c   |  2 +-
 datapath/flow_netlink.c   |  4 ++--
 datapath/linux/compat/include/net/genetlink.h | 18 +-
 datapath/linux/compat/include/net/netlink.h   | 14 ++
 datapath/vport-vxlan.c|  3 ++-
 6 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/acinclude.m4 b/acinclude.m4
index 6a2b9f1..9f8e30d 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -663,6 +663,9 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/net/netlink.h], [nla_is_last])
   OVS_GREP_IFELSE([$KSRC/include/linux/netlink.h], [void.*netlink_set_err],
   [OVS_DEFINE([HAVE_VOID_NETLINK_SET_ERR])])
+  OVS_FIND_PARAM_IFELSE([$KSRC/include/net/netlink.h],
+[nla_parse], [netlink_ext_ack],
+[OVS_DEFINE([HAVE_NETLINK_EXT_ACK])])
 
   OVS_GREP_IFELSE([$KSRC/include/net/sctp/checksum.h], [sctp_compute_cksum])
 
diff --git a/datapath/datapath.c b/datapath/datapath.c
index 8cf0381..c85029c 100644
--- a/datapath/datapath.c
+++ b/datapath/datapath.c
@@ -1365,7 +1365,7 @@ static int ovs_flow_cmd_dump(struct sk_buff *skb, struct 
netlink_callback *cb)
int err;
 
err = genlmsg_parse(cb->nlh, _flow_genl_family, a,
-   OVS_FLOW_ATTR_MAX, flow_policy);
+   OVS_FLOW_ATTR_MAX, flow_policy, NULL);
if (err)
return err;
ufid_flags = ovs_nla_get_ufid_flags(a[OVS_FLOW_ATTR_UFID_FLAGS]);
diff --git a/datapath/flow_netlink.c b/datapath/flow_netlink.c
index 0762f6c..07ab8e9 100644
--- a/datapath/flow_netlink.c
+++ b/datapath/flow_netlink.c
@@ -2431,8 +2431,8 @@ static int validate_userspace(const struct nlattr *attr)
struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1];
int error;
 
-   error = nla_parse_nested(a, OVS_USERSPACE_ATTR_MAX,
-attr, userspace_policy);
+   error = nla_parse_nested(a, OVS_USERSPACE_ATTR_MAX, attr,
+userspace_policy, NULL);
if (error)
return error;
 
diff --git a/datapath/linux/compat/include/net/genetlink.h 
b/datapath/linux/compat/include/net/genetlink.h
index 4b42cf7..b05eae5 100644
--- a/datapath/linux/compat/include/net/genetlink.h
+++ b/datapath/linux/compat/include/net/genetlink.h
@@ -125,15 +125,23 @@ static inline int rpl_genl_has_listeners(struct 
genl_family *family,
 
 #endif /* HAVE_GENL_HAS_LISTENERS */
 
-#ifndef HAVE_GENLMSG_PARSE
-static inline int genlmsg_parse(const struct nlmsghdr *nlh,
-   const struct genl_family *family,
-   struct nlattr *tb[], int maxtype,
-   const struct nla_policy *policy)
+#ifndef HAVE_NETLINK_EXT_ACK
+struct netlink_ext_ack;
+
+static inline int rpl_genlmsg_parse(const struct nlmsghdr *nlh,
+   const struct genl_family *family,
+   struct nlattr *tb[], int maxtype,
+   const struct nla_policy *policy,
+   struct netlink_ext_ack *extack)
 {
+#ifdef HAVE_GENLMSG_PARSE
+   return genlmsg_parse(nlh, family, tb, maxtype, policy);
+#else
return nlmsg_parse(nlh, family->hdrsize + GENL_HDRLEN, tb, maxtype,
   policy);
+#endif
 }
+#define genlmsg_parse rpl_genlmsg_parse
 #endif
 
 #endif /* genetlink.h */
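
Review bot: rpl_genlmsg_parse() accepts 'extack' and silently drops it, and it depends on '#define genlmsg_parse rpl_genlmsg_parse' coming after the function body so that the inner genlmsg_parse(nlh, family, tb, maxtype, policy) call still resolves to the kernel's own function. Neither point is documented; a short comment above the wrapper stating both would keep someone from moving the #define above the function or expecting extended ACK reporting on kernels without HAVE_NETLINK_EXT_ACK.
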
diff --git a/datapath/linux/compat/include/net/netlink.h 
b/datapath/linux/compat/include/net/netlink.h
index 082afac..4325b9b 100644
--- a/datapath/linux/compat/include/net/netlink.h
+++ b/datapath/linux/compat/include/net/netlink.h
@@ -157,4 +157,18 @@ static inline int nla_put_be64(struct sk_buff *skb, int 
attrtype, __be64 value,
 }
 
 #endif
+
+#ifndef HAVE_NETLINK_EXT_ACK
+struct netlink_ext_ack;
+
+static inline int rpl_nla_parse_nested(struct nlattr *tb[], int maxtype,
+  const struct nlattr *nla,
+  const struct nla_policy *policy,
+  struct netlink_ext_ack *extack)
+{
+   return nla_p

[ovs-dev] [PATCH v2 1/2] datapath: Fix refcount leak on force commit.

2017-04-19 Thread Jarno Rajahalme
Upstream commit:

commit b768b16de58d5e0b1d7c3f936825b25327ced20c
Author: Jarno Rajahalme <ja...@ovn.org>
Date:   Tue Mar 28 11:25:26 2017 -0700

openvswitch: Fix refcount leak on force commit.

The reference count held for skb needs to be released when the skb's
nfct pointer is cleared regardless of if nf_ct_delete() is called or
not.

Failing to release the skb's reference count led to deferred conntrack
cleanup spinning forever within nf_conntrack_cleanup_net_list() when
cleaning up a network namespace:

   kworker/u16:0-19025 [004] 45981067.173642: sched_switch: 
kworker/u16:0:19025 [120] R ==> rcu_preempt:7 [120]
   kworker/u16:0-19025 [004] 45981067.173651: kernel_stack: 
=> ___preempt_schedule (a001ed36)
=> _raw_spin_unlock_bh (a0713290)
=> nf_ct_iterate_cleanup (c00a4454)
=> nf_conntrack_cleanup_net_list (c00a5e1e)
=> nf_conntrack_pernet_exit (c00a63dd)
=> ops_exit_list.isra.1 (a06075f3)
=> cleanup_net (a0607df0)
=> process_one_work (a0084c31)
=> worker_thread (a008592b)
=> kthread (a008bee2)
=> ret_from_fork (a071b67c)

Fixes: dd41d33f0b03 ("openvswitch: Add force commit.")
Reported-by: Yang Song <yangs...@vmware.com>
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
    Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
v2: No change.

datapath/conntrack.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 109b297..4c42a48 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -677,8 +677,8 @@ static bool skb_nfct_cached(struct net *net,
 */
if (nf_ct_is_confirmed(ct))
nf_ct_delete(ct, 0, 0);
-   else
-   nf_conntrack_put(>ct_general);
+
+   nf_conntrack_put(>ct_general);
nf_ct_set(skb, NULL, 0);
return false;
}
-- 
2.1.4



Re: [ovs-dev] [PATCH 3/3] datapath: pass extended ACK struct to parsing functions

2017-04-19 Thread Jarno Rajahalme

> On Apr 19, 2017, at 3:50 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 19 April 2017 at 14:35, Jarno Rajahalme <ja...@ovn.org> wrote:
>> From: Johannes Berg <johannes.b...@intel.com>
>> 
>> Upstream commit:
>> 
>>commit fceb6435e85298f747fee938415057af837f5a8a
>>Author: Johannes Berg <johannes.b...@intel.com>
>>Date:   Wed Apr 12 14:34:07 2017 +0200
>> 
>>netlink: pass extended ACK struct to parsing functions
>> 
>>Pass the new extended ACK reporting struct to all of the generic
>>netlink parsing functions. For now, pass NULL in almost all callers
>>(except for some in the core.)
>> 
>>Signed-off-by: Johannes Berg <johannes.b...@intel.com>
>>Signed-off-by: David S. Miller <da...@davemloft.net>
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
>> acinclude.m4  |  3 +++
>> datapath/datapath.c   |  2 +-
>> datapath/flow_netlink.c   |  4 ++--
>> datapath/linux/compat/include/net/genetlink.h | 14 +-
>> datapath/linux/compat/include/net/netlink.h   | 14 ++
>> datapath/vport-vxlan.c|  3 ++-
>> 6 files changed, 31 insertions(+), 9 deletions(-)
>> 
>> diff --git a/acinclude.m4 b/acinclude.m4
>> index 6a2b9f1..9f8e30d 100644
>> --- a/acinclude.m4
>> +++ b/acinclude.m4
>> @@ -663,6 +663,9 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
>>   OVS_GREP_IFELSE([$KSRC/include/net/netlink.h], [nla_is_last])
>>   OVS_GREP_IFELSE([$KSRC/include/linux/netlink.h], [void.*netlink_set_err],
>>   [OVS_DEFINE([HAVE_VOID_NETLINK_SET_ERR])])
>> +  OVS_FIND_PARAM_IFELSE([$KSRC/include/net/netlink.h],
>> +[nla_parse], [netlink_ext_ack],
>> +[OVS_DEFINE([HAVE_NETLINK_EXT_ACK])])
>> 
>>   OVS_GREP_IFELSE([$KSRC/include/net/sctp/checksum.h], [sctp_compute_cksum])
>> 
>> diff --git a/datapath/datapath.c b/datapath/datapath.c
>> index 8cf0381..c85029c 100644
>> --- a/datapath/datapath.c
>> +++ b/datapath/datapath.c
>> @@ -1365,7 +1365,7 @@ static int ovs_flow_cmd_dump(struct sk_buff *skb, 
>> struct netlink_callback *cb)
>>int err;
>> 
>>err = genlmsg_parse(cb->nlh, _flow_genl_family, a,
>> -   OVS_FLOW_ATTR_MAX, flow_policy);
>> +   OVS_FLOW_ATTR_MAX, flow_policy, NULL);
>>if (err)
>>return err;
>>ufid_flags = ovs_nla_get_ufid_flags(a[OVS_FLOW_ATTR_UFID_FLAGS]);
>> diff --git a/datapath/flow_netlink.c b/datapath/flow_netlink.c
>> index 0762f6c..07ab8e9 100644
>> --- a/datapath/flow_netlink.c
>> +++ b/datapath/flow_netlink.c
>> @@ -2431,8 +2431,8 @@ static int validate_userspace(const struct nlattr 
>> *attr)
>>struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1];
>>int error;
>> 
>> -   error = nla_parse_nested(a, OVS_USERSPACE_ATTR_MAX,
>> -attr, userspace_policy);
>> +   error = nla_parse_nested(a, OVS_USERSPACE_ATTR_MAX, attr,
>> +userspace_policy, NULL);
>>if (error)
>>return error;
>> 
>> diff --git a/datapath/linux/compat/include/net/genetlink.h 
>> b/datapath/linux/compat/include/net/genetlink.h
>> index 4b42cf7..f35bc02 100644
>> --- a/datapath/linux/compat/include/net/genetlink.h
>> +++ b/datapath/linux/compat/include/net/genetlink.h
>> @@ -125,15 +125,19 @@ static inline int rpl_genl_has_listeners(struct 
>> genl_family *family,
>> 
>> #endif /* HAVE_GENL_HAS_LISTENERS */
>> 
>> -#ifndef HAVE_GENLMSG_PARSE
>> -static inline int genlmsg_parse(const struct nlmsghdr *nlh,
>> -   const struct genl_family *family,
>> -   struct nlattr *tb[], int maxtype,
>> -   const struct nla_policy *policy)
>> +#ifndef HAVE_NETLINK_EXT_ACK
>> +struct netlink_ext_ack;
>> +
>> +static inline int rpl_genlmsg_parse(const struct nlmsghdr *nlh,
>> +   const struct genl_family *family,
>> +   struct nlattr *tb[], int maxtype,
>> +   const struct nla_policy *policy,
>> +   struct netlink_ext_ack *extack)
>> {
>>return nlmsg_parse(nlh, family->hdrsize + GE

Re: [ovs-dev] [PATCH 2/3] datapath: Fix ovs_flow_key_update()

2017-04-19 Thread Jarno Rajahalme

> On Apr 19, 2017, at 3:13 PM, Yi-Hung Wei <yihung@gmail.com> wrote:
> 
> Acked-by: Yi-Hung Wei <yihung@gmail.com>
> 
> Actually, this patch has been backported in the MPLS GSO fix series as
> in here: https://patchwork.ozlabs.org/patch/746674/
> 

OK, will drop this then, thanks!

  Jarno

> -Yi-Hung
> 
> On Wed, Apr 19, 2017 at 2:35 PM, Jarno Rajahalme <ja...@ovn.org> wrote:
>> From: Yi-Hung Wei <yihung@gmail.com>
>> 
>> Upstream commit:
>> 
>>commit 6f56f6186c18e3fd54122b73da68e870687b8c59
>>Author: Yi-Hung Wei <yihung@gmail.com>
>>Date:   Thu Mar 30 12:36:03 2017 -0700
>> 
>>openvswitch: Fix ovs_flow_key_update()
>> 
>>ovs_flow_key_update() is called when the flow key is invalid, and it is
>>used to update and revalidate the flow key. Commit 329f45bc4f19
>>("openvswitch: add mac_proto field to the flow key") introduces mac_proto
>>field to flow key and use it to determine whether the flow key is valid.
>>However, the commit does not update the code path in ovs_flow_key_update()
>>to revalidate the flow key which may cause BUG_ON() on execute_recirc().
>>This patch addresses the aforementioned issue.
>> 
>>Fixes: 329f45bc4f19 ("openvswitch: add mac_proto field to the flow key")
>>Signed-off-by: Yi-Hung Wei <yihung@gmail.com>
>>Acked-by: Jiri Benc <jb...@redhat.com>
>>Signed-off-by: David S. Miller <da...@davemloft.net>
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
>> datapath/flow.c | 10 --
>> 1 file changed, 8 insertions(+), 2 deletions(-)
>> 
>> diff --git a/datapath/flow.c b/datapath/flow.c
>> index 2bc1ad0..39cac25 100644
>> --- a/datapath/flow.c
>> +++ b/datapath/flow.c
>> @@ -531,7 +531,7 @@ static int key_extract(struct sk_buff *skb, struct 
>> sw_flow_key *key)
>> 
>>/* Link layer. */
>>clear_vlan(key);
>> -   if (key->mac_proto == MAC_PROTO_NONE) {
>> +   if (ovs_key_mac_proto(key) == MAC_PROTO_NONE) {
>>if (unlikely(eth_type_vlan(skb->protocol)))
>>return -EINVAL;
>> 
>> @@ -756,7 +756,13 @@ static int key_extract(struct sk_buff *skb, struct 
>> sw_flow_key *key)
>> 
>> int ovs_flow_key_update(struct sk_buff *skb, struct sw_flow_key *key)
>> {
>> -   return key_extract(skb, key);
>> +   int res;
>> +
>> +   res = key_extract(skb, key);
>> +   if (!res)
>> +   key->mac_proto &= ~SW_FLOW_KEY_INVALID;
>> +
>> +   return res;
>> }
>> 
>> static int key_extract_mac_proto(struct sk_buff *skb)
>> --
>> 2.1.4
>> 

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


[ovs-dev] [PATCH 3/3] datapath: pass extended ACK struct to parsing functions

2017-04-19 Thread Jarno Rajahalme
From: Johannes Berg <johannes.b...@intel.com>

Upstream commit:

commit fceb6435e85298f747fee938415057af837f5a8a
Author: Johannes Berg <johannes.b...@intel.com>
Date:   Wed Apr 12 14:34:07 2017 +0200

netlink: pass extended ACK struct to parsing functions

Pass the new extended ACK reporting struct to all of the generic
netlink parsing functions. For now, pass NULL in almost all callers
(except for some in the core.)

Signed-off-by: Johannes Berg <johannes.b...@intel.com>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 acinclude.m4  |  3 +++
 datapath/datapath.c   |  2 +-
 datapath/flow_netlink.c   |  4 ++--
 datapath/linux/compat/include/net/genetlink.h | 14 +-
 datapath/linux/compat/include/net/netlink.h   | 14 ++
 datapath/vport-vxlan.c|  3 ++-
 6 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/acinclude.m4 b/acinclude.m4
index 6a2b9f1..9f8e30d 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -663,6 +663,9 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/net/netlink.h], [nla_is_last])
   OVS_GREP_IFELSE([$KSRC/include/linux/netlink.h], [void.*netlink_set_err],
   [OVS_DEFINE([HAVE_VOID_NETLINK_SET_ERR])])
+  OVS_FIND_PARAM_IFELSE([$KSRC/include/net/netlink.h],
+[nla_parse], [netlink_ext_ack],
+[OVS_DEFINE([HAVE_NETLINK_EXT_ACK])])
 
   OVS_GREP_IFELSE([$KSRC/include/net/sctp/checksum.h], [sctp_compute_cksum])
 
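Review bot: the new OVS_FIND_PARAM_IFELSE probe looks only at nla_parse in include/net/netlink.h, yet HAVE_NETLINK_EXT_ACK goes on to gate the compat wrappers for genlmsg_parse and nla_parse_nested in this same patch. That holds as long as the kernel gained the extack parameter on all of these functions in one commit, as the quoted upstream message says; a one-line comment next to the probe stating that assumption would help whoever revisits this check for a kernel that carries only part of that change.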
diff --git a/datapath/datapath.c b/datapath/datapath.c
index 8cf0381..c85029c 100644
--- a/datapath/datapath.c
+++ b/datapath/datapath.c
@@ -1365,7 +1365,7 @@ static int ovs_flow_cmd_dump(struct sk_buff *skb, struct 
netlink_callback *cb)
int err;
 
err = genlmsg_parse(cb->nlh, _flow_genl_family, a,
-   OVS_FLOW_ATTR_MAX, flow_policy);
+   OVS_FLOW_ATTR_MAX, flow_policy, NULL);
if (err)
return err;
ufid_flags = ovs_nla_get_ufid_flags(a[OVS_FLOW_ATTR_UFID_FLAGS]);
diff --git a/datapath/flow_netlink.c b/datapath/flow_netlink.c
index 0762f6c..07ab8e9 100644
--- a/datapath/flow_netlink.c
+++ b/datapath/flow_netlink.c
@@ -2431,8 +2431,8 @@ static int validate_userspace(const struct nlattr *attr)
struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1];
int error;
 
-   error = nla_parse_nested(a, OVS_USERSPACE_ATTR_MAX,
-attr, userspace_policy);
+   error = nla_parse_nested(a, OVS_USERSPACE_ATTR_MAX, attr,
+userspace_policy, NULL);
if (error)
return error;
 
diff --git a/datapath/linux/compat/include/net/genetlink.h 
b/datapath/linux/compat/include/net/genetlink.h
index 4b42cf7..f35bc02 100644
--- a/datapath/linux/compat/include/net/genetlink.h
+++ b/datapath/linux/compat/include/net/genetlink.h
@@ -125,15 +125,19 @@ static inline int rpl_genl_has_listeners(struct 
genl_family *family,
 
 #endif /* HAVE_GENL_HAS_LISTENERS */
 
-#ifndef HAVE_GENLMSG_PARSE
-static inline int genlmsg_parse(const struct nlmsghdr *nlh,
-   const struct genl_family *family,
-   struct nlattr *tb[], int maxtype,
-   const struct nla_policy *policy)
+#ifndef HAVE_NETLINK_EXT_ACK
+struct netlink_ext_ack;
+
+static inline int rpl_genlmsg_parse(const struct nlmsghdr *nlh,
+   const struct genl_family *family,
+   struct nlattr *tb[], int maxtype,
+   const struct nla_policy *policy,
+   struct netlink_ext_ack *extack)
 {
return nlmsg_parse(nlh, family->hdrsize + GENL_HDRLEN, tb, maxtype,
   policy);
 }
+#define genlmsg_parse rpl_genlmsg_parse
 #endif
 
 #endif /* genetlink.h */
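Review bot: the guard changes from HAVE_GENLMSG_PARSE to HAVE_NETLINK_EXT_ACK, but the diffstat shows only three added lines in acinclude.m4, so whatever defined HAVE_GENLMSG_PARSE is left behind; if nothing else uses it, drop that check in the same patch. Also, rpl_genlmsg_parse() accepts extack and never touches it; a short comment saying the argument is deliberately ignored on kernels without extended ACK support would make that explicit.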
diff --git a/datapath/linux/compat/include/net/netlink.h 
b/datapath/linux/compat/include/net/netlink.h
index 082afac..b791a3f 100644
--- a/datapath/linux/compat/include/net/netlink.h
+++ b/datapath/linux/compat/include/net/netlink.h
@@ -157,4 +157,18 @@ static inline int nla_put_be64(struct sk_buff *skb, int 
attrtype, __be64 value,
 }
 
 #endif
+
+#ifndef HAVE_NETLINK_EXT_ACK
+struct netlink_ext_ack;
+
+static inline int rpl_nla_parse_nested(struct nlattr *tb[], int maxtype,
+  const struct nlattr *nla,
+  const struct nla_policy *policy,
+  struct netlink_ext_ack *extack)
+{
+   return nla_parse(tb, maxtype, nla_data(nla), nla_len(nla), policy);
+}
+#define nla_parse_nested rpl_nla_parse_nested
+#endif
+
 #endif /* net/netlink.h */
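Review bot: rpl_nla_parse_nested() forwards to the five-argument nla_parse(), so this header only fixes up nla_parse_nested; a direct nla_parse() or nlmsg_parse() call written with the new extack argument would still fail to build where HAVE_NETLINK_EXT_ACK is not defined. If the datapath has no such callers today, say so in a comment here, or add matching rpl_ wrappers. The `struct netlink_ext_ack;` forward declaration is also repeated in genetlink.h; harmless, but worth a note on why both headers need it.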
diff --git a/datapath/vp

[ovs-dev] [PATCH 2/3] datapath: Fix ovs_flow_key_update()

2017-04-19 Thread Jarno Rajahalme
From: Yi-Hung Wei <yihung@gmail.com>

Upstream commit:

commit 6f56f6186c18e3fd54122b73da68e870687b8c59
Author: Yi-Hung Wei <yihung@gmail.com>
Date:   Thu Mar 30 12:36:03 2017 -0700

openvswitch: Fix ovs_flow_key_update()

ovs_flow_key_update() is called when the flow key is invalid, and it is
used to update and revalidate the flow key. Commit 329f45bc4f19
("openvswitch: add mac_proto field to the flow key") introduces mac_proto
field to flow key and use it to determine whether the flow key is valid.
However, the commit does not update the code path in ovs_flow_key_update()
to revalidate the flow key which may cause BUG_ON() on execute_recirc().
This patch addresses the aforementioned issue.

Fixes: 329f45bc4f19 ("openvswitch: add mac_proto field to the flow key")
Signed-off-by: Yi-Hung Wei <yihung@gmail.com>
Acked-by: Jiri Benc <jb...@redhat.com>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 datapath/flow.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/datapath/flow.c b/datapath/flow.c
index 2bc1ad0..39cac25 100644
--- a/datapath/flow.c
+++ b/datapath/flow.c
@@ -531,7 +531,7 @@ static int key_extract(struct sk_buff *skb, struct 
sw_flow_key *key)
 
/* Link layer. */
clear_vlan(key);
-   if (key->mac_proto == MAC_PROTO_NONE) {
+   if (ovs_key_mac_proto(key) == MAC_PROTO_NONE) {
if (unlikely(eth_type_vlan(skb->protocol)))
return -EINVAL;
 
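Review bot: in key_extract() the switch from key->mac_proto to ovs_key_mac_proto(key) is the part of the fix that is easy to miss, and nothing at the call site says why the accessor is needed. The second hunk shows SW_FLOW_KEY_INVALID being stored in key->mac_proto, so a raw comparison with MAC_PROTO_NONE can fail on a key that is being revalidated; a short comment above the test saying that mac_proto may carry the invalid flag here would keep a later cleanup from reverting it.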
@@ -756,7 +756,13 @@ static int key_extract(struct sk_buff *skb, struct 
sw_flow_key *key)
 
 int ovs_flow_key_update(struct sk_buff *skb, struct sw_flow_key *key)
 {
-   return key_extract(skb, key);
+   int res;
+
+   res = key_extract(skb, key);
+   if (!res)
+   key->mac_proto &= ~SW_FLOW_KEY_INVALID;
+
+   return res;
 }
 
 static int key_extract_mac_proto(struct sk_buff *skb)
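Review bot: ovs_flow_key_update() now clears SW_FLOW_KEY_INVALID only when key_extract() returns 0, so on error the key stays marked invalid and the caller has to honour the return value. That is the right behaviour, but it is worth stating in a comment above the function, since the commit message ties a still-invalid key to the BUG_ON() in execute_recirc().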
-- 
2.1.4



[ovs-dev] [PATCH 1/3] datapath: Fix refcount leak on force commit.

2017-04-19 Thread Jarno Rajahalme
Upstream commit:

commit b768b16de58d5e0b1d7c3f936825b25327ced20c
Author: Jarno Rajahalme <ja...@ovn.org>
Date:   Tue Mar 28 11:25:26 2017 -0700

openvswitch: Fix refcount leak on force commit.

The reference count held for skb needs to be released when the skb's
nfct pointer is cleared regardless of if nf_ct_delete() is called or
not.

Failing to release the skb's reference count led to deferred conntrack
cleanup spinning forever within nf_conntrack_cleanup_net_list() when
cleaning up a network namespace:

   kworker/u16:0-19025 [004] 45981067.173642: sched_switch: 
kworker/u16:0:19025 [120] R ==> rcu_preempt:7 [120]
   kworker/u16:0-19025 [004] 45981067.173651: kernel_stack: 
=> ___preempt_schedule (a001ed36)
=> _raw_spin_unlock_bh (a0713290)
=> nf_ct_iterate_cleanup (c00a4454)
=> nf_conntrack_cleanup_net_list (c00a5e1e)
=> nf_conntrack_pernet_exit (c00a63dd)
=> ops_exit_list.isra.1 (a06075f3)
=> cleanup_net (a0607df0)
=> process_one_work (a0084c31)
=> worker_thread (a008592b)
=> kthread (a008bee2)
=> ret_from_fork (a071b67c)

Fixes: dd41d33f0b03 ("openvswitch: Add force commit.")
Reported-by: Yang Song <yangs...@vmware.com>
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
    Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 datapath/conntrack.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 109b297..4c42a48 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -677,8 +677,8 @@ static bool skb_nfct_cached(struct net *net,
 */
if (nf_ct_is_confirmed(ct))
nf_ct_delete(ct, 0, 0);
-   else
-   nf_conntrack_put(>ct_general);
+
+   nf_conntrack_put(>ct_general);
nf_ct_set(skb, NULL, 0);
return false;
}
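Review bot: with the else removed, nf_conntrack_put() now runs right after nf_ct_delete() on the confirmed path, which reads like a double release unless the reader knows that this put drops the reference the skb holds, as the commit message explains. Say that in a one-line comment above the call, and check that the block comment ending just above the if still matches the new flow.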
-- 
2.1.4

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
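
A user-space model of the leak described in the commit message above, as an added example that is not part of the original patch or of the OVS or kernel sources. `struct netns`, `struct conn`, `struct pkt` and all function names are hypothetical stand-ins; the model assumes the conntrack table holds one reference on a confirmed entry, the skb holds one more, and deleting an entry drops only the table's reference.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for per-namespace conntrack accounting. */
struct netns {
    int live_conns;            /* entries whose refcount has not reached 0 */
};

/* Hypothetical stand-in for a conntrack entry. */
struct conn {
    struct netns *net;
    int refcnt;
    bool confirmed;            /* true while linked in the conntrack table */
};

/* Hypothetical stand-in for an skb with a cached conntrack pointer. */
struct pkt {
    struct conn *ct;
};

/* Drop one reference; the entry stops counting as live at zero. */
static void conn_put(struct conn *ct)
{
    if (--ct->refcnt == 0)
        ct->net->live_conns--;
}

/* Unlink a confirmed entry and drop the table's reference (assumption). */
static void conn_delete(struct conn *ct)
{
    if (ct->confirmed) {
        ct->confirmed = false;
        conn_put(ct);
    }
}

/* Logic before the fix: the skb's reference is dropped only when the
 * entry was never confirmed. */
static void clear_cached_ct_buggy(struct pkt *p)
{
    struct conn *ct = p->ct;

    if (ct->confirmed)
        conn_delete(ct);
    else
        conn_put(ct);
    p->ct = NULL;
}

/* Logic after the fix: the skb's reference is dropped on both paths. */
static void clear_cached_ct_fixed(struct pkt *p)
{
    struct conn *ct = p->ct;

    if (ct->confirmed)
        conn_delete(ct);
    conn_put(ct);
    p->ct = NULL;
}

typedef void (*clear_fn)(struct pkt *);

/* Run one variant on a fresh entry and report the state it leaves. */
static void run_case(bool confirmed, clear_fn clear, int *refs, int *live)
{
    struct netns net = { .live_conns = 1 };
    struct conn ct = {
        .net = &net,
        .refcnt = confirmed ? 2 : 1,   /* table + skb, or skb only */
        .confirmed = confirmed,
    };
    struct pkt p = { .ct = &ct };

    clear(&p);
    *refs = ct.refcnt;
    *live = net.live_conns;
}

/* References still held after the skb's pointer was cleared. */
static int refs_left(bool confirmed, clear_fn clear)
{
    int refs, live;

    run_case(confirmed, clear, &refs, &live);
    return refs;
}

/* Namespace cleanup can only finish once no live entries remain. */
static bool cleanup_can_finish(bool confirmed, clear_fn clear)
{
    int refs, live;

    run_case(confirmed, clear, &refs, &live);
    return live == 0;
}

int main(void)
{
    printf("buggy, confirmed: refs=%d cleanup_ok=%d\n",
           refs_left(true, clear_cached_ct_buggy),
           cleanup_can_finish(true, clear_cached_ct_buggy));
    printf("fixed, confirmed: refs=%d cleanup_ok=%d\n",
           refs_left(true, clear_cached_ct_fixed),
           cleanup_can_finish(true, clear_cached_ct_fixed));
    return 0;
}
```

In the model only the confirmed path differs between the two variants, which matches the patch: the unconfirmed path already released the reference before the fix.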


Re: [ovs-dev] [PATCH] ofproto: Report only un-deleted groups in group stats replies.

2017-04-19 Thread Jarno Rajahalme
This was an oversight from when groups were versioned for OF bundle support. 
Looks good to me, too.

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Apr 19, 2017, at 11:29 AM, Ben Pfaff <b...@ovn.org> wrote:
> 
> Deleted groups hang around in the group table until the next grace period,
> so it's important for the group stats code to pretend that they're gone
> until they really get deleted.
> 
> Reported-by: "Timothy M. Redaelli" <tredae...@redhat.com>
> Reported-at: 
> https://mail.openvswitch.org/pipermail/ovs-dev/2017-April/331117.html
> Signed-off-by: Ben Pfaff <b...@ovn.org>
> ---
> ofproto/ofproto.c | 5 -
> 1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c
> index 7440d5b52092..4d3d46c8ba45 100644
> --- a/ofproto/ofproto.c
> +++ b/ofproto/ofproto.c
> @@ -6641,7 +6641,10 @@ handle_group_request(struct ofconn *ofconn,
> ovs_mutex_lock(_mutex);
> if (group_id == OFPG_ALL) {
> CMAP_FOR_EACH (group, cmap_node, >groups) {
> -cb(group, );
> +if (versions_visible_in_version(>versions,
> +OVS_VERSION_MAX)) {
> +cb(group, );
> +}
> }
> } else {
> group = ofproto_group_lookup__(ofproto, group_id, OVS_VERSION_MAX);
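Review bot: the OFPG_ALL branch now filters on versions_visible_in_version(..., OVS_VERSION_MAX), matching the version the single-group branch passes to ofproto_group_lookup__(), but the diffstat touches only ofproto/ofproto.c. A regression test that deletes a group and then requests group stats for OFPG_ALL would pin the reported behaviour down.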
> -- 
> 2.10.2
> 


Re: [ovs-dev] [PATCH branch-2.7 00/14] Backports for branch-2.7

2017-04-18 Thread Jarno Rajahalme
For the series:

Acked-by: Jarno Rajahalme <ja...@ovn.org>

One of the userspace changes (indicate if had labels) changes the OVS library 
interface, so I leave it for you to decide what to do with that.

  Jarno

> On Apr 18, 2017, at 5:09 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> This is a trimmed down set of the backports presented by Jarno here:
> https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329817.html
> 
> The fixes (including label inheritance and subsequent fixups) are included
> in this series, while the unrelated refactors and unnecessary compat changes
> are dropped.
> 
> Jarno acked this proposal already, but I'm sending it out to the list for
> completeness.
> 
> The following patch is new in this proposal, as suggested by Jarno:
> "datapath: Avoid struct copy on conntrack labels."
> 
> Jarno Rajahalme (9):
>  datapath: Use inverted tuple in ovs_ct_find_existing() if NATted.
>  datapath: Do not trigger events for unconfirmed connections.
>  lib: Indicate if netlink message had labels.
>  datapath: Unionize ovs_key_ct_label with a u32 array.
>  datapath: Simplify labels length logic.
>  datapath: Refactor labels initialization.
>  datapath: Inherit master's labels.
>  datapath: Avoid struct copy on conntrack labels.
>  ofp-util: Ignore unknown fields in ofputil_decode_packet_in2().
> 
> Jiri Benc (2):
>  datapath: remove unused functions
>  datapath: remove unnecessary EXPORT_SYMBOLs
> 
> Pablo Neira Ayuso (1):
>  datapath: handle NF_REPEAT from nf_conntrack_in()
> 
> Thadeu Lima de Souza Cascardo (1):
>  datapath: fix flow stats accounting when node 0 is not possible
> 
> Yi-Hung Wei (1):
>  nx-match: Fix oxm decode.
> 
> datapath/conntrack.c   | 172 ++---
> datapath/datapath.c|   2 -
> datapath/flow.c|   6 +-
> datapath/flow_table.c  |   3 +-
> datapath/linux/compat/include/linux/openvswitch.h  |   8 +-
> .../include/net/netfilter/nf_conntrack_core.h  |  21 +++
> datapath/vport-netdev.c|   1 -
> datapath/vport.c   |  17 --
> datapath/vport.h   |   1 -
> lib/ct-dpif.h  |   1 +
> lib/netlink-conntrack.c|   1 +
> lib/nx-match.c |  23 ++-
> lib/nx-match.h |   4 +-
> lib/ofp-util.c |   2 +-
> tests/system-traffic.at|  52 +++
> 15 files changed, 223 insertions(+), 91 deletions(-)
> 
> -- 
> 2.11.1
> 



Re: [ovs-dev] [PATCH 3/3] ofproto-dpif: Check support for resubmit with conntrack action.

2017-04-18 Thread Jarno Rajahalme

> On Apr 18, 2017, at 8:56 AM, Ben Pfaff <b...@ovn.org> wrote:
> 
> On Fri, Apr 14, 2017 at 05:25:49PM -0700, Jarno Rajahalme wrote:
>> Use the existing probed support flag for the original direction tuple
>> to determine if resubmit(ct) can be executed or not.
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> 
> Thank you!  I think that this will help to make for less confusing
> errors in the future.  I did not study this carefully, but what I saw
> looked good.
> 
> Acked-by: Ben Pfaff <b...@ovn.org>

Thanks for the reviews!

Series pushed to master,

  Jarno



Re: [ovs-dev] [PATCH 2/3] ofproto-dpif: Check if original direction matches are supported.

2017-04-17 Thread Jarno Rajahalme

> On Apr 17, 2017, at 4:47 PM, Ben Pfaff <b...@ovn.org> wrote:
> 
> On Fri, Apr 14, 2017 at 05:25:48PM -0700, Jarno Rajahalme wrote:
>> Use the existing probed support flag for the original direction tuple
>> to determine if matches on the original direction tuple can be supported.
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
>> ---
>> ofproto/ofproto-dpif.c | 14 +-
>> 1 file changed, 13 insertions(+), 1 deletion(-)
>> 
>> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
>> index c0212f2..25f8adf 100644
>> --- a/ofproto/ofproto-dpif.c
>> +++ b/ofproto/ofproto-dpif.c
>> @@ -4122,7 +4122,8 @@ check_mask(struct ofproto_dpif *ofproto, const struct 
>> miniflow *flow)
>> support = >backer->support.odp;
>> ct_state = MINIFLOW_GET_U8(flow, ct_state);
>> if (support->ct_state && support->ct_zone && support->ct_mark
>> -&& support->ct_label && support->ct_state_nat) {
>> +&& support->ct_label && support->ct_state_nat
>> +&& support->ct_orig_tuple) {
>> return ct_state & CS_UNSUPPORTED_MASK ? OFPERR_OFPBMC_BAD_MASK : 0;
>> }
> 
> I don't understand the above logic (before or after).  Can you explain
> it?  Maybe there needs to be a comment.
> 

I guess a comment is needed, how about:

/* Do not bother dissecting the flow if the datapath supports all the features 
we know of. */

  Jarno

> Thanks,
> 
> Ben.



Re: [ovs-dev] [branch-2.7 3/4] ofproto: Add ref counting for variable length mf_fields.

2017-04-17 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org> 

with two notes:

1. Maybe patch 4 should be applied before this one to avoid creating a 
potential memory leak in the history?

2. taking new references before releasing old ones in modify_flows_start__() 
would seem better. Since the table holds a reference this does not matter in 
practice.

  Jarno

> On Mar 15, 2017, at 4:01 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> From: Yi-Hung Wei <yihung@gmail.com>
> 
> Currently, a controller may potentially trigger a segmentation fault if it
> accidentally removes a TLV mapping that is still used by an active flow.
> To resolve this issue, in this patch, we maintain reference counting for each
> dynamically allocated variable length mf_fields, so that vswitchd can use this
> information to properly remove a TLV mapping, and to return an error if the
> controller tries to remove a TLV mapping that is still used by any active flow.
> 
> To keep track of the usage of tun_metadata for each flow, two 'uint64_t'
> bitmaps are introduced for the flow match and flow action respectively. We use
> 'uint64_t' as a bitmap since the 64 geneve TLV tunnel metadata are the only
> available variable length mf_fields for now. We shall adopt general bitmap when
> more variable length mf_fields are introduced. The bitmaps are configured
> during the flow decoding process, and vswitchd uses these bitmaps to increase or
> decrease the ref counting when the flow is created or deleted.
> 
> VMWare-BZ: #1768370
> Fixes: 04f48a68c428 ("ofp-actions: Fix variable length meta-flow OXMs.")
> Suggested-by: Jarno Rajahalme <ja...@ovn.org>
> Suggested-by: Joe Stringer <j...@ovn.org>
> Signed-off-by: Yi-Hung Wei <yihung@gmail.com>
> Signed-off-by: Joe Stringer <j...@ovn.org>
> ---
> build-aux/extract-ofp-actions |   9 +-
> include/openvswitch/ofp-actions.h |   2 +
> include/openvswitch/ofp-errors.h  |   4 +
> include/openvswitch/ofp-util.h|   1 +
> lib/learn.c   |   5 +
> lib/meta-flow.c   | 228 --
> lib/ofp-actions.c | 208 +-
> lib/ofp-util.c|  21 ++--
> lib/vl-mff-map.h  |  17 ++-
> ofproto/ofproto-provider.h|   4 +
> ofproto/ofproto.c |  33 +-
> ovn/controller/pinctrl.c  |   6 +-
> tests/tunnel.at   |  76 -
> utilities/ovs-ofctl.c |   2 +-
> 14 files changed, 479 insertions(+), 137 deletions(-)
> 
> diff --git a/build-aux/extract-ofp-actions b/build-aux/extract-ofp-actions
> index 184447b99422..0062ab881dd5 100755
> --- a/build-aux/extract-ofp-actions
> +++ b/build-aux/extract-ofp-actions
> @@ -322,7 +322,8 @@ def extract_ofp_actions(fn, definitions):
> static enum ofperr
> ofpact_decode(const struct ofp_action_header *a, enum ofp_raw_action_type raw,
>   enum ofp_version version, uint64_t arg,
> -  const struct vl_mff_map *vl_mff_map, struct ofpbuf *out)
> +  const struct vl_mff_map *vl_mff_map,
> +  uint64_t *tlv_bitmap, struct ofpbuf *out)
> {
> switch (raw) {\
> """
> @@ -343,7 +344,7 @@ ofpact_decode(const struct ofp_action_header *a, enum 
> ofp_raw_action_type raw,
> else:
> arg = "arg"
> if arg_vl_mff_map:
> -print "return decode_%s(%s, version, vl_mff_map, 
> out);" % (enum, arg)
> +print "return decode_%s(%s, version, vl_mff_map, 
> tlv_bitmap, out);" % (enum, arg)
> else:
> print "return decode_%s(%s, version, out);" % 
> (enum, arg)
> print
> @@ -365,7 +366,7 @@ ofpact_decode(const struct ofp_action_header *a, enum 
> ofp_raw_action_type raw,
> else:
> prototype += "%s, enum ofp_version, " % base_argtype
> if arg_vl_mff_map:
> -prototype += 'const struct vl_mff_map *, '
> +prototype += 'const struct vl_mff_map *, uint64_t *, '
> prototype += "struct ofpbuf *);"
> print prototype
> 
> @@ -374,7 +375,7 @@ static enum ofperr ofpact_decode(const struct 
> ofp_action_header *,
>  enum ofp_raw_action_type raw,
>  enum ofp_version version,
>  uint64_t arg, const struct vl_mff_map 
> *vl_mff_map,
> - struct ofpbuf *out);
> +  

Re: [ovs-dev] [branch-2.7 2/4] nx-match: Use vl_mff_map to parse match field.

2017-04-17 Thread Jarno Rajahalme
Looks good to me:

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Mar 15, 2017, at 4:01 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> From: Yi-Hung Wei <yihung@gmail.com>
> 
> vl_mff_map is introduced in commit 04f48a68c428 ("ofp-actions: Fix variable
> length meta-flow OXMs") to account variable length mf_field, and it is used
> to decode variable length mf_field in ofp_action. In this patch, vl_mff_map
> is further used to decode the variable length match field as well.
> 
> Signed-off-by: Yi-Hung Wei <yihung@gmail.com>
> Signed-off-by: Joe Stringer <j...@ovn.org>
> ---
> include/openvswitch/ofp-util.h |  6 ++--
> lib/learning-switch.c  |  2 +-
> lib/nx-match.c | 46 
> lib/nx-match.h |  7 ++--
> lib/ofp-print.c|  4 +--
> lib/ofp-util.c | 80 +-
> ofproto/ofproto.c  | 11 +++---
> ovn/controller/pinctrl.c   |  2 +-
> tests/ofproto.at   | 15 +---
> utilities/ovs-ofctl.c  | 13 +++
> 10 files changed, 123 insertions(+), 63 deletions(-)
> 
> diff --git a/include/openvswitch/ofp-util.h b/include/openvswitch/ofp-util.h
> index 0c3a10aa4264..e73a942a3e15 100644
> --- a/include/openvswitch/ofp-util.h
> +++ b/include/openvswitch/ofp-util.h
> @@ -222,7 +222,7 @@ void ofputil_match_to_ofp10_match(const struct match *, 
> struct ofp10_match *);
> 
> /* Work with ofp11_match. */
> enum ofperr ofputil_pull_ofp11_match(struct ofpbuf *, const struct tun_table 
> *,
> - struct match *,
> + const struct vl_mff_map *, struct match 
> *,
>  uint16_t *padded_match_len);
> enum ofperr ofputil_pull_ofp11_mask(struct ofpbuf *, struct match *,
> struct mf_bitmap *bm);
> @@ -352,7 +352,7 @@ struct ofputil_flow_stats_request {
> 
> enum ofperr ofputil_decode_flow_stats_request(
> struct ofputil_flow_stats_request *, const struct ofp_header *,
> -const struct tun_table *);
> +const struct tun_table *, const struct vl_mff_map *);
> struct ofpbuf *ofputil_encode_flow_stats_request(
> const struct ofputil_flow_stats_request *, enum ofputil_protocol);
> 
> @@ -457,6 +457,7 @@ void ofputil_packet_in_destroy(struct ofputil_packet_in 
> *);
> 
> enum ofperr ofputil_decode_packet_in(const struct ofp_header *, bool loose,
>  const struct tun_table *,
> + const struct vl_mff_map *,
>  struct ofputil_packet_in *,
>  size_t *total_len, uint32_t *buffer_id,
>  struct ofpbuf *continuation);
> @@ -509,6 +510,7 @@ struct ofpbuf *ofputil_encode_packet_in_private(
> enum ofperr ofputil_decode_packet_in_private(
> const struct ofp_header *, bool loose,
> const struct tun_table *,
> +const struct vl_mff_map *,
> struct ofputil_packet_in_private *,
> size_t *total_len, uint32_t *buffer_id);
> 
> diff --git a/lib/learning-switch.c b/lib/learning-switch.c
> index bc757f46dd7a..77155d04fcc0 100644
> --- a/lib/learning-switch.c
> +++ b/lib/learning-switch.c
> @@ -523,7 +523,7 @@ process_packet_in(struct lswitch *sw, const struct 
> ofp_header *oh)
> struct dp_packet pkt;
> struct flow flow;
> 
> -error = ofputil_decode_packet_in(oh, true, NULL, , NULL,
> +error = ofputil_decode_packet_in(oh, true, NULL, NULL, , NULL,
>  _id, NULL);
> if (error) {
> VLOG_WARN_RL(, "failed to decode packet-in: %s",
> diff --git a/lib/nx-match.c b/lib/nx-match.c
> index c258869eec80..124cb71eb7c8 100644
> --- a/lib/nx-match.c
> +++ b/lib/nx-match.c
> @@ -480,13 +480,14 @@ nx_pull_header(struct ofpbuf *b, const struct 
> vl_mff_map *vl_mff_map,
> 
> static enum ofperr
> nx_pull_match_entry(struct ofpbuf *b, bool allow_cookie,
> +const struct vl_mff_map *vl_mff_map,
> const struct mf_field **field,
> union mf_value *value, union mf_value *mask)
> {
> enum ofperr error;
> uint64_t header;
> 
> -error = nx_pull_entry__(b, allow_cookie, NULL, , field, value,
> +error = nx_pull_entry__(b, allow_cookie, vl_mff_map, , field, 
> value,
> mask);
> if (error) {
> return error;
> @@ -507,7 +508,8 @@ nx_pull_match_entry(struct ofpbuf *b, bool allow_cookie,
> static enum ofperr
> nx_pull_raw(const uint8_t *p, unsigne

Re: [ovs-dev] [branch-2.7 1/4] nx-match: Fix oxm decode.

2017-04-17 Thread Jarno Rajahalme
This patch should be prepended by a prior patch, as some required changes are 
now missing:

7befb20d0f70 (“ofp-util: Ignore unknown fields in nx_decode_packet_in2().”)

  Jarno

> On Mar 15, 2017, at 4:01 PM, Joe Stringer  wrote:
> 
> From: Yi-Hung Wei 
> 
> decode_nx_packet_in2() may be used by the switch to parse NXT_RESUME
> messages, where we need exact match on the oxm header. It's also used by
> OVN to parse NXT_PACKET_IN2 messages. For the switch, strict
> prerequisites should be applied but for the controller, this should not
> be the case. Pass the 'loose' parameter down to oxm_decode() to apply
> these restrictions correctly based on which code is performing decode.
> 
> Signed-off-by: Yi-Hung Wei 
> Signed-off-by: Joe Stringer 
> ---
> lib/nx-match.c | 8 +---
> lib/nx-match.h | 4 ++--
> lib/ofp-util.c | 2 +-
> 3 files changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/lib/nx-match.c b/lib/nx-match.c
> index 91401e2201c6..c258869eec80 100644
> --- a/lib/nx-match.c
> +++ b/lib/nx-match.c
> @@ -678,12 +678,14 @@ oxm_pull_match_loose(struct ofpbuf *b, const struct 
> tun_table *tun_table,
>  *
>  * Fails with an error when encountering unknown OXM headers.
>  *
> - * Returns 0 if successful, otherwise an OpenFlow error code. */
> + * If 'loose' is true, encountering unknown OXM headers or missing field
> + * prerequisites are not considered as error conditions.
> + */
> enum ofperr
> -oxm_decode_match(const void *oxm, size_t oxm_len,
> +oxm_decode_match(const void *oxm, size_t oxm_len, bool loose,
>  const struct tun_table *tun_table, struct match *match)
> {
> -return nx_pull_raw(oxm, oxm_len, true, match, NULL, NULL, tun_table);
> +return nx_pull_raw(oxm, oxm_len, !loose, match, NULL, NULL, tun_table);
> }
> 
> /* Verify an array of OXM TLVs treating value of each TLV as a mask,
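Review bot: the comment above oxm_decode_match() still carries the unchanged line "Fails with an error when encountering unknown OXM headers." directly before the new sentence saying that unknown headers are not an error when 'loose' is true, so the two now contradict each other; qualify the first sentence with "unless 'loose' is true" or fold the two together. The hunk also deletes "Returns 0 if successful, otherwise an OpenFlow error code.", which still describes the return value and should stay.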
> diff --git a/lib/nx-match.h b/lib/nx-match.h
> index 5dca24a01a49..e103dd5fa74d 100644
> --- a/lib/nx-match.h
> +++ b/lib/nx-match.h
> @@ -61,8 +61,8 @@ enum ofperr oxm_pull_match(struct ofpbuf *, const struct 
> tun_table *,
>struct match *);
> enum ofperr oxm_pull_match_loose(struct ofpbuf *, const struct tun_table *,
>  struct match *);
> -enum ofperr oxm_decode_match(const void *, size_t, const struct tun_table *,
> - struct match *);
> +enum ofperr oxm_decode_match(const void *, size_t, bool,
> + const struct tun_table *, struct match *);
> enum ofperr oxm_pull_field_array(const void *, size_t fields_len,
>  struct field_array *);
> 
> diff --git a/lib/ofp-util.c b/lib/ofp-util.c
> index 0c9343ec400b..d3153370f2e6 100644
> --- a/lib/ofp-util.c
> +++ b/lib/ofp-util.c
> @@ -3398,7 +3398,7 @@ decode_nx_packet_in2(const struct ofp_header *oh, bool 
> loose,
> 
> case NXPINT_METADATA:
> error = oxm_decode_match(payload.msg, ofpbuf_msgsize(),
> - tun_table, >flow_metadata);
> + loose, tun_table, >flow_metadata);
> break;
> 
> case NXPINT_USERDATA:
> -- 
> 2.11.1
> 



Re: [ovs-dev] [PATCH 2/2] dpif: Log packet metadata on execute.

2017-04-17 Thread Jarno Rajahalme

> On Apr 14, 2017, at 8:54 PM, Ben Pfaff <b...@ovn.org> wrote:
> 
> On Thu, Apr 13, 2017 at 04:47:36PM -0700, Jarno Rajahalme wrote:
>> Debug log output for execute operations is missing the packet
>> metadata, which can be instrumental in tracing what the datapath
>> should be executing.  No reason to have the metadata on the debug
>> output, so add it there.
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> 
> This does seem like an important oversight.
> 
> Acked-by: Ben Pfaff <b...@ovn.org>

Thanks for the review, pushed to master, and branches 2.5, 2.6, and 2.7. 
Cherry-pick on branch-2.4 was not clean, and I did not bother to resolve it for 
now.

  Jarno



Re: [ovs-dev] [PATCH 1/2] acinclude: Allow compile with Linux 4.11.

2017-04-17 Thread Jarno Rajahalme

> On Apr 14, 2017, at 8:56 PM, Ben Pfaff <b...@ovn.org> wrote:
> 
> On Thu, Apr 13, 2017 at 04:47:35PM -0700, Jarno Rajahalme wrote:
>> Change the Linux kernel tests in OVS configuration.
>> 
>> While the backports may still be a little behind, it is useful to be
>> able to test the OVS tree kernel module with the upstream net-next
>> kernel.
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> 
> Here's a review to indicate that this patch does what the commit message
> says it does.  I don't have an informed position on whether this is a
> good thing to do.  I'm happy to take your word on that, or you can ask
> someone better informed if you like.
> 
> Acked-by: Ben Pfaff <b...@ovn.org>

Thanks for the review!

At worst we need to revert this before the next release if we find that the OVS 
tree kernel module does not work with Linux 4.11. By enabling it in the master 
now we’ll get more testing for it, so I merged this to master.

  Jarno



Re: [ovs-dev] [PATCH] ofp-parse: Fix match parsing with [x..y]=z format.

2017-04-17 Thread Jarno Rajahalme

> On Apr 14, 2017, at 8:58 PM, Ben Pfaff <b...@ovn.org> wrote:
> 
> On Thu, Apr 13, 2017 at 06:31:06PM -0700, Jarno Rajahalme wrote:
>> Commit 21b2fa617126 ("ofp-parse: Allow match field names in actions
>> and brackets in matches.") added support for matching a consecutive
>> set of bits with the [x..y]=z format, but the copying of the parsed
>> value ('z') to the match was done from a wrong offset, so that the
>> actual value matched would be incorrect.
>> 
>> Fix this and add a test case preventing regression in future.
>> 
>> Fixes: 21b2fa617126 ("ofp-parse: Allow match field names in actions and 
>> brackets in matches.")
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> 
> Oops, thanks for the fix!
> 
> Should the test try a multibit match too, for completeness?
> 

Pushed to master and branch-2.7 with an additional multibit match. Thanks for 
the review!

  Jarno

> Acked-by: Ben Pfaff <b...@ovn.org>



[ovs-dev] [PATCH 3/3] ofproto-dpif: Check support for resubmit with conntrack action.

2017-04-14 Thread Jarno Rajahalme
Use the existing probed support flag for the original direction tuple
to determine if resubmit(ct) can be executed or not.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 ofproto/ofproto-dpif.c | 86 ++
 1 file changed, 45 insertions(+), 41 deletions(-)

diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index 25f8adf..23afc76 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -4155,13 +4155,12 @@ check_mask(struct ofproto_dpif *ofproto, const struct 
miniflow *flow)
 }
 
 static void
-report_unsupported_ct(const char *detail)
+report_unsupported_act(const char *action, const char *detail)
 {
 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
-VLOG_WARN_RL(, "Rejecting ct action because datapath does not support "
- "ct action%s%s (your kernel module may be out of date)",
- detail ? " " : "",
- detail ? detail : "");
+VLOG_WARN_RL(, "Rejecting %s action because datapath does not support"
+ "%s%s (your kernel module may be out of date)",
+ action, detail ? " " : "", detail ? detail : "");
 }
 
 static enum ofperr
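Review bot: report_unsupported_act() keeps the `detail ? " " : ""` handling for a NULL detail, but with the reworded format string a NULL detail now logs "datapath does not support (your kernel module may be out of date)", a sentence with no object. The callers visible in the next hunk all pass a string, so either drop the NULL handling and require a non-NULL detail, or keep a fallback word in the message.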
@@ -4169,51 +4168,56 @@ check_actions(const struct ofproto_dpif *ofproto,
   const struct rule_actions *const actions)
 {
 const struct ofpact *ofpact;
+const struct odp_support *support = >backer->support.odp;
 
 OFPACT_FOR_EACH (ofpact, actions->ofpacts, actions->ofpacts_len) {
-const struct odp_support *support;
-const struct ofpact_conntrack *ct;
-const struct ofpact *a;
+if (ofpact->type == OFPACT_CT) {
+const struct ofpact_conntrack *ct;
+const struct ofpact *a;
 
-if (ofpact->type != OFPACT_CT) {
-continue;
-}
+ct = CONTAINER_OF(ofpact, struct ofpact_conntrack, ofpact);
 
-ct = CONTAINER_OF(ofpact, struct ofpact_conntrack, ofpact);
-support = >backer->support.odp;
+if (!support->ct_state) {
+report_unsupported_act("ct", "ct action");
+return OFPERR_OFPBAC_BAD_TYPE;
+}
+if ((ct->zone_imm || ct->zone_src.field) && !support->ct_zone) {
+report_unsupported_act("ct", "ct zones");
+return OFPERR_OFPBAC_BAD_ARGUMENT;
+}
+/* So far the force commit feature is implemented together with the
+ * original direction tuple feature by all datapaths, so we use the
+ * support flag for the 'ct_orig_tuple' to indicate support for the
+ * force commit feature as well. */
+if ((ct->flags & NX_CT_F_FORCE) && !support->ct_orig_tuple) {
+report_unsupported_act("ct", "force commit");
+return OFPERR_OFPBAC_BAD_ARGUMENT;
+}
 
-if (!support->ct_state) {
-report_unsupported_ct(NULL);
-return OFPERR_OFPBAC_BAD_TYPE;
-}
-if ((ct->zone_imm || ct->zone_src.field) && !support->ct_zone) {
-report_unsupported_ct("zone");
-return OFPERR_OFPBAC_BAD_ARGUMENT;
-}
-/* So far the force commit feature is implemented together with the
- * original direction tuple feature by all datapaths, so we use the
- * support flag for the 'ct_orig_tuple' to indicate support for the
- * force commit feature as well. */
-if ((ct->flags & NX_CT_F_FORCE) && !support->ct_orig_tuple) {
-report_unsupported_ct("force commit");
-return OFPERR_OFPBAC_BAD_ARGUMENT;
-}
+OFPACT_FOR_EACH(a, ct->actions, ofpact_ct_get_action_len(ct)) {
+const struct mf_field *dst = ofpact_get_mf_dst(a);
 
-OFPACT_FOR_EACH(a, ct->actions, ofpact_ct_get_action_len(ct)) {
-const struct mf_field *dst = ofpact_get_mf_dst(a);
+if (a->type == OFPACT_NAT && !support->ct_state_nat) {
+/* The backer doesn't seem to support the NAT bits in
+ * 'ct_state': assume that it doesn't support the NAT
+ * action. */
+report_unsupported_act("ct", "nat");
+return OFPERR_OFPBAC_BAD_TYPE;
+}
+if (dst && ((dst->id == MFF_CT_MARK && !support->ct_mark) ||
+(dst->id == MFF_CT_LABEL && !support->ct_label))) {
+report_unsupported_act("ct", "setting mark and/or label");
+return OFPERR_OFPBAC_BAD_S
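Review bot: The call report_unsupported_act("ct", "ct action") at the top of the OFPACT_CT branch logs "Rejecting ct action because datapath does not support ct action", which repeats itself; naming the missing capability (the check is on support->ct_state) would say more. Separately, most of this hunk is re-indentation of the existing ct checks under `if (ofpact->type == OFPACT_CT)`; moving that body into a helper function would keep the nesting shallow and leave the new logic as the only visible change.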

[ovs-dev] [PATCH 2/3] ofproto-dpif: Check if original direction matches are supported.

2017-04-14 Thread Jarno Rajahalme
Use the existing probed support flag for the original direction tuple
to determine if matches on the original direction tuple can be supported.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 ofproto/ofproto-dpif.c | 14 +-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index c0212f2..25f8adf 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -4122,7 +4122,8 @@ check_mask(struct ofproto_dpif *ofproto, const struct 
miniflow *flow)
 support = >backer->support.odp;
 ct_state = MINIFLOW_GET_U8(flow, ct_state);
 if (support->ct_state && support->ct_zone && support->ct_mark
-&& support->ct_label && support->ct_state_nat) {
+&& support->ct_label && support->ct_state_nat
+&& support->ct_orig_tuple) {
 return ct_state & CS_UNSUPPORTED_MASK ? OFPERR_OFPBMC_BAD_MASK : 0;
 }
 
@@ -4139,6 +4140,17 @@ check_mask(struct ofproto_dpif *ofproto, const struct 
miniflow *flow)
 return OFPERR_OFPBMC_BAD_MASK;
 }
 
+if (!support->ct_orig_tuple &&
+(MINIFLOW_GET_U8(flow, ct_nw_proto) ||
+ MINIFLOW_GET_U16(flow, ct_tp_src) ||
+ MINIFLOW_GET_U16(flow, ct_tp_dst) ||
+ MINIFLOW_GET_U32(flow, ct_nw_src) ||
+ MINIFLOW_GET_U32(flow, ct_nw_dst) ||
+ !ovs_u128_is_zero(MINIFLOW_GET_U128(flow, ct_ipv6_src)) ||
+ !ovs_u128_is_zero(MINIFLOW_GET_U128(flow, ct_ipv6_dst {
+return OFPERR_OFPBMC_BAD_MASK;
+}
+
 return 0;
 }
 
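Review bot: The new `!support->ct_orig_tuple` block in check_mask() returns OFPERR_OFPBMC_BAD_MASK with no comment on why any non-zero ct_nw_proto, ct_tp_src, ct_tp_dst, ct_nw_src, ct_nw_dst, ct_ipv6_src or ct_ipv6_dst in 'flow' counts as a match on the original direction tuple. A one-line comment saying what 'flow' holds here would help the next reader. The diffstat also shows no test for the rejection path; a case that installs such a match against a datapath without the feature would pin the behaviour.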
-- 
2.1.4



[ovs-dev] [PATCH 1/3] ofproto-dpif: Check support for CT action force commit flag.

2017-04-14 Thread Jarno Rajahalme
So far the force commit feature is implemented together with the
original direction tuple feature by all datapaths, so we can use the
support flag for the 'ct_orig_tuple' to indicate support for the force
commit feature as well.

Better fail the flow install than rely on ovs-vswitchd log being
filled by error messages from the datapath.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 ofproto/ofproto-dpif.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index 6a5ffb9..c0212f2 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -4178,6 +4178,14 @@ check_actions(const struct ofproto_dpif *ofproto,
 report_unsupported_ct("zone");
 return OFPERR_OFPBAC_BAD_ARGUMENT;
 }
+/* So far the force commit feature is implemented together with the
+ * original direction tuple feature by all datapaths, so we use the
+ * support flag for the 'ct_orig_tuple' to indicate support for the
+ * force commit feature as well. */
+if ((ct->flags & NX_CT_F_FORCE) && !support->ct_orig_tuple) {
+report_unsupported_ct("force commit");
+return OFPERR_OFPBAC_BAD_ARGUMENT;
+}
 
 OFPACT_FOR_EACH(a, ct->actions, ofpact_ct_get_action_len(ct)) {
 const struct mf_field *dst = ofpact_get_mf_dst(a);
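Review bot: The NX_CT_F_FORCE check keys off support->ct_orig_tuple, a flag probed for a different feature, and the only record of that coupling is the comment in this hunk. If a datapath ever implements one feature without the other, flows will be wrongly accepted or rejected here, with a "force commit" message that points at the wrong cause. Consider a dedicated support flag, or at least a matching note where ct_orig_tuple is probed; the diffstat also shows no test for the new rejection.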
-- 
2.1.4



[ovs-dev] [PATCH] ofp-parse: Fix match parsing with [x..y]=z format.

2017-04-13 Thread Jarno Rajahalme
Commit 21b2fa617126 ("ofp-parse: Allow match field names in actions
and brackets in matches.") added support for matching a consecutive
set of bits with the [x..y]=z format, but the copying of the parsed
value ('z') to the match was done from a wrong offset, so that the
actual value matched would be incorrect.

Fix this and add a test case preventing regression in future.

Fixes: 21b2fa617126 ("ofp-parse: Allow match field names in actions and 
brackets in matches.")
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 lib/ofp-parse.c| 6 +++---
 tests/ovs-ofctl.at | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/ofp-parse.c b/lib/ofp-parse.c
index 7826bc5..c8cac5b 100644
--- a/lib/ofp-parse.c
+++ b/lib/ofp-parse.c
@@ -290,11 +290,11 @@ parse_subfield(const char *name, const char *str_value, 
struct match *match,
 
 const struct mf_field *field = sf.field;
 union mf_value value, mask;
-unsigned int size = DIV_ROUND_UP(sf.n_bits, 8);
+unsigned int size = field->n_bytes;
 
 mf_get(field, match, , );
-bitwise_copy(, size, 0, , field->n_bytes, sf.ofs, sf.n_bits);
-bitwise_one (   ,  field->n_bytes, sf.ofs, sf.n_bits);
+bitwise_copy(, size, 0, , size, sf.ofs, sf.n_bits);
+bitwise_one (   ,  size, sf.ofs, sf.n_bits);
 *usable_protocols &= mf_set(field, , , match, );
 }
 return error;
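Review bot: After this change 'size' is just another name for field->n_bytes and is passed as both the source and the destination length to bitwise_copy(), so the reason the old DIV_ROUND_UP(sf.n_bits, 8) was wrong is no longer visible in the code. A short comment above the bitwise_copy() call, saying that the source length must be the full field width (which is what the fix assumes), would keep someone from shrinking the source length again.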
diff --git a/tests/ovs-ofctl.at b/tests/ovs-ofctl.at
index 737f609..18ab788 100644
--- a/tests/ovs-ofctl.at
+++ b/tests/ovs-ofctl.at
@@ -285,6 +285,7 @@ AT_CLEANUP
 AT_SETUP([ovs-ofctl parse-flows (OpenFlow 1.2)])
 AT_DATA([flows.txt], [[
 # comment
+tcp,tp_src[5]=1,actions=flood
 tcp,tp_src=123,actions=flood
 in_port=LOCAL dl_vlan=9 dl_src=00:0A:E4:25:6B:B0 
actions=mod_vlan_vid:7,mod_vlan_pcp:2
 udp dl_vlan_pcp=7 idle_timeout=5 actions=strip_vlan output:0
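Review bot: The added flow `tcp,tp_src[5]=1` exercises only a single-bit subfield, while the commit message describes the [x..y]=z form. Adding a multi-bit range at a non-zero offset would cover the copy that the fix actually changes.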
@@ -309,6 +310,7 @@ AT_CHECK([ovs-ofctl --protocols OpenFlow12 parse-flows 
flows.txt
 AT_CHECK([[sed 's/ (xid=0x[0-9a-fA-F]*)//' stdout]], [0],
 [[usable protocols: NXM,OXM
 chosen protocol: OXM-OpenFlow12
+OFPT_FLOW_MOD (OF1.2): ADD tcp,tp_src=0x20/0x20 actions=FLOOD
 OFPT_FLOW_MOD (OF1.2): ADD tcp,tp_src=123 actions=FLOOD
 OFPT_FLOW_MOD (OF1.2): ADD in_port=LOCAL,dl_vlan=9,dl_src=00:0a:e4:25:6b:b0 
actions=set_field:4103->vlan_vid,set_field:2->vlan_pcp
 OFPT_FLOW_MOD (OF1.2): ADD udp,dl_vlan_pcp=7 idle:5 actions=pop_vlan,output:0
-- 
2.1.4



[ovs-dev] [PATCH 2/2] dpif: Log packet metadata on execute.

2017-04-13 Thread Jarno Rajahalme
Debug log output for execute operations is missing the packet
metadata, which can be instrumental in tracing what the datapath
should be executing.  No reason to have the metadata on the debug
output, so add it there.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 lib/dpif.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/lib/dpif.c b/lib/dpif.c
index 1760de8..4066f9c 100644
--- a/lib/dpif.c
+++ b/lib/dpif.c
@@ -1760,9 +1760,13 @@ log_execute_message(struct dpif *dpif, const struct 
dpif_execute *execute,
 && !execute->probe) {
 struct ds ds = DS_EMPTY_INITIALIZER;
 char *packet;
+uint64_t stub[1024 / 8];
+struct ofpbuf md = OFPBUF_STUB_INITIALIZER(stub);
 
 packet = ofp_packet_to_string(dp_packet_data(execute->packet),
   dp_packet_size(execute->packet));
+odp_key_from_pkt_metadata(, >packet->md);
+
 ds_put_format(, "%s: %sexecute ",
   dpif_name(dpif),
   (subexecute ? "sub-"
@@ -1773,10 +1777,13 @@ log_execute_message(struct dpif *dpif, const struct 
dpif_execute *execute,
 ds_put_format(, " failed (%s)", ovs_strerror(error));
 }
 ds_put_format(, " on packet %s", packet);
+ds_put_format(, " with metadata ");
+odp_flow_format(md.data, md.size, NULL, 0, NULL, , true);
 ds_put_format(, " mtu %d", execute->mtu);
 vlog(_module, error ? VLL_WARN : VLL_DBG, "%s", ds_cstr());
 ds_destroy();
 free(packet);
+ofpbuf_uninit();
 }
 }
 
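Review bot: The added ds_put_format() call that appends " with metadata " has no conversion specifiers, so ds_put_cstr() is the better fit and keeps literal text out of a format-string position. The same applies if more fixed text is added to this message later.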
-- 
2.1.4



Re: [ovs-dev] OVS performance with Kernel Datapath of Linux upstream vs Linux OVS tree.

2017-04-13 Thread Jarno Rajahalme

> On Apr 12, 2017, at 9:00 PM, Kapil Adhikesavalu <kapil20...@gmail.com> wrote:
> 
> Hi Jarno,
> 
> That's great! Thanks for the clarification. So, if anything it should only 
> improve the performance when I move to OVS tree kernel module.
> 
> 

Yes, assuming you will be using a recent OVS release rather than an old one.

  Jarno

> On Thu, 13 Apr 2017, 1:05 AM Jarno Rajahalme, <ja...@ovn.org 
> <mailto:ja...@ovn.org>> wrote:
> 
> > On Apr 12, 2017, at 12:49 AM, Kapil Adhikesavalu <kapil20...@gmail.com 
> > <mailto:kapil20...@gmail.com>> wrote:
> >
> > Hi,
> >
> > Is there any performance difference with using the OVS kernel Datapath
> > available as part of Linux upstream vs. the module built from Linux OVS tree?
> >
> 
> OVS tree kernel module has an Exact Match Cache, which generally improves 
> performance. Upstream Linux openvswitch module does not have it.
> 
> > So far I have been using the DP part of the Linux upstream and as NAT
> > feature requires Linux version 4.6, I plan to switch to DP module built
> > from OVS tree.
> >
> > 1. In general is there any performance difference between using these two? Or would
> > it vary based on the features being in use?
> > 2. I am currently using VXLAN and L2 forwarding + NAT (plan to use it),
> > would like to know if there could be any performance difference expected
> > when I switch from upstream DP to KLM.
> >
> > I didn't find any specific mention about performance in FAQ -
> > http://docs.openvswitch.org/en/latest/faq/releases/ 
> > <http://docs.openvswitch.org/en/latest/faq/releases/> except for this
> > statement 'Certain features require kernel support to function or to have
> > reasonable performance.'
> >
> 
> This note relates to using OVS with an older (upstream) kernel module. While 
> we maintain backwards compatibility, newer features perform better with newer 
> kernel module having explicit support for the feature.
> 
>   Jarno
> 
> > Regards
> > Kapil.
> 
> -- 
> Regards
> Kapil
> 



Re: [ovs-dev] [PATCH] tests: Add test for CT action with setting labels.

2017-04-12 Thread Jarno Rajahalme

> On Apr 12, 2017, at 2:06 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 21 March 2017 at 15:51, Jarno Rajahalme <ja...@ovn.org> wrote:
>> This test clearly demonstrates the bit order of labels in the OpenFlow
>> wire format.
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> 
> Acked-by: Joe Stringer <j...@ovn.org>

Thanks for the review! Pushed to master,

  Jarno



Re: [ovs-dev] OVS performance with Kernel Datapath of Linux upstream vs Linux OVS tree.

2017-04-12 Thread Jarno Rajahalme

> On Apr 12, 2017, at 12:49 AM, Kapil Adhikesavalu  wrote:
> 
> Hi,
> 
> Is there any performance difference with using the OVS kernel Datapath
> available as part of Linux upstream vs. the module built from Linux OVS tree?
> 

OVS tree kernel module has an Exact Match Cache, which generally improves 
performance. Upstream Linux openvswitch module does not have it.

> So far I have been using the DP part of the Linux upstream and as NAT
> feature requires Linux version 4.6, I plan to switch to DP module built
> from OVS tree.
> 
> 1. In general is there any performance difference between using these two? Or would
> it vary based on the features being in use?
> 2. I am currently using VXLAN and L2 forwarding + NAT (plan to use it),
> would like to know if there could be any performance difference expected
> when I switch from upstream DP to KLM.
> 
> I didn't find any specific mention about performance in FAQ -
> http://docs.openvswitch.org/en/latest/faq/releases/ except for this
> statement 'Certain features require kernel support to function or to have
> reasonable performance.'
> 

This note relates to using OVS with an older (upstream) kernel module. While we 
maintain backwards compatibility, newer features perform better with newer 
kernel module having explicit support for the feature.

  Jarno

> Regards
> Kapil.



Re: [ovs-dev] [PATCH RFC] dpif-netdev: Add Cuckoo Distributor to Accelerate Megaflow Search

2017-04-11 Thread Jarno Rajahalme
Thanks for your contribution!

I haven’t looked at the patch yet, but based on the description I’d ask you to 
characterize the difference and/or feature interaction with the Exact Match 
Cache (EMC). Particularly, does “orig-ovs” and/or “cd-ovs” have the conditional 
EMC feature (merged to master on Feb 16th, 2017), and what values of 
“emc-insert-inv-prob” were used for comparison?

  Jarno

> On Apr 11, 2017, at 12:21 AM, Fischetti, Antonio 
>  wrote:
> 
> Any comment on this patch?
> As this is a sort of an addition to Subtable Ranking, maybe
> Jarno and/or Jan could have some comments?
> 
> Thanks,
> Antonio
> 
>> -Original Message-
>> From: ovs-dev-boun...@openvswitch.org [mailto:ovs-dev-
>> boun...@openvswitch.org] On Behalf Of yipeng1.w...@intel.com
>> Sent: Thursday, April 6, 2017 10:48 PM
>> To: d...@openvswitch.org
>> Subject: [ovs-dev] [PATCH RFC] dpif-netdev: Add Cuckoo Distributor to
>> Accelerate Megaflow Search
>> 
>> From: Yipeng Wang 
>> 
>> The Datapath Classifier uses tuple space search for flow classification.
>> The rules are arranged into a set of tuples/subtables (each with a
>> distinct mask).  Each subtable is implemented as a hash table and lookup
>> is done with flow keys formed by selecting the bits from the packet header
>> based on each subtable's mask. Tuple space search will sequentially search
>> each subtable until a match is found. With a large number of subtables, a
>> sequential search of the subtables could consume a lot of CPU cycles. In
>> a testbench with a uniform traffic pattern equally distributed across 20
>> subtables, we measured that up to 65% of total execution time is
>> attributed to the megaflow cache lookup.
>> 
>> This patch presents the idea of the two-layer hierarchical lookup, where a
>> low overhead first level of indirection is accessed first, we call this
>> level cuckoo distributor (CD). If a flow key has been inserted in the flow
>> table the first level will indicate with high probability which
>> subtable to look into. A lookup is performed on the second level (the
>> target subtable) to retrieve the result. If the key doesn’t have a match,
>> then we revert back to the sequential search of subtables.
>> 
>> This patch can improve the already existing Subtable Ranking when traffic
>> data has high entropy. Subtable Ranking helps minimize the number of
>> traversed subtables when most of the traffic hit the same subtable.
>> However, in the case of high entropy traffic such as traffic coming from
>> a physical port, multiple subtables could be hit with a similar frequency.
>> In this case the average subtable lookups per hit would be much greater
>> than 1. In addition, CD can adaptively turn off when it finds the traffic
>> mostly hit one subtable. Thus, CD will not be an overhead when Subtable
>> Ranking works well.
>> 
>> Scheme:
>> 
>>        -------
>>       |  CD   |
>>        -------
>>           \
>>            \
>>  -----  -----     -----
>> |sub  ||sub  |...|sub  |
>> |table||table|   |table|
>>  -----  -----     -----
>> 
>> Evaluation:
>> 
>> We create a set of rules with various src IP. We feed traffic containing 1
>> million flows with various src IP and dst IP. All the flows hit 10/20/30
>> rules creating 10/20/30 subtables.
>> 
>> The table below shows the preliminary continuous testing results (full
>> line speed test) we collected with a uni-directional port-to-port setup. The
>> machine we tested on is a Xeon E5 server running with 2.2GHz cores. OvS
>> runs with 1 PMD. We use Spirent as the hardware traffic generator.
>> 
>> no.subtable: 10  20  30
>> cd-ovs   3895961 3170530 2968555
>> orig-ovs 2683455 1646227 1240501
>> speedup  1.45x   1.92x   2.39x
>> 
>> Signed-off-by: Yipeng Wang 
>> Signed-off-by: Charlie Tai 
>> Co-authored-by: Charlie Tai 
>> Signed-off-by: Sameh Gobriel 
>> Co-authored-by: Sameh Gobriel 
>> Signed-off-by: Ren Wang 
>> Co-authored-by: Ren Wang 
>> Signed-off-by: Antonio Fischetti 
>> Co-authored-by: Antonio Fischetti 
>> ---
>> lib/dpif-netdev.c | 654
>> --
>> tests/ofproto-dpif.at |   3 +-
>> 2 files changed, 633 insertions(+), 24 deletions(-)
>> 
>> diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
>> index a14a2eb..d9a883b 100644
>> --- a/lib/dpif-netdev.c
>> +++ b/lib/dpif-netdev.c
>> @@ -79,11 +79,23 @@
>> 
>> VLOG_DEFINE_THIS_MODULE(dpif_netdev);
>> 
>> +/* Length of Subtable table for cuckoo distributor to index subtables.
>> + * The size of the table is at most 256 entires because the CD's entry
>> only
>> + * provides 1 byte for indexing.
>> + */
>> +#define SUBTABLE_TABLE_LENGTH 256
>> +
>> #define FLOW_DUMP_MAX_BATCH 50
>> /* Use per thread recirc_depth to prevent recirculation loop. */
>> #define MAX_RECIRC_DEPTH 5
>> DEFINE_STATIC_PER_THREAD_DATA(uint32_t, recirc_depth, 0)
>> 
>> +
>> +#define CD_DEBUG 0
>> +#define debug_print(...) 
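Review bot: The comment on SUBTABLE_TABLE_LENGTH says the distributor entry has one byte for the subtable index, so at most 256 subtables can be addressed, but nothing in this hunk says what happens once more subtables than that exist. State the overflow behaviour next to the define, for example that such subtables are reached only through the sequential search. Also "entires" should read "entries", and the CD_DEBUG/debug_print pair would be better served by VLOG_DBG on the module declared just above.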

Re: [ovs-dev] [PATCH] datapath: Avoid struct copy on conntrack labels.

2017-04-11 Thread Jarno Rajahalme
Thanks for the review!

Applied to master with an explanatory comment,

  Jarno

> On Apr 10, 2017, at 5:11 PM, Andy Zhou <az...@ovn.org> wrote:
> 
> On Sat, Apr 1, 2017 at 8:24 PM, Jarno Rajahalme <ja...@ovn.org 
> <mailto:ja...@ovn.org>> wrote:
>> Older kernels have variable sized labels, and the struct itself
>> contains only the length, so we must memcpy the bits explicitly.
>> 
>> The modified system test fails on older kernels without this change.
>> 
>> VMware-BZ: #1841876
>> Fixes: 09aa98ad496d ("datapath: Inherit master's labels.")
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org <mailto:ja...@ovn.org>>
> 
> I have a comment in line.
> Acked-by: Andy Zhou <az...@ovn.org <mailto:az...@ovn.org>>
> 
> 
>> ---
>> datapath/conntrack.c|  2 +-
>> tests/system-traffic.at | 18 +-
>> 2 files changed, 10 insertions(+), 10 deletions(-)
>> 
>> diff --git a/datapath/conntrack.c b/datapath/conntrack.c
>> index 4df7352..cb8b3ff 100644
>> --- a/datapath/conntrack.c
>> +++ b/datapath/conntrack.c
>> @@ -367,7 +367,7 @@ static int ovs_ct_init_labels(struct nf_conn *ct, struct 
>> sw_flow_key *key,
>> 
>>/* Inherit the master's labels, if any. */
>>if (master_cl)
>> -   *cl = *master_cl;
>> +   memcpy(cl->bits, master_cl->bits, OVS_CT_LABELS_LEN);
> 
> This changes from what upstream code looks like. (So that it can work
> with older version). To make future back-port easier, maybe we should
> add a comment around this line to explain the change?
>> 
>>if (have_mask) {
>>u32 *dst = (u32 *)cl->bits;
>> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
>> index 1816b1a..c042773 100644
>> --- a/tests/system-traffic.at
>> +++ b/tests/system-traffic.at
>> @@ -3044,7 +3044,7 @@ dnl Non-REPLY/RELATED packets get the ACL lookup with 
>> the packet headers
>> dnl in the actual packet direction in reg0 (IN=1, OUT=2).  REPLY packets
>> dnl get the ACL lookup using the conntrack tuple and the inverted direction.
>> dnl RELATED packets get ACL lookup using the conntrack tuple in the direction
>> -dnl of the master connection, as storted in ct_mark.
>> +dnl of the master connection, as stored in ct_label[0].
>> dnl
>> dnl Incoming non-related packet in the original direction (ACL IN)
>> table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv 
>> action=set_field:1->reg0,resubmit(,3),goto_table:5
>> @@ -3056,7 +3056,7 @@ dnl Outgoing non-related reply packet (CT ACL IN)
>> table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv 
>> action=set_field:1->reg0,resubmit(,3,ct),goto_table:4
>> dnl
>> dnl Related packet (CT ACL in the direction of the master connection.)
>> -table=1 ip, ct_state=+rel+trk-inv, 
>> action=move:NXM_NX_CT_MARK[[]]->NXM_NX_REG0[[]],resubmit(,3,ct),goto_table:4
>> +table=1 ip, ct_state=+rel+trk-inv, 
>> action=move:NXM_NX_CT_LABEL[[0]]->NXM_NX_REG0[[0]],resubmit(,3,ct),goto_table:4
>> dnl Drop everything else.
>> table=1 priority=0, action=drop
>> dnl
>> @@ -3088,15 +3088,15 @@ table=5 reg2=0 priority=1000 action=drop
>> dnl
>> dnl Commit new incoming FTP control connections with SNAT range.  Must match 
>> on
>> dnl 'tcp' when setting 'alg=ftp'.  Store the directionality of non-related
>> -dnl connections to ct_mark.  Store the rule ID to labels.
>> -table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, 
>> action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
>> +dnl connections to ct_label[0]  Store the rule ID to ct_label[96..127].
>> +table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, 
>> action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
>> dnl Commit other new incoming non-related IP connections with SNAT range.
>> -table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, 
>> action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
>> +table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, 
>> action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6

[ovs-dev] [PATCH] datapath: Avoid struct copy on conntrack labels.

2017-04-01 Thread Jarno Rajahalme
Older kernels have variable sized labels, and the struct itself
contains only the length, so we must memcpy the bits explicitly.

The modified system test fails on older kernels without this change.

VMware-BZ: #1841876
Fixes: 09aa98ad496d ("datapath: Inherit master's labels.")
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 datapath/conntrack.c|  2 +-
 tests/system-traffic.at | 18 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 4df7352..cb8b3ff 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -367,7 +367,7 @@ static int ovs_ct_init_labels(struct nf_conn *ct, struct 
sw_flow_key *key,
 
/* Inherit the master's labels, if any. */
if (master_cl)
-   *cl = *master_cl;
+   memcpy(cl->bits, master_cl->bits, OVS_CT_LABELS_LEN);
 
if (have_mask) {
u32 *dst = (u32 *)cl->bits;
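Review bot: The memcpy() into cl->bits copies a fixed OVS_CT_LABELS_LEN bytes, yet the commit message says older kernels have variable-sized labels, and nothing in this hunk shows that both 'cl' and 'master_cl' hold at least that many bytes. Point to the place where the length is guaranteed, or check it here. A comment on the memcpy() line explaining why struct assignment is not used would also help, since the reason lives only in the commit message.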
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 1816b1a..c042773 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -3044,7 +3044,7 @@ dnl Non-REPLY/RELATED packets get the ACL lookup with the 
packet headers
 dnl in the actual packet direction in reg0 (IN=1, OUT=2).  REPLY packets
 dnl get the ACL lookup using the conntrack tuple and the inverted direction.
 dnl RELATED packets get ACL lookup using the conntrack tuple in the direction
-dnl of the master connection, as storted in ct_mark.
+dnl of the master connection, as stored in ct_label[0].
 dnl
 dnl Incoming non-related packet in the original direction (ACL IN)
 table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv 
action=set_field:1->reg0,resubmit(,3),goto_table:5
@@ -3056,7 +3056,7 @@ dnl Outgoing non-related reply packet (CT ACL IN)
 table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv 
action=set_field:1->reg0,resubmit(,3,ct),goto_table:4
 dnl
 dnl Related packet (CT ACL in the direction of the master connection.)
-table=1 ip, ct_state=+rel+trk-inv, 
action=move:NXM_NX_CT_MARK[[]]->NXM_NX_REG0[[]],resubmit(,3,ct),goto_table:4
+table=1 ip, ct_state=+rel+trk-inv, 
action=move:NXM_NX_CT_LABEL[[0]]->NXM_NX_REG0[[0]],resubmit(,3,ct),goto_table:4
 dnl Drop everything else.
 table=1 priority=0, action=drop
 dnl
@@ -3088,15 +3088,15 @@ table=5 reg2=0 priority=1000 action=drop
 dnl
 dnl Commit new incoming FTP control connections with SNAT range.  Must match on
 dnl 'tcp' when setting 'alg=ftp'.  Store the directionality of non-related
-dnl connections to ct_mark.  Store the rule ID to labels.
-table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, 
action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
+dnl connections to ct_label[0]  Store the rule ID to ct_label[96..127].
+table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, 
action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
 dnl Commit other new incoming non-related IP connections with SNAT range.
-table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, 
action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
+table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, 
action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
 dnl Commit non-related outgoing new IP connections with DNAT range.
 dnl (This should not get any packets in this test.)
-table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, 
action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0..31]]->NXM_NX_CT_MARK[[0..31]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
+table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, 
action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
 dnl Commit new related connections in either direction, which need 'nat'
-dnl and which inherit the mark (the direction of the original direction
+dnl and which inherit the label (the direction of the original direction
 dnl master tuple) from the master connection.
 table=5 priority=10 reg2=1 ct_state=+new+rel, ip, 
action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
 dnl
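Review bot: The commit rules now store only NXM_NX_REG3[[0]] in NXM_NX_CT_LABEL[[0]], but the rule matching reg3=2 has bit 0 clear, so the related-packet rule that moves CT_LABEL[[0]] back into REG0[[0]] would produce reg0=0 rather than the OUT=2 value the comments describe. If a single bit is intended, say in the dnl comment how IN and OUT are encoded in it. The rewritten comment also lost the full stop after "ct_label[0]".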
@@ -3122,8 +3122,8 @@ table=10 priority=100 arp xreg0=0 action=normal
 table=10 
priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OX
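
Why the struct assignment on the removed line does not carry the labels over, as an added example that is not part of the patch or of the kernel sources: struct labels is a hypothetical user-space model of the variable-sized layout the commit message describes, and LABELS_LEN stands in for OVS_CT_LABELS_LEN. The length check in inherit_by_memcpy() is an addition of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LABELS_LEN 16   /* bytes of label data; stands in for OVS_CT_LABELS_LEN */

/* Hypothetical model of a variable-sized label extension: the struct proper
 * holds only the length, and the label bits follow in the same allocation. */
struct labels {
    uint8_t words;          /* number of unsigned longs in bits[] */
    unsigned long bits[];   /* flexible array member, not counted by sizeof */
};

static struct labels *labels_alloc(size_t n_bytes)
{
    size_t words = n_bytes / sizeof(unsigned long);
    struct labels *l = calloc(1, sizeof *l + words * sizeof l->bits[0]);

    if (l) {
        l->words = (uint8_t)words;
    }
    return l;
}

static size_t labels_bytes(const struct labels *l)
{
    return l->words * sizeof l->bits[0];
}

/* The '-' line: struct assignment copies sizeof(struct labels) bytes, that
 * is the length field and its padding, and none of bits[]. */
static void inherit_by_assignment(struct labels *cl, const struct labels *master)
{
    *cl = *master;
}

/* The '+' line, plus a length check so that a short allocation is refused
 * instead of being overrun. */
static int inherit_by_memcpy(struct labels *cl, const struct labels *master)
{
    if (labels_bytes(cl) < LABELS_LEN || labels_bytes(master) < LABELS_LEN) {
        return -1;
    }
    memcpy(cl->bits, master->bits, LABELS_LEN);
    return 0;
}

/* Returns 1 if the child ends up with the master's label bytes. */
int child_inherits(int use_memcpy)
{
    struct labels *master = labels_alloc(LABELS_LEN);
    struct labels *cl = labels_alloc(LABELS_LEN);
    int same = 0;

    if (master && cl) {
        int rc = 0;

        memset(master->bits, 0xa5, LABELS_LEN);   /* constructed label value */
        if (use_memcpy) {
            rc = inherit_by_memcpy(cl, master);
        } else {
            inherit_by_assignment(cl, master);
        }
        same = rc == 0 && memcmp(cl->bits, master->bits, LABELS_LEN) == 0;
    }
    free(master);
    free(cl);
    return same;
}

/* Returns 1 if a child with room for only half the labels is refused. */
int short_child_refused(void)
{
    struct labels *master = labels_alloc(LABELS_LEN);
    struct labels *cl = labels_alloc(LABELS_LEN / 2);
    int refused = master && cl && inherit_by_memcpy(cl, master) == -1;

    free(master);
    free(cl);
    return refused;
}

int main(void)
{
    printf("assignment inherits labels: %d\n", child_inherits(0));
    printf("memcpy inherits labels:     %d\n", child_inherits(1));
    printf("short child refused:        %d\n", short_child_refused());
    return 0;
}
```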

Re: [ovs-dev] [PATCH] ovs-ofctl: Document reset_counts, no_packet_counts, no_byte_counts.

2017-03-30 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Mar 30, 2017, at 8:55 AM, Ben Pfaff <b...@ovn.org> wrote:
> 
> Signed-off-by: Ben Pfaff <b...@ovn.org>
> ---
> utilities/ovs-ofctl.8.in | 31 +--
> 1 file changed, 29 insertions(+), 2 deletions(-)
> 
> diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
> index 8a3ba0279d7a..e7722a83a9fd 100644
> --- a/utilities/ovs-ofctl.8.in
> +++ b/utilities/ovs-ofctl.8.in
> @@ -393,8 +393,10 @@ or timeouts differ in \fIfile\fR.
> .IP
> With \fB\-\-readd\fR, \fBovs\-ofctl\fR adds all the flows from
> \fIfile\fR, even those that exist with the same actions, cookie, and
> -timeout in \fIswitch\fR.  This resets all the flow packet and byte
> -counters to 0, which can be useful for debugging.
> +timeout in \fIswitch\fR.  In OpenFlow 1.0 and 1.1, re-adding a flow
> +always resets the flow's packet and byte counters to 0, and in
> +OpenFlow 1.2 and later, it does so only if the \fBreset_counts\fR flag
> +is set.
> .
> .IP "\fBdiff\-flows \fIsource1 source2\fR"
> Reads flow entries from \fIsource1\fR and \fIsource2\fR and prints the
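Review bot: The rewritten --readd paragraph says that in OpenFlow 1.2 and later the counters are reset only if the reset_counts flag is set, but it does not say whether --readd sets that flag itself, so the reader cannot tell whether --readd still resets counters on those versions. One more sentence would settle it. The dropped remark that resetting counters "can be useful for debugging" may also be worth keeping.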
> @@ -1818,6 +1820,31 @@ Forces the switch to check that the flow match does 
> not overlap that
> of any different flow with the same priority in the same table.  (This
> check is expensive so it is best to avoid it.)
> .
> +.IP "\fBreset_counts\fR"
> +When this flag is specified on a flow being added to a switch, and the
> +switch already has a flow with an identical match, an OpenFlow 1.2 (or
> +later) switch resets the flow's packet and byte counters to 0.
> +Without the flag, the packet and byte counters are preserved.
> +.IP
> +OpenFlow 1.0 and 1.1 switches always reset counters in this situation,
> +as if \fBreset_counts\fR were always specified.
> +.IP
> +Open vSwitch 1.10 added support for \fBreset_counts\fR.
> +.
> +.IP "\fBno_packet_counts\fR"
> +.IQ "\fBno_byte_counts\fR"
> +Adding these flags to a flow advises an OpenFlow 1.3 (or later) switch
> +that the controller does not need packet or byte counters,
> +respectively, for the flow.  Some switch implementations might achieve
> +higher performance or reduce resource consumption when these flags are
> +used.  These flags provide no benefit to the Open vSwitch software
> +switch implementation.
> +.IP
> +OpenFlow 1.2 and earlier do not support these flags.
> +.IP
> +Open vSwitch 1.10 added support for \fBno_packet_counts\fR and
> +\fBno_byte_counts\fR.
> +.
> .PP
> The \fBdump\-flows\fR, \fBdump\-aggregate\fR, \fBdel\-flow\fR 
> and \fBdel\-flows\fR commands support these additional optional fields:
> -- 
> 2.10.2
> 



Re: [ovs-dev] [PATCH 2/2] conntrack: Add formatting support for IGMP, DCCP, and UDPLITE.

2017-03-28 Thread Jarno Rajahalme

> On Mar 28, 2017, at 3:17 PM, Joe Stringer <j...@ovn.org> wrote:
> 
> On 28 March 2017 at 13:43, Jarno Rajahalme <ja...@ovn.org> wrote:
>> Print names for protocols that are supported by (Linux) conntrack
>> (DCCP, UDPLITE) and IGMP, which has been seen in logs.
>> 
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> 
> Acked-by: Joe Stringer <j...@ovn.org>

Thanks for the reviews, series pushed to master, branch-2.7, and branch-2.6.

  Jarno


[ovs-dev] [PATCH 2/2] conntrack: Add formatting support for IGMP, DCCP, and UDPLITE.

2017-03-28 Thread Jarno Rajahalme
Print names for protocols that are supported by (Linux) conntrack
(DCCP, UDPLITE) and IGMP, which has been seen in logs.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 lib/ct-dpif.c |  3 +++
 lib/packets.h | 12 
 2 files changed, 15 insertions(+)

diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index 2cdecf6..8f0b4ed 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -202,6 +202,9 @@ ct_dpif_format_ipproto(struct ds *ds, uint16_t ipproto)
 : (ipproto == IPPROTO_TCP) ? "tcp"
 : (ipproto == IPPROTO_UDP) ? "udp"
 : (ipproto == IPPROTO_SCTP) ? "sctp"
+: (ipproto == IPPROTO_UDPLITE) ? "udplite"
+: (ipproto == IPPROTO_DCCP) ? "dccp"
+: (ipproto == IPPROTO_IGMP) ? "igmp"
 : NULL;
 
 if (name) {
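Review bot: in ct_dpif_format_ipproto() the ?: chain gains three more arms, and every further protocol will add another. A switch on ipproto, or a small static table of number/name pairs, would read better and be easier to extend. The visible arms (tcp, udp, sctp, udplite, dccp, igmp) also follow no single order; sorting them by protocol number or by name would make omissions easier to spot.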
diff --git a/lib/packets.h b/lib/packets.h
index a5a483b..a4de7a5 100644
--- a/lib/packets.h
+++ b/lib/packets.h
@@ -591,6 +591,18 @@ char *ip_parse_cidr_len(const char *s, int *n, ovs_be32 
*ip,
 #define IPPROTO_SCTP 132
 #endif
 
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+
+#ifndef IPPROTO_IGMP
+#define IPPROTO_IGMP 2
+#endif
+
+#ifndef IPPROTO_UDPLITE
+#define IPPROTO_UDPLITE 136
+#endif
+
 /* TOS fields. */
 #define IP_ECN_NOT_ECT 0x0
 #define IP_ECN_ECT_1 0x01
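Review bot: the three fallback defines added to lib/packets.h carry no comment on where the numbers come from or when the fallback is taken. A one-line comment above the group, saying that these are the assigned IP protocol numbers and are only defined here when the system headers lack them, would match the intent of the existing IPPROTO_SCTP guard and make the values easy to verify.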
-- 
2.1.4



[ovs-dev] [PATCH 1/2] netlink-conntrack: Change unsupported IPPROTO log to debug.

2017-03-28 Thread Jarno Rajahalme
No point littering the logs with messages on an unsupported protocol,
so change the log to debug level.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 lib/netlink-conntrack.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/netlink-conntrack.c b/lib/netlink-conntrack.c
index 8b82db2..f0e2aea 100644
--- a/lib/netlink-conntrack.c
+++ b/lib/netlink-conntrack.c
@@ -463,8 +463,8 @@ nl_ct_parse_tuple_proto(struct nlattr *nla, struct 
ct_dpif_tuple *tuple)
 tuple->dst_port = nl_attr_get_be16(attrs[CTA_PROTO_DST_PORT]);
 } else {
 /* Unsupported IPPROTO and no ports, leave them zeroed.
- * We have parsed the ip_proto, so this is not a total failure. */
-VLOG_INFO_RL(, "Unsupported L4 protocol: %u.", tuple->ip_proto);
+ * We have parsed the ip_proto, so this is not a failure. */
+VLOG_DBG_RL(, "Unsupported L4 protocol: %u.", tuple->ip_proto);
 }
 } else {
 VLOG_ERR_RL(, "Could not parse nested tuple protocol options. "
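Review bot: in the else branch of nl_ct_parse_tuple_proto() the comment now says this is not a failure, but the message text is still "Unsupported L4 protocol: %u.", which reads like an error to anyone who turns debug logging on. Consider wording that states what the code did, for example that the ports are left zeroed for protocol %u, so the log line and the comment agree.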
-- 
2.1.4



Re: [ovs-dev] [PATCH] meta-flow: Remove metadata prerequisite on ether type.

2017-03-24 Thread Jarno Rajahalme
Ben & Numan,

Thanks for the reviews, pushed to master.

  Jarno

> On Mar 24, 2017, at 11:06 AM, Ben Pfaff <b...@ovn.org> wrote:
> 
> On Wed, Mar 22, 2017 at 04:48:07PM -0700, Jarno Rajahalme wrote:
>> Conntrack original direction tuple fields depend on the conntrack
>> state and the type of the packet that was tracked.  These dependencies
>> were encoded as OpenFlow prerequisites in commit daf4d3c18da4 ("odp:
>> Support conntrack orig tuple key.").  However, having a prerequisite
>> from a metadata field to a packet header turned out to be problematic,
>> since sometimes we are decoding metadata fields alone, so that the
>> packet type field is not available.
>> 
>> The reason for the packet type dependency is that the IP addresses in
>> the original direction tuple can be either IPv4 or IPv6 addresses, and
>> it would be invalid to match on IPv4 original direction tuple
>> addresses for an IPv6 packet and vice versa.  Upon closer look,
>> however, allowing this kind of mismatched match only causes the flow
>> to never match anything, rather than causing more severe problems.
>> 
>> This patch removes the formal prerequisite on the packet type, but
>> replaces that with an explicit check for the mismatch on flow install.
>> This way we can still return an error to the controller if it tries to
>> install a mismatched flow.
>> 
>> Reported-by: Dong Jun <do...@dtdream.com>
>> Reported-at: 
>> https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/330052.html
>> Fixes: 7befb20d0f70 ("nx-match: Fix oxm decode.")
>> Fixes: daf4d3c18da4 ("odp: Support conntrack orig tuple key.")
>> Suggested-by: Numan Siddique <nusid...@redhat.com>
>> Suggested-by: Ben Pfaff <b...@ovn.org>
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> 
> This seems reasonable to me.
> 
> Acked-by: Ben Pfaff <b...@ovn.org>



Re: [ovs-dev] [PATCH 3/3] ofproto-dpif-xlate.c: Include controller traffic for NetFlow.

2017-03-23 Thread Jarno Rajahalme

> On Mar 22, 2017, at 11:26 PM, Justin Pettit <jpet...@ovn.org> wrote:
> 
> The code previously did not include packets forwarded to the controller
> in NetFlow, as it considered this control traffic.  That is debatable for
> deployments where the first packet of every flow is sent to the
> controller for a forwarding decision that may eventually be executed on
> the switch.
> 

This argues for including controller packets in NetFlow...

> However, we are starting to send more traffic to local controllers for
> non-forwarding purposes such as logging.  These packets are already
> being forwarded and only copies are being sent to the controller,

and this seems to be arguing for the status quo (why should logging copies be 
included in NetFlow?)...

> so not
> accounting for them will incorrectly under-report NetFlow statistics.
> 

But this then concludes that we must account them anyway.

Maybe you mean that even though a copy of the packet is being sent to 
controller (maybe for logging purposes), we should still NetFlow the original 
(upcalled) packet. If so:

Acked-by: Jarno Rajahalme <ja...@ovn.org>


> Signed-off-by: Justin Pettit <jpet...@ovn.org>
> ---
> ofproto/ofproto-dpif-xlate.c | 8 ++--
> 1 file changed, 2 insertions(+), 6 deletions(-)
> 
> diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
> index 7df92e58dcf5..6b7a4fe51072 100644
> --- a/ofproto/ofproto-dpif-xlate.c
> +++ b/ofproto/ofproto-dpif-xlate.c
> @@ -6464,12 +6464,8 @@ xlate_actions(struct xlate_in *xin, struct xlate_out 
> *xout)
> ctx.xout->slow |= SLOW_ACTION;
> }
> 
> -/* Do netflow only for packets on initial reception, that are not sent to
> - * the controller.  We consider packets sent to the controller to be part
> - * of the control plane rather than the data plane. */
> -if (!xin->frozen_state
> -&& xbridge->netflow
> -&& !(xout->slow & SLOW_CONTROLLER)) {
> +/* Update NetFlow for non-frozen traffic. */
> +if (xbridge->netflow && !xin->frozen_state) {
> if (ctx.xin->resubmit_stats) {
> netflow_flow_update(xbridge->netflow, flow,
> ctx.nf_output_iface,
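Review bot: the replacement comment "Update NetFlow for non-frozen traffic." drops the rationale that the old three-line comment carried, and nothing in xlate_actions() now tells the reader that packets with SLOW_CONTROLLER set are counted on purpose. A sentence in the comment saying that controller-bound packets are included because they may be copies of traffic that is also forwarded (the reasoning in the commit message) would keep someone from re-adding the check later.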
> -- 
> 2.7.4
> 


Re: [ovs-dev] [PATCH 2/3] ofproto-dpif-rid: Update comment for recirc_alloc_id__().

2017-03-23 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Mar 22, 2017, at 11:26 PM, Justin Pettit <jpet...@ovn.org> wrote:
> 
> The hash is not recomputed if it is passed in as 0.
> 
> Signed-off-by: Justin Pettit <jpet...@ovn.org>
> ---
> ofproto/ofproto-dpif-rid.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/ofproto/ofproto-dpif-rid.c b/ofproto/ofproto-dpif-rid.c
> index d27669ef1f68..9381dee61404 100644
> --- a/ofproto/ofproto-dpif-rid.c
> +++ b/ofproto/ofproto-dpif-rid.c
> @@ -216,8 +216,7 @@ frozen_state_free(struct frozen_state *state)
> 
> /* Allocate a unique recirculation id for the given set of flow metadata.
>  * The ID space is 2^^32, so there should never be a situation in which all
> - * the IDs are used up.  We loop until we find a free one.
> - * hash is recomputed if it is passed in as 0. */
> + * the IDs are used up.  We loop until we find a free one. */
> static struct recirc_id_node *
> recirc_alloc_id__(const struct frozen_state *state, uint32_t hash)
> {
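Review bot: with the stale sentence removed, the comment above recirc_alloc_id__() no longer mentions the 'hash' parameter at all. Since the commit message says the hash is not recomputed when it is passed in as 0, the comment should state what the caller is expected to pass in 'hash'. The "2^^32" in the unchanged line above could be corrected in the same pass.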
> -- 
> 2.7.4
> 


Re: [ovs-dev] [PATCH 1/3] ofproto-dpif: Update handle_action() comment.

2017-03-23 Thread Jarno Rajahalme
Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Mar 22, 2017, at 11:26 PM, Justin Pettit <jpet...@ovn.org> wrote:
> 
> The comment didn't mention the SLOW_LLDP and SLOW_ACTION reasons.
> 
> Signed-off-by: Justin Pettit <jpet...@ovn.org>
> ---
> ofproto/ofproto-dpif-upcall.c | 7 +--
> 1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
> index 07086ee385cc..158d65eecefa 100644
> --- a/ofproto/ofproto-dpif-upcall.c
> +++ b/ofproto/ofproto-dpif-upcall.c
> @@ -1352,12 +1352,15 @@ handle_upcalls(struct udpif *udpif, struct upcall 
> *upcalls,
> 
> /* Handle the packets individually in order of arrival.
>  *
> - *   - For SLOW_CFM, SLOW_LACP, SLOW_STP, and SLOW_BFD, translation is 
> what
> - * processes received packets for these protocols.
> + *   - For SLOW_CFM, SLOW_LACP, SLOW_STP, SLOW_BFD, and SLOW_LLDP,
> + * translation is what processes received packets for these
> + * protocols.
>  *
>  *   - For SLOW_CONTROLLER, translation sends the packet to the OpenFlow
>  * controller.
>  *
> + *   - For SLOW_ACTION, translation executes the actions directly.
> + *
>  * The loop fills 'ops' with an array of operations to execute in the
>  * datapath. */
> n_ops = 0;
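Review bot: the subject line names handle_action(), but the hunk header places this comment in handle_upcalls(); the subject should name the function that is actually touched. In the new SLOW_ACTION bullet, "translation executes the actions directly" is terse next to the other bullets; saying where the actions are executed would bring it to the same level of detail.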
> -- 
> 2.7.4
> 


Re: [ovs-dev] [PATCH] Decode the NXT_RESUME message with a loose match.

2017-03-23 Thread Jarno Rajahalme

> On Mar 22, 2017, at 9:05 PM, Numan Siddique <nusid...@redhat.com> wrote:
> 
> 
> 
> On Thu, Mar 23, 2017 at 5:19 AM, Jarno Rajahalme <ja...@ovn.org 
> <mailto:ja...@ovn.org>> wrote:
> On Mar 22, 2017, at 1:49 PM, Jarno Rajahalme <ja...@ovn.org 
> <mailto:ja...@ovn.org>> wrote:
> >
> >
> >> On Mar 22, 2017, at 1:43 PM, Ben Pfaff <b...@ovn.org 
> >> <mailto:b...@ovn.org>> wrote:
> >>
> >> On Wed, Mar 22, 2017 at 01:40:10PM -0700, Jarno Rajahalme wrote:
> >>>
> >>>> On Mar 22, 2017, at 1:21 PM, Ben Pfaff <b...@ovn.org 
> >>>> <mailto:b...@ovn.org>> wrote:
> >>>>
> >>>> On Wed, Mar 22, 2017 at 09:30:36PM +0530, nusid...@redhat.com 
> >>>> <mailto:nusid...@redhat.com> wrote:
> >>>>> From: Numan Siddique <nusid...@redhat.com <mailto:nusid...@redhat.com>>
> >>>>>
> >>>>> When ovs-vswitchd sends the NX_PACKET_IN2 message, it may not
> >>>>> encode ETH_TYPE of the packet. And with the commit daf4d3c18da
> >>>>> ("odp: Support conntrack orig tuple key."), the conntrack fields
> >>>>> are encoded, if set. After the commit 7befb20d0f70
> >>>>> ("nx-match: Fix oxm decode."), ovs-vswitchd is sending OFPBMC_BAD_PREREQ
> >>>>> message to the controller for the resumed packets (having conntrack
> >>>>> fields).
> >>>>>
> >>>>> With the loose match criteria set to false when
> >>>>> ofputil_decode_packet_in_private() is called, the prerequisite check
> >>>>> for the mf field "ct_nw_src" is failing as ETH_TYPE is not set.
> >>>>
> >>>> The original design for NXT_RESUME was that the switch would only be
> >>>> decoding a flow that it had itself decoded and therefore any failure to
> >>>> decode is a bug.  I don't think this design has changed (although I'm
> >>>> happy to be corrected) so you may be pointing out a bug that we should
> >>>> fix by fixing the flow encoder or decoder.
> >>>
> >>> OVS still gets back only (metadata) fields that it itself sent. The issue 
> >>> is that ETH_TYPE is not metadata, hence it is not encoded as part of 
> >>> metadata. The root of the problem is that I made the conntrack original 
> >>> direction tuple (which is metadata) to have the packet’s ether type as a 
> >>> prerequisite. Even if the controller would send down exactly the same 
> >>> metadata as OVS sent out, the controller may still be allowed to do 
> >>> whatever with the packet, for example, add MPLS headers, thus changing 
> >>> the packet to not be an IP packet any more. In this scenario the 
> >>> conntrack original direction tuple (and conntrack state in general) 
> >>> becomes suspect, as an MPLS packet is untrackable by conntrack.
> >>>
> >>> Maybe we should make the NXT_RESUME decoder clear out conntrack metadata 
> >>> if the packet is not an IP packet (anymore), or if IPv4 metadata is 
> >>> present on an IPv6 packet or the other way around? To do this we could 
> >>> make the decoding loose as proposed here, but then explicitly check the 
> >>> packet type and clear the conntrack metadata if needed. No other metadata 
> >>> has any prerequisites, and if the controller happened to add metadata 
> >>> that OVS does not understand it might be OK to ignore those.
> >>
> >> Do we think that the prerequisite on the conntrack metadata is a
> >> valuable one?  If it is not, then it would be simple to eliminate the
> >> prerequisite.
> >
> > I’ll look into relaxing that. However, for the kernel datapath this 
> > prerequisite is essential, and we need to be sure we are not sending down 
> > flows that match on conntrack original direction tuple for non-IP or 
> > mismatched IP packets.
> >
> 
> I just posted a patch:
> 
> https://patchwork.ozlabs.org/patch/742385/ 
> <https://patchwork.ozlabs.org/patch/742385/>
> 
> 
> 
> Thanks for the patch. I tested it and it is fixing the issue.
> 

Thanks for testing! Maybe Ben could look over the general approach in this 
patch?

  Jarno

> Numan
>  
> >  Jarno
> >



Re: [ovs-dev] [PATCH] mirror: Allow concurrent lookups.

2017-03-22 Thread Jarno Rajahalme

> On Mar 8, 2017, at 4:15 PM, Ben Pfaff <b...@ovn.org> wrote:
> 
> On Tue, Feb 21, 2017 at 07:44:02PM -0800, Jarno Rajahalme wrote:
>> Handler threads use a selection of mirror functions with the
>> assumption that the data referred to is RCU protected, while the
>> implementation has not provided for this, which can lead to an OVS
>> crash.
>> 
>> This patch fixes this by making the mbundle lookup RCU-safe by using
>> cmap instead of hmap and postponing mbundle memory free, as well as
>> postponing the frees of the mirrors and the vlan bitmaps of each
>> mirror.
>> 
>> Note that mirror stats update is still not accurate if multiple
>> threads do it simultaneously.
>> 
>> A less complete version of this patch (using cmap and RCU postpone
>> just for the mbridge itself) was tested by Yunjian Wang and was found
>> to fix the observed crash when running a script that adds and deletes
>> a port repeatedly.
>> 
>> Reported-by: Yunjian Wang <wangyunj...@huawei.com>
>> Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
> 
> The mirror code doesn't give me much confidence regarding concurrency,
> even after this patch, but it does seem to be an improvement.
> 
> Acked-by: Ben Pfaff <b...@ovn.org>

Thanks for the review!

Pushed to branches master, branch-2.7, and branch-2.6.

  Jarno



Re: [ovs-dev] [PATCH] Decode the NXT_RESUME message with a loose match.

2017-03-22 Thread Jarno Rajahalme
On Mar 22, 2017, at 1:49 PM, Jarno Rajahalme <ja...@ovn.org> wrote:
> 
> 
>> On Mar 22, 2017, at 1:43 PM, Ben Pfaff <b...@ovn.org> wrote:
>> 
>> On Wed, Mar 22, 2017 at 01:40:10PM -0700, Jarno Rajahalme wrote:
>>> 
>>>> On Mar 22, 2017, at 1:21 PM, Ben Pfaff <b...@ovn.org> wrote:
>>>> 
>>>> On Wed, Mar 22, 2017 at 09:30:36PM +0530, nusid...@redhat.com wrote:
>>>>> From: Numan Siddique <nusid...@redhat.com>
>>>>> 
>>>>> When ovs-vswitchd sends the NX_PACKET_IN2 message, it may not
>>>>> encode ETH_TYPE of the packet. And with the commit daf4d3c18da
>>>>> ("odp: Support conntrack orig tuple key."), the conntrack fields
>>>>> are encoded, if set. After the commit 7befb20d0f70
>>>>> ("nx-match: Fix oxm decode."), ovs-vswitchd is sending OFPBMC_BAD_PREREQ
>>>>> message to the controller for the resumed packets (having conntrack
>>>>> fields).
>>>>> 
>>>>> With the loose match criteria set to false when
>>>>> ofputil_decode_packet_in_private() is called, the prerequisite check
>>>>> for the mf field "ct_nw_src" is failing as ETH_TYPE is not set.
>>>> 
>>>> The original design for NXT_RESUME was that the switch would only be
>>>> decoding a flow that it had itself decoded and therefore any failure to
>>>> decode is a bug.  I don't think this design has changed (although I'm
>>>> happy to be corrected) so you may be pointing out a bug that we should
>>>> fix by fixing the flow encoder or decoder.
>>> 
>>> OVS still gets back only (metadata) fields that it itself sent. The issue 
>>> is that ETH_TYPE is not metadata, hence it is not encoded as part of 
>>> metadata. The root of the problem is that I made the conntrack original 
>>> direction tuple (which is metadata) to have the packet’s ether type as a 
>>> prerequisite. Even if the controller would send down exactly the same 
>>> metadata as OVS sent out, the controller may still be allowed to do 
>>> whatever with the packet, for example, add MPLS headers, thus changing the 
>>> packet to not be an IP packet any more. In this scenario the conntrack 
>>> original direction tuple (and conntrack state in general) becomes suspect, 
>>> as an MPLS packet is untrackable by conntrack.
>>> 
>>> Maybe we should make the NXT_RESUME decoder clear out conntrack metadata if 
>>> the packet is not an IP packet (anymore), or if IPv4 metadata is present on 
>>> an IPv6 packet or the other way around? To do this we could make the 
>>> decoding loose as proposed here, but then explicitly check the packet type 
>>> and clear the conntrack metadata if needed. No other metadata has any 
>>> prerequisites, and if the controller happened to add metadata that OVS does 
>>> not understand it might be OK to ignore those.
>> 
>> Do we think that the prerequisite on the conntrack metadata is a
>> valuable one?  If it is not, then it would be simple to eliminate the
>> prerequisite.
> 
> I’ll look into relaxing that. However, for the kernel datapath this 
> prerequisite is essential, and we need to be sure we are not sending down 
> flows that match on conntrack original direction tuple for non-IP or 
> mismatched IP packets.
> 

I just posted a patch:

https://patchwork.ozlabs.org/patch/742385/

>  Jarno
> 



[ovs-dev] [PATCH] meta-flow: Remove metadata prerequisite on ether type.

2017-03-22 Thread Jarno Rajahalme
Conntrack original direction tuple fields depend on the conntrack
state and the type of the packet that was tracked.  These dependencies
were encoded as OpenFlow prerequisites in commit daf4d3c18da4 ("odp:
Support conntrack orig tuple key.").  However, having a prerequisite
from a metadata field to a packet header turned out to be problematic,
since sometimes we are decoding metadata fields alone, so that the
packet type field is not available.

The reason for the packet type dependency is that the IP addresses in
the original direction tuple can be either IPv4 or IPv6 addresses, and
it would be invalid to match on IPv4 original direction tuple
addresses for an IPv6 packet and vice versa.  Upon closer look,
however, allowing this kind of mismatched match only causes the flow
to never match anything, rather than causing more severe problems.

This patch removes the formal prerequisite on the packet type, but
replaces that with an explicit check for the mismatch on flow install.
This way we can still return an error to the controller if it tries to
install a mismatched flow.

Reported-by: Dong Jun <do...@dtdream.com>
Reported-at: 
https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/330052.html
Fixes: 7befb20d0f70 ("nx-match: Fix oxm decode.")
Fixes: daf4d3c18da4 ("odp: Support conntrack orig tuple key.")
Suggested-by: Numan Siddique <nusid...@redhat.com>
Suggested-by: Ben Pfaff <b...@ovn.org>
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 build-aux/extract-ofp-fields|  2 --
 include/openvswitch/meta-flow.h | 10 --
 lib/meta-flow.c |  6 --
 lib/ofp-util.c  | 10 ++
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/build-aux/extract-ofp-fields b/build-aux/extract-ofp-fields
index a26d558..af7c69b 100755
--- a/build-aux/extract-ofp-fields
+++ b/build-aux/extract-ofp-fields
@@ -45,8 +45,6 @@ PREREQS = {"none": "MFP_NONE",
"IPv6": "MFP_IPV6",
"IPv4/IPv6": "MFP_IP_ANY",
"CT": "MFP_CT_VALID",
-   "CTv4": "MFP_CTV4_VALID",
-   "CTv6": "MFP_CTV6_VALID",
"MPLS": "MFP_MPLS",
"TCP": "MFP_TCP",
"UDP": "MFP_UDP",
diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h
index 29ccadb..11852d2 100644
--- a/include/openvswitch/meta-flow.h
+++ b/include/openvswitch/meta-flow.h
@@ -772,7 +772,7 @@ enum OVS_PACKED_ENUM mf_field_id {
  * Type: be32.
  * Maskable: bitwise.
  * Formatting: IPv4.
- * Prerequisites: CTv4.
+ * Prerequisites: CT.
  * Access: read-only.
  * NXM: NXM_NX_CT_NW_SRC(120) since v2.8.
  * OXM: none.
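Review bot: after this change the field comment for NXM_NX_CT_NW_SRC lists only "Prerequisites: CT.", so the generated field documentation no longer tells a controller author that the field is meaningful only for IPv4 packets. Since the commit message says a mismatched match is now rejected at flow install, a sentence to that effect in the field description would keep the constraint discoverable. The same applies to the three following hunks for CT_NW_DST, CT_IPV6_SRC and CT_IPV6_DST.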
@@ -791,7 +791,7 @@ enum OVS_PACKED_ENUM mf_field_id {
  * Type: be32.
  * Maskable: bitwise.
  * Formatting: IPv4.
- * Prerequisites: CTv4.
+ * Prerequisites: CT.
  * Access: read-only.
  * NXM: NXM_NX_CT_NW_DST(121) since v2.8.
  * OXM: none.
@@ -810,7 +810,7 @@ enum OVS_PACKED_ENUM mf_field_id {
  * Type: be128.
  * Maskable: bitwise.
  * Formatting: IPv6.
- * Prerequisites: CTv6.
+ * Prerequisites: CT.
  * Access: read-only.
  * NXM: NXM_NX_CT_IPV6_SRC(122) since v2.8.
  * OXM: none.
@@ -829,7 +829,7 @@ enum OVS_PACKED_ENUM mf_field_id {
  * Type: be128.
  * Maskable: bitwise.
  * Formatting: IPv6.
- * Prerequisites: CTv6.
+ * Prerequisites: CT.
  * Access: read-only.
  * NXM: NXM_NX_CT_IPV6_DST(123) since v2.8.
  * OXM: none.
@@ -1824,8 +1824,6 @@ enum OVS_PACKED_ENUM mf_prereqs {
 MFP_ICMPV4,
 MFP_ICMPV6,
 MFP_CT_VALID,   /* Implies IPv4 or IPv6. */
-MFP_CTV4_VALID, /* MFP_CT_VALID and IPv4. */
-MFP_CTV6_VALID, /* MFP_CT_VALID and IPv6. */
 
 /* L2+L3+L4 requirements. */
 MFP_ND,
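Review bot: the surviving line "MFP_CT_VALID,   /* Implies IPv4 or IPv6. */" still describes a dependency on the packet type, which is what the commit message identifies as the problem for a metadata field. Please confirm whether is_ct_valid() looks at the ether type, and update or drop the comment if it no longer holds.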
diff --git a/lib/meta-flow.c b/lib/meta-flow.c
index 93fbc5b..6b97794 100644
--- a/lib/meta-flow.c
+++ b/lib/meta-flow.c
@@ -419,12 +419,6 @@ mf_are_prereqs_ok__(const struct mf_field *mf, const 
struct flow *flow,
 return is_ip_any(flow);
 case MFP_CT_VALID:
 return is_ct_valid(flow, mask, wc);
-case MFP_CTV4_VALID:
-return flow->dl_type == htons(ETH_TYPE_IP)
-&& is_ct_valid(flow, mask, wc);
-case MFP_CTV6_VALID:
-return flow->dl_type == htons(ETH_TYPE_IPV6)
-&& is_ct_valid(flow, mask, wc);
 case MFP_TCP:
 /* Matching !FRAG_LATER is not enforced (mask is not checked). */
 return is_tcp(flow, wc) && !(flow->nw_frag & FLOW_NW_FRAG_LATER);
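Review bot: removing the MFP_CTV4_VALID and MFP_CTV6_VALID cases from mf_are_prereqs_ok__() moves the IPv4/IPv6 consistency check out of the prerequisite machinery, yet the diffstat lists no file under tests/. A test that installs a flow matching ct_nw_src with an IPv6 ether type (and the reverse) and expects an error, plus one that decodes the conntrack metadata without an ether type present, would pin down both halves of the change.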
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index b2f96ea..54c83fa 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -1724,6 +1724,16 @@ ofputil_decode_f

Re: [ovs-dev] [PATCH] Decode the NXT_RESUME message with a loose match.

2017-03-22 Thread Jarno Rajahalme

> On Mar 22, 2017, at 1:21 PM, Ben Pfaff  wrote:
> 
> On Wed, Mar 22, 2017 at 09:30:36PM +0530, nusid...@redhat.com wrote:
>> From: Numan Siddique 
>> 
>> When ovs-vswitchd sends the NX_PACKET_IN2 message, it may not
>> encode ETH_TYPE of the packet. And with the commit daf4d3c18da
>> ("odp: Support conntrack orig tuple key."), the conntrack fields
>> are encoded, if set. After the commit 7befb20d0f70
>> ("nx-match: Fix oxm decode."), ovs-vswitchd is sending OFPBMC_BAD_PREREQ
>> message to the controller for the resumed packets (having conntrack
>> fields).
>> 
>> With the loose match criteria set to false when
>> ofputil_decode_packet_in_private() is called, the prerequisite check
>> for the mf field "ct_nw_src" is failing as ETH_TYPE is not set.
> 
> The original design for NXT_RESUME was that the switch would only be
> decoding a flow that it had itself decoded and therefore any failure to
> decode is a bug.  I don't think this design has changed (although I'm
> happy to be corrected) so you may be pointing out a bug that we should
> fix by fixing the flow encoder or decoder.

OVS still gets back only (metadata) fields that it itself sent. The issue is 
that ETH_TYPE is not metadata, hence it is not encoded as part of metadata. The 
root of the problem is that I made the conntrack original direction tuple 
(which is metadata) to have the packet’s ether type as a prerequisite. Even if 
the controller would send down exactly the same metadata as OVS sent out, the 
controller may still be allowed to do whatever with the packet, for example, 
add MPLS headers, thus changing the packet to not be an IP packet any more. In 
this scenario the conntrack original direction tuple (and conntrack state in 
general) becomes suspect, as an MPLS packet is untrackable by conntrack.

Maybe we should make the NXT_RESUME decoder clear out conntrack metadata if the 
packet is not an IP packet (anymore), or if IPv4 metadata is present on an IPv6 
packet or the other way around? To do this we could make the decoding loose as 
proposed here, but then explicitly check the packet type and clear the 
conntrack metadata if needed. No other metadata has any prerequisites, and if 
the controller happened to add metadata that OVS does not understand it might 
be OK to ignore those.

  Jarno
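
Added example, not part of this message and not OVS code: a sketch of the two checks discussed in this thread, namely rejecting at flow install a match whose original direction tuple addresses do not fit the ether type (the meta-flow patch message above), and clearing conntrack metadata on NXT_RESUME when the packet is no longer an IP packet of the matching family (the suggestion in this reply). The structs, function names and return values are assumptions made up for the sketch, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_TYPE_IP   0x0800
#define ETH_TYPE_IPV6 0x86dd
#define ETH_TYPE_MPLS 0x8847

/* Hypothetical stand-in for the original direction tuple addresses
 * (ct_nw_src/ct_nw_dst and ct_ipv6_src/ct_ipv6_dst); not the OVS structs. */
struct ct_orig_tuple {
    uint32_t nw_src, nw_dst;
    uint8_t ipv6_src[16], ipv6_dst[16];
};

/* Hypothetical conntrack metadata carried alongside a packet. */
struct ct_meta {
    uint32_t ct_state;
    struct ct_orig_tuple orig;
};

enum ct_family { CT_FAM_NONE, CT_FAM_V4, CT_FAM_V6, CT_FAM_BOTH };

static bool any_set(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i]) {
            return true;
        }
    }
    return false;
}

/* Address family of the non-zero fields of 't'.  Works on a match mask
 * (which fields are matched) and on values (which fields are present). */
static enum ct_family ct_tuple_family(const struct ct_orig_tuple *t)
{
    bool v4 = t->nw_src || t->nw_dst;
    bool v6 = any_set(t->ipv6_src, 16) || any_set(t->ipv6_dst, 16);

    return v4 && v6 ? CT_FAM_BOTH : v4 ? CT_FAM_V4 : v6 ? CT_FAM_V6
                                                        : CT_FAM_NONE;
}

static bool family_fits(uint16_t dl_type, enum ct_family fam)
{
    switch (fam) {
    case CT_FAM_NONE: return true;
    case CT_FAM_V4:   return dl_type == ETH_TYPE_IP;
    case CT_FAM_V6:   return dl_type == ETH_TYPE_IPV6;
    default:          return false;  /* IPv4 and IPv6 addresses at once. */
    }
}

/* Flow install: 'dl_type' is the ether type the flow matches exactly (0 if
 * wildcarded, an assumption of this sketch) and 'mask' says which tuple
 * addresses are matched.  Returns 0 if consistent, -1 on a mismatch. */
int check_flow_install(uint16_t dl_type, const struct ct_orig_tuple *mask)
{
    return family_fits(dl_type, ct_tuple_family(mask)) ? 0 : -1;
}

/* NXT_RESUME: metadata is decoded without prerequisites, then checked
 * against the ether type of the packet that came back.  Returns true if the
 * conntrack metadata could not be trusted and was zeroed. */
bool sanitize_resumed_ct(uint16_t dl_type, struct ct_meta *md)
{
    bool is_ip = dl_type == ETH_TYPE_IP || dl_type == ETH_TYPE_IPV6;

    if (is_ip && family_fits(dl_type, ct_tuple_family(&md->orig))) {
        return false;
    }
    memset(md, 0, sizeof *md);
    return true;
}

/* Constructed case: a flow that matches ct_nw_src (an IPv4 address). */
int demo_install(uint16_t dl_type)
{
    struct ct_orig_tuple mask;

    memset(&mask, 0, sizeof mask);
    mask.nw_src = UINT32_MAX;
    return check_flow_install(dl_type, &mask);
}

/* Constructed case: a tracked IPv4 packet comes back from the controller
 * with ether type 'dl_type'.  Returns ct_state after the clean-up. */
uint32_t demo_resume(uint16_t dl_type)
{
    struct ct_meta md;

    memset(&md, 0, sizeof md);
    md.ct_state = 0x21;             /* Constructed non-zero state bits. */
    md.orig.nw_src = 0x0a000001;    /* 10.0.0.1 */
    md.orig.nw_dst = 0x0a000002;    /* 10.0.0.2 */
    sanitize_resumed_ct(dl_type, &md);
    return md.ct_state;
}

int main(void)
{
    printf("install IPv4=%d IPv6=%d\n", demo_install(ETH_TYPE_IP),
           demo_install(ETH_TYPE_IPV6));
    printf("resume  IPv4=%#x MPLS=%#x\n", (unsigned) demo_resume(ETH_TYPE_IP),
           (unsigned) demo_resume(ETH_TYPE_MPLS));
    return 0;
}
```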



[ovs-dev] [PATCH] tests: Add test for CT action with setting labels.

2017-03-21 Thread Jarno Rajahalme
This test clearly demonstrates the bit order of labels in the OpenFlow
wire format.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 tests/ofp-actions.at | 5 +
 1 file changed, 5 insertions(+)

diff --git a/tests/ofp-actions.at b/tests/ofp-actions.at
index 6f9f5c1..11b3653 100644
--- a/tests/ofp-actions.at
+++ b/tests/ofp-actions.at
@@ -192,6 +192,11 @@  0018 2320 0007 001f 0001d604 f009
  0030 2320 0023 0003   FF 00  dnl
  0018 2320 0007 001f 0001d604 f009
 
+# 
actions=ct(commit,exec(load:0->NXM_NX_CT_LABEL[64..127],load:0x1d->NXM_NX_CT_LABEL[0..63]))
+ 0048 2320 0023 0001   FF 00  dnl
+ 0018 2320 0007 103f 0001d810     dnl
+ 0018 2320 0007 003f 0001d810    001d
+
 # bad OpenFlow10 actions: OFPBAC_BAD_SET_ARGUMENT
 & ofp_actions|WARN|cannot set CT fields outside of ct action
  0018 2320 0007 001f 0001d604 f009
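Review bot: the commit message says this test demonstrates the bit order of labels in the wire format, but the added lines carry only the action string and the hex. A short comment stating which of the two nested load actions corresponds to NXM_NX_CT_LABEL[0..63] and which to NXM_NX_CT_LABEL[64..127], and where the value 0x1d ends up, would let a reader see the bit order without decoding the hex by hand.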
-- 
2.1.4



Re: [ovs-dev] [PATCH] compiler: Use C11 build assertions with new enough GCC or Clang.

2017-03-16 Thread Jarno Rajahalme
LGTM with one question below,

Acked-by: Jarno Rajahalme <ja...@ovn.org>

> On Mar 16, 2017, at 2:04 PM, Ben Pfaff <b...@ovn.org> wrote:
> 
> Until now, the BUILD_ASSERT and BUILD_ASSERT_DECL macros have used OVS's
> home-grown build assertion strategy.  This commit switches them to using
> C11 build assertions with compilers that support them.  The semantics are
> the same, but C11 build assertions yield clearer error messages when they
> fail.
> 
> This commit also reorders the definitions a bit to make it easier to
> follow.
> 
> Signed-off-by: Ben Pfaff <b...@ovn.org>
> ---
> include/openvswitch/compiler.h | 28 +++-
> 1 file changed, 15 insertions(+), 13 deletions(-)
> 
> diff --git a/include/openvswitch/compiler.h b/include/openvswitch/compiler.h
> index 6e779f38fd16..0dc8636add33 100644
> --- a/include/openvswitch/compiler.h
> +++ b/include/openvswitch/compiler.h
> @@ -1,5 +1,5 @@
> /*
> - * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2016 Nicira, Inc.
> + * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2016, 2017 
> Nicira, Inc.
>  *
>  * Licensed under the Apache License, Version 2.0 (the "License");
>  * you may not use this file except in compliance with the License.
> @@ -236,26 +236,28 @@
> #define OVS_PREFETCH_WRITE(addr)
> #endif
> 
> -/* Build assertions. */
> +/* Build assertions.
> + *
> + * Use BUILD_ASSERT_DECL as a declaration or a statement, or BUILD_ASSERT as
> + * part of an expression. */
> #ifdef __CHECKER__
> #define BUILD_ASSERT(EXPR) ((void) 0)
> #define BUILD_ASSERT_DECL(EXPR) extern int (*build_assert(void))[1]
> -#elif !defined(__cplusplus)
> -/* Build-time assertion building block. */
> +#elif defined(__cplusplus)
> +#include 
> +#define BUILD_ASSERT BOOST_STATIC_ASSERT
> +#define BUILD_ASSERT_DECL BOOST_STATIC_ASSERT
> +#elif (__GNUC__ * 256 + __GNUC_MINOR__ >= 0x403 \
> +   || __has_extension(c_static_assert))
> +#define BUILD_ASSERT_DECL(EXPR) _Static_assert(EXPR, #EXPR)
> +#define BUILD_ASSERT(EXPR) (void) ({ _Static_assert(EXPR, #EXPR); })

Curly braces in a macro is a GCC feature, so is it possible that a compiler has 
the “c_static_assert” extension but not this one? I see that __has_extension() 
is defined as 0 if it is not defined, so if it is only ever defined for GCC or 
compatible compiler, then this question is moot.

  Jarno

> +#else
> #define BUILD_ASSERT__(EXPR) \
> sizeof(struct { unsigned int build_assert_failed : (EXPR) ? 1 : -1; })
> -
> -/* Build-time assertion for use in a statement context. */
> #define BUILD_ASSERT(EXPR) (void) BUILD_ASSERT__(EXPR)
> -
> -/* Build-time assertion for use in a declaration context. */
> #define BUILD_ASSERT_DECL(EXPR) \
> extern int (*build_assert(void))[BUILD_ASSERT__(EXPR)]
> -#else /* __cplusplus */
> -#include 
> -#define BUILD_ASSERT BOOST_STATIC_ASSERT
> -#define BUILD_ASSERT_DECL BOOST_STATIC_ASSERT
> -#endif /* __cplusplus */
> +#endif
> 
> #ifdef __GNUC__
> #define BUILD_ASSERT_GCCONLY(EXPR) BUILD_ASSERT(EXPR)
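Review bot: the new #elif tests "__GNUC__ * 256 + __GNUC_MINOR__ >= 0x403", i.e. GCC 4.3 or later, without saying why 4.3 is the cut-off. Please confirm that this is the first GCC release that accepts _Static_assert in C mode and record that in a comment next to the test; if the keyword arrived in a later release, the compilers in between would fail here instead of falling through to the BUILD_ASSERT__ fallback.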
> -- 
> 2.10.2
> 


[ovs-dev] [PATCH branch-2.7 25/25] lib: Indicate if netlink message had labels.

2017-03-15 Thread Jarno Rajahalme
Conntrack update events include labels only if they have changed.
Record the presence of labels in the netlink message to OVS internal
representation, so that the user may keep the old labels when an
update does not modify them.

Fixes: 6830a0c0e6bf ("netlink-conntrack: New module.")
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
---
 lib/ct-dpif.h   | 1 +
 lib/netlink-conntrack.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 5da3c2c..e8e159a 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -163,6 +163,7 @@ struct ct_dpif_entry {
 struct ct_dpif_protoinfo protoinfo;
 
 ovs_u128 labels;
+bool have_labels;
 uint32_t status;
 /* Timeout for this entry in seconds */
 uint32_t timeout;
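Review bot: the new 'have_labels' member of struct ct_dpif_entry has no comment, while the neighbouring 'timeout' member does. A one-line comment saying that 'labels' is meaningful only when 'have_labels' is true would document the contract that users of the struct now have to follow.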
diff --git a/lib/netlink-conntrack.c b/lib/netlink-conntrack.c
index aab5b1f..8b82db2 100644
--- a/lib/netlink-conntrack.c
+++ b/lib/netlink-conntrack.c
@@ -780,6 +780,7 @@ nl_ct_attrs_to_ct_dpif_entry(struct ct_dpif_entry *entry,
 entry->mark = ntohl(nl_attr_get_be32(attrs[CTA_MARK]));
 }
 if (attrs[CTA_LABELS]) {
+entry->have_labels = true;
 memcpy(>labels, nl_attr_get(attrs[CTA_LABELS]),
MIN(sizeof entry->labels, nl_attr_get_size(attrs[CTA_LABELS])));
 }
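Review bot: nl_ct_attrs_to_ct_dpif_entry() sets entry->have_labels to true when CTA_LABELS is present, but nothing in the visible lines sets it to false when the attribute is absent. Unless the entry is guaranteed to be zeroed before this function runs, a reused entry would keep a stale 'true'; an explicit else branch, or a note on where the entry is cleared, would make this safe.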
-- 
2.1.4
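
Added example, not part of the posted patch and not OVS code: how a monitor can use the have_labels flag described in the commit message to keep its cached labels across an update event that omits them. The {type, length, value} record format, the attribute numbers, and the struct and function names are assumptions made up for the sketch; the event bytes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CT_LABELS_LEN 16                    /* 128 bits of conntrack labels. */
enum { ATTR_STATUS = 1, ATTR_LABELS = 2 };  /* Hypothetical attribute types. */

/* Decoded event.  'labels' and 'have_labels' mirror the members the patch
 * touches in struct ct_dpif_entry; everything else is a stand-in. */
struct ct_event {
    uint32_t status;
    uint8_t labels[CT_LABELS_LEN];
    bool have_labels;
};

/* What a monitor remembers about one connection between events. */
struct ct_cached {
    uint32_t status;
    uint8_t labels[CT_LABELS_LEN];
};

/* Decodes {type, length, value} records, a simplified stand-in for netlink
 * attributes.  Returns false on a truncated record. */
bool ct_event_parse(const uint8_t *buf, size_t len, struct ct_event *ev)
{
    size_t off = 0;

    memset(ev, 0, sizeof *ev);      /* have_labels starts out false. */
    while (off < len) {
        if (len - off < 2) {
            return false;
        }
        uint8_t type = buf[off], alen = buf[off + 1];
        const uint8_t *val = buf + off + 2;

        if (alen > len - off - 2) {
            return false;
        }
        if (type == ATTR_STATUS && alen == 4) {
            ev->status = (uint32_t) val[0] << 24 | (uint32_t) val[1] << 16
                         | (uint32_t) val[2] << 8 | val[3];
        } else if (type == ATTR_LABELS) {
            /* Copy at most the 128 bits the entry can hold. */
            memcpy(ev->labels, val,
                   alen < CT_LABELS_LEN ? alen : CT_LABELS_LEN);
            ev->have_labels = true;
        }
        off += 2 + (size_t) alen;
    }
    return true;
}

/* Folds an event into the cache.  With 'honor_flag' false this behaves like
 * a consumer that cannot tell "no labels attribute" from "labels are zero":
 * the zeroed labels of an update overwrite the cached ones. */
void ct_cache_apply(struct ct_cached *c, const struct ct_event *ev,
                    bool honor_flag)
{
    c->status = ev->status;
    if (ev->have_labels || !honor_flag) {
        memcpy(c->labels, ev->labels, CT_LABELS_LEN);
    }
}

/* Constructed events: NEW carries labels (first byte 0x1d), UPDATE carries
 * only a changed status, as when the labels did not change. */
static const uint8_t EV_NEW[] = {
    ATTR_STATUS, 4, 0, 0, 0, 0x08,
    ATTR_LABELS, 16,
    0x1d, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0,
};
static const uint8_t EV_UPDATE[] = { ATTR_STATUS, 4, 0, 0, 0, 0x0e };

/* Replays NEW then UPDATE.  Returns the first label byte left in the cache,
 * or -1 if parsing failed or the status was not updated. */
int replay_first_label_byte(bool honor_flag)
{
    struct ct_cached c;
    struct ct_event ev;

    memset(&c, 0, sizeof c);
    if (!ct_event_parse(EV_NEW, sizeof EV_NEW, &ev)) {
        return -1;
    }
    ct_cache_apply(&c, &ev, honor_flag);
    if (!ct_event_parse(EV_UPDATE, sizeof EV_UPDATE, &ev)) {
        return -1;
    }
    ct_cache_apply(&c, &ev, honor_flag);
    return c.status == 0x0e ? c.labels[0] : -1;
}

int main(void)
{
    printf("with have_labels: %#x, without: %#x\n",
           (unsigned) replay_first_label_byte(true),
           (unsigned) replay_first_label_byte(false));
    return 0;
}
```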



[ovs-dev] [PATCH branch-2.7 19/25] datapath: Simplify labels length logic.

2017-03-15 Thread Jarno Rajahalme
Upstream commit:

commit b87cec3814ccc7f6afb0a1378ee7e5110d07cdd3
Author: Jarno Rajahalme <ja...@ovn.org>
Date:   Thu Feb 9 11:21:56 2017 -0800

openvswitch: Simplify labels length logic.

Since 23014011ba42 ("netfilter: conntrack: support a fixed size of 128
distinct labels"), the size of conntrack labels extension has been fixed to
128 bits, so we do not need to check for labels sizes shorter than 128
at run-time.  This patch simplifies labels length logic accordingly,
but allows the conntrack labels size to be increased in the future
without breaking the build.  In the event of conntrack labels
increasing in size OVS would still be able to deal with the 128 first
label bits.

Suggested-by: Joe Stringer <j...@ovn.org>
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Pravin B Shelar <pshe...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
---
 datapath/conntrack.c | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index b5c80be..2d095b8 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -145,22 +145,20 @@ static size_t ovs_ct_get_labels_len(struct nf_conn_labels 
*cl)
 #endif
 }
 
+/* Guard against conntrack labels max size shrinking below 128 bits. */
+#if NF_CT_LABELS_MAX_SIZE < 16
+#error NF_CT_LABELS_MAX_SIZE must be at least 16 bytes
+#endif
+
 static void ovs_ct_get_labels(const struct nf_conn *ct,
  struct ovs_key_ct_labels *labels)
 {
struct nf_conn_labels *cl = ct ? nf_ct_labels_find(ct) : NULL;
 
-   if (cl) {
-   size_t len = ovs_ct_get_labels_len(cl);
-
-   if (len > OVS_CT_LABELS_LEN)
-   len = OVS_CT_LABELS_LEN;
-   else if (len < OVS_CT_LABELS_LEN)
-   memset(labels, 0, OVS_CT_LABELS_LEN);
-   memcpy(labels, cl->bits, len);
-   } else {
+   if (cl)
+   memcpy(labels, cl->bits, OVS_CT_LABELS_LEN);
+   else
memset(labels, 0, OVS_CT_LABELS_LEN);
-   }
 }
 
 static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state,
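Review bot: the new `#if NF_CT_LABELS_MAX_SIZE < 16` guard hard-codes 16, while the memcpy() in ovs_ct_get_labels() that it protects reads `OVS_CT_LABELS_LEN` bytes from `cl->bits`. The two can drift apart; a compile-time assertion written in terms of OVS_CT_LABELS_LEN, placed next to the memcpy(), would keep the bound and the read length tied together. With the run-time length clamp removed, the unconditional copy relies entirely on that build-time check, which deserves a mention in the comment. Please also check whether ovs_ct_get_labels_len(), visible in the hunk header, still has a caller after this removal.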
-- 
2.1.4



[ovs-dev] [PATCH branch-2.7 23/25] nx-match: Fix oxm decode.

2017-03-15 Thread Jarno Rajahalme
From: Yi-Hung Wei <yihung@gmail.com>

decode_nx_packet_in2() may be used by the switch to parse NXT_RESUME messages,
where we need exact match on the oxm header. Therefore, change
oxm_decode_loose() to oxm_decode() that takes an extra argument to indicate
whether we want strict or loose match.

Fixes: 7befb20d0f70 ("ofp-util: Ignore unknown fields in ofputil_decode_packet_in2()")
Signed-off-by: Yi-Hung Wei <yihung@gmail.com>
Signed-off-by: Joe Stringer <j...@ovn.org>
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
---
 lib/nx-match.c | 10 +-
 lib/nx-match.h |  4 ++--
 lib/ofp-util.c |  5 ++---
 3 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/lib/nx-match.c b/lib/nx-match.c
index 2e62e99..43672cb 100644
--- a/lib/nx-match.c
+++ b/lib/nx-match.c
@@ -683,14 +683,14 @@ oxm_pull_match_loose(struct ofpbuf *b, const struct 
tun_table *tun_table,
  *
  * Returns 0 if successful, otherwise an OpenFlow error code.
  *
- * Encountering unknown OXM headers or missing field prerequisites are not
- * considered as error conditions.
+ * If 'loose' is true, encountering unknown OXM headers or missing field
+ * prerequisites are not considered as error conditions.
  */
 enum ofperr
-oxm_decode_match_loose(const void *oxm, size_t oxm_len,
-   const struct tun_table *tun_table, struct match *match)
+oxm_decode_match(const void *oxm, size_t oxm_len, bool loose,
+ const struct tun_table *tun_table, struct match *match)
 {
-return nx_pull_raw(oxm, oxm_len, false, match, NULL, NULL, tun_table);
+return nx_pull_raw(oxm, oxm_len, !loose, match, NULL, NULL, tun_table);
 }
 
 /* Verify an array of OXM TLVs treating value of each TLV as a mask,
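Review bot: oxm_decode_match() takes `bool loose` but immediately passes `!loose` as the `strict` argument of nx_pull_raw(), so the same decision is spelled with opposite polarity one call apart, which makes an inverted flag easy to miss in later edits. The updated comment also only says what happens when 'loose' is true; please state that with 'loose' false, unknown OXM headers and missing prerequisites are errors, since that is the behaviour the NXT_RESUME path depends on.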
diff --git a/lib/nx-match.h b/lib/nx-match.h
index cee9e65..e103dd5 100644
--- a/lib/nx-match.h
+++ b/lib/nx-match.h
@@ -61,8 +61,8 @@ enum ofperr oxm_pull_match(struct ofpbuf *, const struct 
tun_table *,
struct match *);
 enum ofperr oxm_pull_match_loose(struct ofpbuf *, const struct tun_table *,
  struct match *);
-enum ofperr oxm_decode_match_loose(const void *, size_t,
-   const struct tun_table *, struct match *);
+enum ofperr oxm_decode_match(const void *, size_t, bool,
+ const struct tun_table *, struct match *);
 enum ofperr oxm_pull_field_array(const void *, size_t fields_len,
  struct field_array *);
 
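Review bot: the new prototype `oxm_decode_match(const void *, size_t, bool, ...)` leaves the flag unnamed, so a reader of the header cannot tell whether true means strict or loose. Please name it `bool loose`, the way `fields_len` is named in oxm_pull_field_array() just below.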
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index 9e8d4d2..d315337 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -3397,9 +3397,8 @@ decode_nx_packet_in2(const struct ofp_header *oh, bool 
loose,
 }
 
 case NXPINT_METADATA:
-error = oxm_decode_match_loose(payload.msg,
-   ofpbuf_msgsize(),
-   tun_table, >flow_metadata);
+error = oxm_decode_match(payload.msg, ofpbuf_msgsize(),
+ loose, tun_table, >flow_metadata);
 break;
 
 case NXPINT_USERDATA:
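Review bot: at the NXPINT_METADATA case, the strictness of metadata decoding now depends entirely on the `loose` value each caller of decode_nx_packet_in2() passes, and the diffstat touches only lib/ sources. Please add a test that feeds an NXT_RESUME carrying an unknown OXM field and expects an error, so that a caller passing `true` by mistake is caught.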
-- 
2.1.4



[ovs-dev] [PATCH branch-2.7 22/25] ofp-util: Ignore unknown fields in ofputil_decode_packet_in2().

2017-03-15 Thread Jarno Rajahalme
The decoder of packet_in messages should not fail on encountering
unknown metadata fields.  This allows the switch to add new features
without breaking controllers.  The controllers should, however, copy
the metadata fields from the packet_in to packet_out so that the
switch gets back the full metadata.  OVN is already doing this.

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
---
 lib/nx-match.c | 25 -
 lib/nx-match.h |  4 ++--
 lib/ofp-util.c |  5 +++--
 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/lib/nx-match.c b/lib/nx-match.c
index 91401e2..2e62e99 100644
--- a/lib/nx-match.c
+++ b/lib/nx-match.c
@@ -504,6 +504,9 @@ nx_pull_match_entry(struct ofpbuf *b, bool allow_cookie,
 return 0;
 }
 
+/* Prerequisites will only be checked when 'strict' is 'true'.  This allows
+ * decoding conntrack original direction 5-tuple IP addresses without the
+ * ethertype being present, when decoding metadata only. */
 static enum ofperr
 nx_pull_raw(const uint8_t *p, unsigned int match_len, bool strict,
 struct match *match, ovs_be64 *cookie, ovs_be64 *cookie_mask,
@@ -539,7 +542,7 @@ nx_pull_raw(const uint8_t *p, unsigned int match_len, bool 
strict,
 *cookie = value.be64;
 *cookie_mask = mask.be64;
 }
-} else if (!mf_are_prereqs_ok(field, >flow, NULL)) {
+} else if (strict && !mf_are_prereqs_ok(field, >flow, NULL)) {
 error = OFPERR_OFPBMC_BAD_PREREQ;
 } else if (!mf_is_all_wild(field, >wc)) {
 error = OFPERR_OFPBMC_DUP_FIELD;
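Review bot: gating the prerequisite check on `strict` at `} else if (strict && !mf_are_prereqs_ok(...))` changes every caller that passes strict=false, not only the metadata-only decode named in the new comment above nx_pull_raw(). The updated comments on nx_pull_match_loose() and oxm_pull_match_loose() later in this patch confirm that they now skip prerequisites as well. Please confirm that none of the loose callers produce a match that is later installed or acted on without re-validation; if one does, a separate flag for skipping prerequisites would be safer than overloading `strict`.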
@@ -607,7 +610,8 @@ nx_pull_match(struct ofpbuf *b, unsigned int match_len, 
struct match *match,
 }
 
 /* Behaves the same as nx_pull_match(), but skips over unknown NXM headers,
- * instead of failing with an error. */
+ * instead of failing with an error, and does not check for field
+ * prerequisities. */
 enum ofperr
 nx_pull_match_loose(struct ofpbuf *b, unsigned int match_len,
 struct match *match,
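Review bot: spelling in the added comment on nx_pull_match_loose(): `prerequisities` should be `prerequisites`. The same misspelling appears in the new comment on oxm_pull_match_loose() in the next hunk.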
@@ -664,8 +668,9 @@ oxm_pull_match(struct ofpbuf *b, const struct tun_table 
*tun_table,
 return oxm_pull_match__(b, true, tun_table, match);
 }
 
-/* Behaves the same as oxm_pull_match() with one exception.  Skips over unknown
- * OXM headers instead of failing with an error when they are encountered. */
+/* Behaves the same as oxm_pull_match() with two exceptions.  Skips over
+ * unknown OXM headers instead of failing with an error when they are
+ * encountered, and does not check for field prerequisities. */
 enum ofperr
 oxm_pull_match_loose(struct ofpbuf *b, const struct tun_table *tun_table,
  struct match *match)
@@ -676,14 +681,16 @@ oxm_pull_match_loose(struct ofpbuf *b, const struct 
tun_table *tun_table,
 /* Parses the OXM match description in the 'oxm_len' bytes in 'oxm'.  Stores
  * the result in 'match'.
  *
- * Fails with an error when encountering unknown OXM headers.
+ * Returns 0 if successful, otherwise an OpenFlow error code.
  *
- * Returns 0 if successful, otherwise an OpenFlow error code. */
+ * Encountering unknown OXM headers or missing field prerequisites are not
+ * considered as error conditions.
+ */
 enum ofperr
-oxm_decode_match(const void *oxm, size_t oxm_len,
- const struct tun_table *tun_table, struct match *match)
+oxm_decode_match_loose(const void *oxm, size_t oxm_len,
+   const struct tun_table *tun_table, struct match *match)
 {
-return nx_pull_raw(oxm, oxm_len, true, match, NULL, NULL, tun_table);
+return nx_pull_raw(oxm, oxm_len, false, match, NULL, NULL, tun_table);
 }
 
 /* Verify an array of OXM TLVs treating value of each TLV as a mask,
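Review bot: renaming oxm_decode_match() to oxm_decode_match_loose() and flipping the nx_pull_raw() argument from `true` to `false` removes the strict decoder altogether. The lib/ofp-util.c hunk header shows that decode_nx_packet_in2() already receives a `bool loose`, yet its NXPINT_METADATA case would now decode loosely whatever the caller asked for. Keep a strict variant, or pass the caller's flag through, so that paths needing exact matching can still reject unknown fields and unmet prerequisites.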
diff --git a/lib/nx-match.h b/lib/nx-match.h
index 5dca24a..cee9e65 100644
--- a/lib/nx-match.h
+++ b/lib/nx-match.h
@@ -61,8 +61,8 @@ enum ofperr oxm_pull_match(struct ofpbuf *, const struct 
tun_table *,
struct match *);
 enum ofperr oxm_pull_match_loose(struct ofpbuf *, const struct tun_table *,
  struct match *);
-enum ofperr oxm_decode_match(const void *, size_t, const struct tun_table *,
- struct match *);
+enum ofperr oxm_decode_match_loose(const void *, size_t,
+   const struct tun_table *, struct match *);
 enum ofperr oxm_pull_field_array(const void *, size_t fields_len,
  struct field_array *);
 
diff --git a/lib/ofp-util.c b/lib/ofp-util.c
index 0c9343e..9e8d4d2 100644
--- a/lib/ofp-util.c
+++ b/lib/ofp-util.c
@@ -3397,8 +3397,9 @@ decode_nx_packet_in2(const struct ofp_header *oh, bool 
loose,
 }
 
 case NXPINT_METADATA:
-error = oxm_decode_match(payload.msg, ofpbuf_msgsize(),
- tun_table, >flow_metadata);
+error = oxm_decode_match_loose(payload.msg,
+ 

[ovs-dev] [PATCH branch-2.7 21/25] datapath: Inherit master's labels.

2017-03-15 Thread Jarno Rajahalme
Upstream commit:

commit 09aa98ad496d6b11a698b258bc64d7f64c55d682
Author: Jarno Rajahalme <ja...@ovn.org>
Date:   Thu Feb 9 11:21:58 2017 -0800

openvswitch: Inherit master's labels.

We avoid calling into nf_conntrack_in() for expected connections, as
that would remove the expectation that we want to stick around until
we are ready to commit the connection.  Instead, we do a lookup in the
expectation table directly.  However, after a successful expectation
lookup we have set the flow key label field from the master
connection, whereas nf_conntrack_in() does not do this.  This leads to
master's labels being inherited after an expectation lookup, but those
labels not being inherited after the corresponding conntrack action
with a commit flag.

This patch resolves the problem by changing the commit code path to
also inherit the master's labels to the expected connection.
Resolving this conflict in favor of inheriting the labels allows more
information to be passed from the master connection to related
connections, which would otherwise be much harder if the 32 bits in
the connmark are not enough.  Labels can still be set explicitly, so
this change only affects the default values of the labels in presence
of a master connection.

Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Pravin B Shelar <pshe...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
Signed-off-by: David S. Miller <da...@davemloft.net>

Fixes: a94ebc39996b ("datapath: Add conntrack action")
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
---
 datapath/conntrack.c | 45 +++--
 1 file changed, 31 insertions(+), 14 deletions(-)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index a56fe07..9428eb2 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -80,6 +80,8 @@ struct ovs_conntrack_info {
 #endif
 };
 
+static bool labels_nonzero(const struct ovs_key_ct_labels *labels);
+
 static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info);
 
 static u16 key_to_nfproto(const struct sw_flow_key *key)
@@ -275,18 +277,32 @@ static int ovs_ct_init_labels(struct nf_conn *ct, struct 
sw_flow_key *key,
  const struct ovs_key_ct_labels *labels,
  const struct ovs_key_ct_labels *mask)
 {
-   struct nf_conn_labels *cl;
-   u32 *dst;
-   int i;
+   struct nf_conn_labels *cl, *master_cl;
+   bool have_mask = labels_nonzero(mask);
+
+   /* Inherit master's labels to the related connection? */
+   master_cl = ct->master ? nf_ct_labels_find(ct->master) : NULL;
+
+   if (!master_cl && !have_mask)
+   return 0;   /* Nothing to do. */
 
cl = ovs_ct_get_conn_labels(ct);
if (!cl)
return -ENOSPC;
 
-   dst = (u32 *)cl->bits;
-   for (i = 0; i < OVS_CT_LABELS_LEN_32; i++)
-   dst[i] = (dst[i] & ~mask->ct_labels_32[i]) |
-   (labels->ct_labels_32[i] & mask->ct_labels_32[i]);
+   /* Inherit the master's labels, if any. */
+   if (master_cl)
+   *cl = *master_cl;
+
+   if (have_mask) {
+   u32 *dst = (u32 *)cl->bits;
+   int i;
+
+   for (i = 0; i < OVS_CT_LABELS_LEN_32; i++)
+   dst[i] = (dst[i] & ~mask->ct_labels_32[i]) |
+   (labels->ct_labels_32[i]
+& mask->ct_labels_32[i]);
+   }
 
/* Labels are included in the IPCTNL_MSG_CT_NEW event only if the
 * IPCT_LABEL bit it set in the event cache.
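Review bot: ovs_ct_init_labels() now reaches `cl = ovs_ct_get_conn_labels(ct); if (!cl) return -ENOSPC;` whenever the master has labels, even when `have_mask` is false. A commit that sets no labels can therefore fail with -ENOSPC on a related connection, where the old caller would not have touched labels at all. Is failing the commit intended in that case, or should inheritance be best-effort when no mask was given? Separately, `*cl = *master_cl;` copies the whole struct nf_conn_labels rather than OVS_CT_LABELS_LEN bytes; a short comment saying this is deliberate would help, and the question mark in "Inherit master's labels to the related connection?" reads as an open question and could be dropped.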
@@ -943,13 +959,14 @@ static int ovs_ct_commit(struct net *net, struct 
sw_flow_key *key,
if (err)
return err;
}
-   if (labels_nonzero(>labels.mask)) {
-   if (!nf_ct_is_confirmed(ct))
-   err = ovs_ct_init_labels(ct, key, >labels.value,
->labels.mask);
-   else
-   err = ovs_ct_set_labels(ct, key, >labels.value,
-   >labels.mask);
+   if (!nf_ct_is_confirmed(ct)) {
+   err = ovs_ct_init_labels(ct, key, >labels.value,
+>labels.mask);
+   if (err)
+   return err;
+   } else if (labels_nonzero(>labels.mask)) {
+   err = ovs_ct_set_labels(ct, key, >labels.value,
+   >labels.mask);
if (err)
return err;
}
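Review bot: in ovs_ct_commit() the `if (!nf_ct_is_confirmed(ct))` branch now calls ovs_ct_init_labels() unconditionally and depends on that function's own early return when there is neither a master nor a mask. A one-line comment at the call site saying so would stop a later cleanup from putting the labels_nonzero() test back in front of it and silently dropping the inheritance.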
-- 
2.1.4



[ovs-dev] [PATCH branch-2.7 07/25] datapath: remove unnecessary EXPORT_SYMBOLs

2017-03-15 Thread Jarno Rajahalme
From: Jiri Benc <jb...@redhat.com>

Upstream commit:
commit 76e4cc7731a1e0c07e202999b9834f9d9be66de4
Author: Jiri Benc <jb...@redhat.com>
Date:   Wed Oct 19 11:26:37 2016 +0200

openvswitch: remove unnecessary EXPORT_SYMBOLs

Some symbols exported to other modules are really used only by
openvswitch.ko. Remove the exports.

Tested by loading all 4 openvswitch modules, nothing breaks.

Signed-off-by: Jiri Benc <jb...@redhat.com>
Acked-by: Pravin B Shelar <pshe...@ovn.org>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Signed-off-by: Joe Stringer <j...@ovn.org>
---
 datapath/datapath.c | 2 --
 datapath/vport-netdev.c | 1 -
 datapath/vport.c| 1 -
 3 files changed, 4 deletions(-)

diff --git a/datapath/datapath.c b/datapath/datapath.c
index be433ba..64cd781 100644
--- a/datapath/datapath.c
+++ b/datapath/datapath.c
@@ -62,7 +62,6 @@
 #include "vport-netdev.h"
 
 int ovs_net_id __read_mostly;
-EXPORT_SYMBOL_GPL(ovs_net_id);
 
 static struct genl_family dp_packet_genl_family;
 static struct genl_family dp_flow_genl_family;
@@ -135,7 +134,6 @@ int lockdep_ovsl_is_held(void)
else
return 1;
 }
-EXPORT_SYMBOL_GPL(lockdep_ovsl_is_held);
 #endif
 
 static int queue_gso_packets(struct datapath *dp, struct sk_buff *,
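Review bot: the `EXPORT_SYMBOL_GPL(lockdep_ovsl_is_held);` removed here sits inside a conditional block (the `#endif` follows directly), so a build-and-load test only exercises it when that configuration is enabled. The upstream message reports loading all 4 openvswitch modules; for this backport, please confirm that the datapath/ tree was built with that block enabled and that no separately built module in it still references lockdep_ovsl_is_held(), ovs_net_id, ovs_netdev_detach_dev() or ovs_vport_receive().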
diff --git a/datapath/vport-netdev.c b/datapath/vport-netdev.c
index 970f7d3..fd97246 100644
--- a/datapath/vport-netdev.c
+++ b/datapath/vport-netdev.c
@@ -167,7 +167,6 @@ void ovs_netdev_detach_dev(struct vport *vport)
netdev_master_upper_dev_get(vport->dev));
dev_set_promiscuity(vport->dev, -1);
 }
-EXPORT_SYMBOL_GPL(ovs_netdev_detach_dev);
 
 static void netdev_destroy(struct vport *vport)
 {
diff --git a/datapath/vport.c b/datapath/vport.c
index 7ac4632..9c8c0f1 100644
--- a/datapath/vport.c
+++ b/datapath/vport.c
@@ -507,7 +507,6 @@ int ovs_vport_receive(struct vport *vport, struct sk_buff 
*skb,
ovs_dp_process_packet(skb, );
return 0;
 }
-EXPORT_SYMBOL_GPL(ovs_vport_receive);
 
 static unsigned int packet_length(const struct sk_buff *skb)
 {
-- 
2.1.4


