Re: [ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
On Tue, Aug 13, 2019 at 8:03 PM Darrell Ball wrote: >> diff --git a/lib/dpif-provider.h b/lib/dpif-provider.h >> index e988626ea05b..d12b5a91c2eb 100644 >> --- a/lib/dpif-provider.h >> +++ b/lib/dpif-provider.h >> @@ -542,6 +542,16 @@ struct dpif_class { >> struct ct_dpif_timeout_policy *tp); >> int (*ct_timeout_policy_dump_done)(struct dpif *, void *state); >> >> +/* Gets timeout policy name based on 'tp_id', 'dl_type' and 'nw_proto'. >> + * On success, returns 0, stores the timeout policy name in 'tp_name', >> + * and sets 'unwildcard'. 'unwildcard' is true if the timeout >> + * policy in 'dpif' is 'dl_type' and 'nw_proto' specific, .i.e. in >> + * kernel datapath. Sets 'unwildcard' to false if the timeout policy >> + * is generic to all supported 'dl_type' and 'nw_proto'. */ >> +int (*ct_get_timeout_policy_name)(struct dpif *, uint32_t tp_id, >> + uint16_t dl_type, uint8_t nw_proto, >> + struct ds *tp_name, bool *unwildcard); > > I think adding the 'unwildcard' parameter to this particular API is not > intuitive; > I would create a simple dedicated API for it. As our offline discussion, we will keep this interface as is but update comment to make the API easier to understand. I also add some comment in the caller (in ofproto-dpif.c) to make the 'unwildcard' idea to be more clear. >> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c >> index 3013d83e96a0..8bbc596e2ce0 100644 >> --- a/ofproto/ofproto-dpif.c >> +++ b/ofproto/ofproto-dpif.c >> +bool >> +ofproto_dpif_ct_zone_timeout_policy_get_name( >> +const struct dpif_backer *backer, uint16_t zone, uint16_t dl_type, >> +uint8_t nw_proto, struct ds *tp_name, bool *unwildcard) >> +{ >> +struct ct_zone *ct_zone; >> + >> +if (!ct_dpif_timeout_policy_support_ipproto(nw_proto)) { >> +return false; >> +} >> + >> +ct_zone = ct_zone_lookup(>ct_zones, zone); > > > struct ct_zone *ct_zone = ct_zone_lookup(>ct_zones, zone); Done in v4. >> --- a/tests/system-traffic.at >> +++ b/tests/system-traffic.at >> +dnl Wait until the timeout expire. >> +dnl We intend to wait a bit longer, because conntrack does not recycle the >> entry right after it is expired. >> +sleep 4 > > Once the issue with sending additional packets after the first timeout expiry > is fixed, we should enhance the test > to resend and re-timeout to make sure it works. Sure, will modify the test case once the kernel fix is upstream. >> diff --git a/tests/system-userspace-macros.at >> b/tests/system-userspace-macros.at >> index 9d5f3bf419d3..8950a4de7287 100644 >> --- a/tests/system-userspace-macros.at >> +++ b/tests/system-userspace-macros.at >> +# VSCTL_ADD_ZONE_TIMEOUT_POLICY([parameters]) >> +# >> +# Add zone based timeout policy to userspace datapath >> +m4_define([VSCTL_ADD_ZONE_TIMEOUT_POLICY], > > > TBH, does not seems useful; just hides the what is happening Thanks for the diff in the other e-mail. I will fold in the proposed diff in v4. Thanks, -Yi-Hung ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
On Tue, Aug 13, 2019 at 8:03 PM Darrell Ball wrote: > Thanks for the patch > > few more comments > > On Mon, Aug 12, 2019 at 5:57 PM Yi-Hung Wei wrote: > >> This patch derives the timeout policy based on ct zone from the >> internal data structure that we maintain on dpif layer. >> >> It also adds a system traffic test to verify the zone-based conntrack >> timeout feature. The test uses ovs-vsctl commands to configure >> the customized ICMP and UDP timeout on zone 5 to a shorter period. >> It then injects ICMP and UDP traffic to conntrack, and checks if the >> corresponding conntrack entry expires after the predefined timeout. >> >> Signed-off-by: Yi-Hung Wei >> --- >> NEWS | 1 + >> lib/ct-dpif.c| 11 +++ >> lib/ct-dpif.h| 3 ++ >> lib/dpif-netdev.c| 1 + >> lib/dpif-netlink.c | 12 >> lib/dpif-provider.h | 10 ++ >> ofproto/ofproto-dpif-xlate.c | 23 ++ >> ofproto/ofproto-dpif.c | 27 >> ofproto/ofproto-dpif.h | 4 +++ >> tests/system-kmod-macros.at | 27 >> tests/system-traffic.at | 66 >> >> tests/system-userspace-macros.at | 26 >> 12 files changed, 211 insertions(+) >> >> diff --git a/NEWS b/NEWS >> index c5caa13d6374..9f7fbb852e08 100644 >> --- a/NEWS >> +++ b/NEWS >> @@ -69,6 +69,7 @@ v2.12.0 - xx xxx >> - Linux datapath: >> * Support for the kernel versions 4.19.x and 4.20.x. >> * Support for the kernel version 5.0.x. >> + * Add support for conntrack zone-based timeout policy. >> - 'ovs-dpctl dump-flows' is no longer suitable for dumping offloaded >> flows. >> 'ovs-appctl dpctl/dump-flows' should be used instead. >> - Add L2 GRE tunnel over IPv6 support. >> diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c >> index 7f9ce0a561f7..f3bd71b5769d 100644 >> --- a/lib/ct-dpif.c >> +++ b/lib/ct-dpif.c >> @@ -864,3 +864,14 @@ ct_dpif_timeout_policy_dump_done(struct dpif *dpif, >> void *state) >> ? dpif->dpif_class->ct_timeout_policy_dump_done(dpif, state) >> : EOPNOTSUPP); >> } >> + >> +int >> +ct_dpif_get_timeout_policy_name(struct dpif *dpif, uint32_t tp_id, >> +uint16_t dl_type, uint8_t nw_proto, >> +struct ds *tp_name, bool *unwildcard) >> +{ >> +return (dpif->dpif_class->ct_get_timeout_policy_name >> +? dpif->dpif_class->ct_get_timeout_policy_name( >> +dpif, tp_id, dl_type, nw_proto, tp_name, unwildcard) >> +: EOPNOTSUPP); >> +} >> diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h >> index aabd6962f2c0..786dc6d2c474 100644 >> --- a/lib/ct-dpif.h >> +++ b/lib/ct-dpif.h >> @@ -318,5 +318,8 @@ int ct_dpif_timeout_policy_dump_start(struct dpif >> *dpif, void **statep); >> int ct_dpif_timeout_policy_dump_next(struct dpif *dpif, void *state, >> struct ct_dpif_timeout_policy *tp); >> int ct_dpif_timeout_policy_dump_done(struct dpif *dpif, void *state); >> +int ct_dpif_get_timeout_policy_name(struct dpif *dpif, uint32_t tp_id, >> +uint16_t dl_type, uint8_t nw_proto, >> +struct ds *tp_name, bool >> *unwildcard); >> >> #endif /* CT_DPIF_H */ >> diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c >> index 7240a3e6f3c8..36637052e598 100644 >> --- a/lib/dpif-netdev.c >> +++ b/lib/dpif-netdev.c >> @@ -7539,6 +7539,7 @@ const struct dpif_class dpif_netdev_class = { >> NULL, /* ct_timeout_policy_dump_start */ >> NULL, /* ct_timeout_policy_dump_next */ >> NULL, /* ct_timeout_policy_dump_done */ >> +NULL, /* ct_get_timeout_policy_name */ >> dpif_netdev_ipf_set_enabled, >> dpif_netdev_ipf_set_min_frag, >> dpif_netdev_ipf_set_max_nfrags, >> diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c >> index c2ac19dff887..c306242984ae 100644 >> --- a/lib/dpif-netlink.c >> +++ b/lib/dpif-netlink.c >> @@ -3072,6 +3072,17 @@ dpif_netlink_format_tp_name(uint32_t id, uint16_t >> l3num, uint8_t l4num, >> ovs_assert(tp_name->length < CTNL_TIMEOUT_NAME_MAX); >> } >> >> +static int >> +dpif_netlink_ct_get_timeout_policy_name(struct dpif *dpif OVS_UNUSED, >> +uint32_t tp_id, uint16_t dl_type, uint8_t nw_proto, struct ds >> *tp_name, >> +bool *unwildcard) >> +{ >> +dpif_netlink_format_tp_name(tp_id, >> +dl_type == ETH_TYPE_IP ? AF_INET : AF_INET6, nw_proto, tp_name); >> +*unwildcard = true; >> +return 0; >> +} >> + >> #define CT_DPIF_NL_TP_TCP_MAPPINGS \ >> CT_DPIF_NL_TP_MAPPING(TCP, TCP, SYN_SENT, SYN_SENT) \ >> CT_DPIF_NL_TP_MAPPING(TCP, TCP, SYN_RECV, SYN_RECV) \ >> @@ -3898,6 +3909,7
Re: [ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
Thanks for the patch few more comments On Mon, Aug 12, 2019 at 5:57 PM Yi-Hung Wei wrote: > This patch derives the timeout policy based on ct zone from the > internal data structure that we maintain on dpif layer. > > It also adds a system traffic test to verify the zone-based conntrack > timeout feature. The test uses ovs-vsctl commands to configure > the customized ICMP and UDP timeout on zone 5 to a shorter period. > It then injects ICMP and UDP traffic to conntrack, and checks if the > corresponding conntrack entry expires after the predefined timeout. > > Signed-off-by: Yi-Hung Wei > --- > NEWS | 1 + > lib/ct-dpif.c| 11 +++ > lib/ct-dpif.h| 3 ++ > lib/dpif-netdev.c| 1 + > lib/dpif-netlink.c | 12 > lib/dpif-provider.h | 10 ++ > ofproto/ofproto-dpif-xlate.c | 23 ++ > ofproto/ofproto-dpif.c | 27 > ofproto/ofproto-dpif.h | 4 +++ > tests/system-kmod-macros.at | 27 > tests/system-traffic.at | 66 > > tests/system-userspace-macros.at | 26 > 12 files changed, 211 insertions(+) > > diff --git a/NEWS b/NEWS > index c5caa13d6374..9f7fbb852e08 100644 > --- a/NEWS > +++ b/NEWS > @@ -69,6 +69,7 @@ v2.12.0 - xx xxx > - Linux datapath: > * Support for the kernel versions 4.19.x and 4.20.x. > * Support for the kernel version 5.0.x. > + * Add support for conntrack zone-based timeout policy. > - 'ovs-dpctl dump-flows' is no longer suitable for dumping offloaded > flows. > 'ovs-appctl dpctl/dump-flows' should be used instead. > - Add L2 GRE tunnel over IPv6 support. > diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c > index 7f9ce0a561f7..f3bd71b5769d 100644 > --- a/lib/ct-dpif.c > +++ b/lib/ct-dpif.c > @@ -864,3 +864,14 @@ ct_dpif_timeout_policy_dump_done(struct dpif *dpif, > void *state) > ? dpif->dpif_class->ct_timeout_policy_dump_done(dpif, state) > : EOPNOTSUPP); > } > + > +int > +ct_dpif_get_timeout_policy_name(struct dpif *dpif, uint32_t tp_id, > +uint16_t dl_type, uint8_t nw_proto, > +struct ds *tp_name, bool *unwildcard) > +{ > +return (dpif->dpif_class->ct_get_timeout_policy_name > +? dpif->dpif_class->ct_get_timeout_policy_name( > +dpif, tp_id, dl_type, nw_proto, tp_name, unwildcard) > +: EOPNOTSUPP); > +} > diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h > index aabd6962f2c0..786dc6d2c474 100644 > --- a/lib/ct-dpif.h > +++ b/lib/ct-dpif.h > @@ -318,5 +318,8 @@ int ct_dpif_timeout_policy_dump_start(struct dpif > *dpif, void **statep); > int ct_dpif_timeout_policy_dump_next(struct dpif *dpif, void *state, > struct ct_dpif_timeout_policy *tp); > int ct_dpif_timeout_policy_dump_done(struct dpif *dpif, void *state); > +int ct_dpif_get_timeout_policy_name(struct dpif *dpif, uint32_t tp_id, > +uint16_t dl_type, uint8_t nw_proto, > +struct ds *tp_name, bool *unwildcard); > > #endif /* CT_DPIF_H */ > diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c > index 7240a3e6f3c8..36637052e598 100644 > --- a/lib/dpif-netdev.c > +++ b/lib/dpif-netdev.c > @@ -7539,6 +7539,7 @@ const struct dpif_class dpif_netdev_class = { > NULL, /* ct_timeout_policy_dump_start */ > NULL, /* ct_timeout_policy_dump_next */ > NULL, /* ct_timeout_policy_dump_done */ > +NULL, /* ct_get_timeout_policy_name */ > dpif_netdev_ipf_set_enabled, > dpif_netdev_ipf_set_min_frag, > dpif_netdev_ipf_set_max_nfrags, > diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c > index c2ac19dff887..c306242984ae 100644 > --- a/lib/dpif-netlink.c > +++ b/lib/dpif-netlink.c > @@ -3072,6 +3072,17 @@ dpif_netlink_format_tp_name(uint32_t id, uint16_t > l3num, uint8_t l4num, > ovs_assert(tp_name->length < CTNL_TIMEOUT_NAME_MAX); > } > > +static int > +dpif_netlink_ct_get_timeout_policy_name(struct dpif *dpif OVS_UNUSED, > +uint32_t tp_id, uint16_t dl_type, uint8_t nw_proto, struct ds > *tp_name, > +bool *unwildcard) > +{ > +dpif_netlink_format_tp_name(tp_id, > +dl_type == ETH_TYPE_IP ? AF_INET : AF_INET6, nw_proto, tp_name); > +*unwildcard = true; > +return 0; > +} > + > #define CT_DPIF_NL_TP_TCP_MAPPINGS \ > CT_DPIF_NL_TP_MAPPING(TCP, TCP, SYN_SENT, SYN_SENT) \ > CT_DPIF_NL_TP_MAPPING(TCP, TCP, SYN_RECV, SYN_RECV) \ > @@ -3898,6 +3909,7 @@ const struct dpif_class dpif_netlink_class = { > dpif_netlink_ct_timeout_policy_dump_start, > dpif_netlink_ct_timeout_policy_dump_next, >
Re: [ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
On Tue, Aug 13, 2019 at 2:33 PM Yi-Hung Wei wrote: > On Tue, Aug 13, 2019 at 11:43 AM Darrell Ball wrote: > > Sure, circling back to this part > > > > yep, it is the Linux In-tree kernel module rather than OVS tree module > > > > dball@ubuntu:~/ovs$ modinfo openvswitch > > filename: > /lib/modules/5.0.0-23-generic/kernel/net/openvswitch/openvswitch.ko > > alias: net-pf-16-proto-16-family-ovs_ct_limit > > alias: net-pf-16-proto-16-family-ovs_meter > > alias: net-pf-16-proto-16-family-ovs_packet > > alias: net-pf-16-proto-16-family-ovs_flow > > alias: net-pf-16-proto-16-family-ovs_vport > > alias: net-pf-16-proto-16-family-ovs_datapath > > license:GPL > > description:Open vSwitch switching datapath > > srcversion: 12850657561FB87D174A001 > > depends: > nf_conntrack,nf_nat,nf_conncount,libcrc32c,nf_nat_ipv6,nf_nat_ipv4,nf_defrag_ipv6,nsh > > retpoline: Y > > intree: Y > > name: openvswitch > > vermagic: 5.0.0-23-generic SMP mod_unload > > signat: PKCS#7 > > signer: > > sig_key: > > sig_hashalgo: md4 > > > > btw, similarly > > make 'check-kernel' fails for the same reasons. > > > > Ostensibly, I would have expected 5.0 to be ok. > > I can dig more on this part later if you wish. > > The ct timeout feature is introduced in 5.2 kernel, so 'make > check-kernel' is expected to fail on 5.0 kernel. The upstream kernel > support for ct timeout feature is documented at > "Documentation/faq/releases.rst" in the patch 4. > sure, I had another version in mind for some reason > > > > btw, I think a timeout policy not being applied should not result in > packet blackholing. > > I think we need to make this better. > > Sure, we can definitely make it better. I am focusing on some other > issue now, but I will have a follow up patch that only translate the > ct timeout attribute when the datapath does support that. > I had a brief look at the incremental, but probing for the support is the standard approach. > > Thanks, > > -Yi-Hung > > > > A timeout policy is just a nice to have 'thingy' after all. > > > > That being said, I would like to see Xenial working (with OVS in-tree > module) with higher priority. > > > > Thanks Darrell > ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
On Tue, Aug 13, 2019 at 2:33 PM Yi-Hung Wei wrote: > > On Tue, Aug 13, 2019 at 11:43 AM Darrell Ball wrote: > > btw, similarly > > make 'check-kernel' fails for the same reasons. > > > > Ostensibly, I would have expected 5.0 to be ok. > > I can dig more on this part later if you wish. > > The ct timeout feature is introduced in 5.2 kernel, so 'make > check-kernel' is expected to fail on 5.0 kernel. The upstream kernel > support for ct timeout feature is documented at > "Documentation/faq/releases.rst" in the patch 4. > > > > btw, I think a timeout policy not being applied should not result in packet > > blackholing. > > I think we need to make this better. > > Sure, we can definitely make it better. I am focusing on some other > issue now, but I will have a follow up patch that only translate the > ct timeout attribute when the datapath does support that. > With the following diff, OVS will translate the ct timeout attribute depends on whether the datapath support it or not. This shall resolve the 'make check-kernel' issue on 5.0 kernel. Thanks, -Yi-Hung <---diff> diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c index 0b5c56f443e6..4b9a11da221e 100644 --- a/ofproto/ofproto-dpif-xlate.c +++ b/ofproto/ofproto-dpif-xlate.c @@ -6085,15 +6085,15 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct ofpact_conntrack *ofc, nl_msg_put_u32(ctx->odp_actions, OVS_CT_ATTR_EVENTMASK, OVS_CT_EVENTMASK_DEFAULT); } +if (ctx->xbridge->support.ct_timeout) { +put_ct_timeout(ctx->odp_actions, ctx->xbridge->ofproto->backer, + >xin->flow, ctx->wc, zone); +} } nl_msg_put_u16(ctx->odp_actions, OVS_CT_ATTR_ZONE, zone); put_ct_mark(>xin->flow, ctx->odp_actions, ctx->wc); put_ct_label(>xin->flow, ctx->odp_actions, ctx->wc); put_ct_helper(ctx, ctx->odp_actions, ofc); -if (ofc->flags & NX_CT_F_COMMIT) { -put_ct_timeout(ctx->odp_actions, ctx->xbridge->ofproto->backer, - >xin->flow, ctx->wc, zone); -} put_ct_nat(ctx); ctx->ct_nat_action = NULL; nl_msg_end_nested(ctx->odp_actions, ct_offset); diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c index 8bbc596e2ce0..a5617b589964 100644 --- a/ofproto/ofproto-dpif.c +++ b/ofproto/ofproto-dpif.c @@ -1319,6 +1319,67 @@ check_ct_clear(struct dpif_backer *backer) return supported; } +/* Tests whether 'backer''s datapath supports the OVS_CT_ATTR_TIMEOUT + * attribute in OVS_ACTION_ATTR_CT. */ +static bool +check_ct_timeout_policy(struct dpif_backer *backer) +{ +struct dpif_execute execute; +struct dp_packet packet; +struct ofpbuf actions; +struct flow flow = { +.dl_type = CONSTANT_HTONS(ETH_TYPE_IP), +.nw_proto = IPPROTO_UDP, +.nw_ttl = 64, +/* Use the broadcast address on the loopback address range 127/8 to + * avoid hitting any real conntrack entries. We leave the UDP ports to + * zeroes for the same purpose. */ +.nw_src = CONSTANT_HTONL(0x7fff), +.nw_dst = CONSTANT_HTONL(0x7fff), +}; +size_t ct_start; +int error; + +/* Compose CT action with timeout policy attribute and check if datapath + * can decode the message. */ +ofpbuf_init(, 64); +ct_start = nl_msg_start_nested(, OVS_ACTION_ATTR_CT); +/* Timeout policy has no effect without the commit flag, but currently the + * datapath will accept a timeout policy even without commit. This is + * useful as we do not want to persist the probe connection in the + * conntrack table. */ +nl_msg_put_string(, OVS_CT_ATTR_TIMEOUT, "ovs_test_tp"); +nl_msg_end_nested(, ct_start); + +/* Compose a dummy UDP packet. */ +dp_packet_init(, 0); +flow_compose(, , NULL, 64); + +/* Execute the actions. On older datapaths this fails with EINVAL, on + * newer datapaths it succeeds. */ +execute.actions = actions.data; +execute.actions_len = actions.size; +execute.packet = +execute.flow = +execute.needs_help = false; +execute.probe = true; +execute.mtu = 0; + +error = dpif_execute(backer->dpif, ); + +dp_packet_uninit(); +ofpbuf_uninit(); + +if (error) { +VLOG_INFO("%s: Datapath does not support timeout policy in conntrack " + "action", dpif_name(backer->dpif)); +} else { +VLOG_INFO("%s: Datapath supports timeout policy in conntrack action", + dpif_name(backer->dpif)); +} + +return !error; +} /* Tests whether 'backer''s datapath supports the * OVS_ACTION_ATTR_CHECK_PKT_LEN action. */ @@ -1469,6 +1530,7 @@ check_support(struct dpif_backer *backer) backer->rt_support.ct_clear = check_ct_clear(backer); backer->rt_support.max_hash_alg = check_max_dp_hash_alg(backer);
Re: [ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
On Tue, Aug 13, 2019 at 11:43 AM Darrell Ball wrote: > Sure, circling back to this part > > yep, it is the Linux In-tree kernel module rather than OVS tree module > > dball@ubuntu:~/ovs$ modinfo openvswitch > filename: > /lib/modules/5.0.0-23-generic/kernel/net/openvswitch/openvswitch.ko > alias: net-pf-16-proto-16-family-ovs_ct_limit > alias: net-pf-16-proto-16-family-ovs_meter > alias: net-pf-16-proto-16-family-ovs_packet > alias: net-pf-16-proto-16-family-ovs_flow > alias: net-pf-16-proto-16-family-ovs_vport > alias: net-pf-16-proto-16-family-ovs_datapath > license:GPL > description:Open vSwitch switching datapath > srcversion: 12850657561FB87D174A001 > depends: > nf_conntrack,nf_nat,nf_conncount,libcrc32c,nf_nat_ipv6,nf_nat_ipv4,nf_defrag_ipv6,nsh > retpoline: Y > intree: Y > name: openvswitch > vermagic: 5.0.0-23-generic SMP mod_unload > signat: PKCS#7 > signer: > sig_key: > sig_hashalgo: md4 > > btw, similarly > make 'check-kernel' fails for the same reasons. > > Ostensibly, I would have expected 5.0 to be ok. > I can dig more on this part later if you wish. The ct timeout feature is introduced in 5.2 kernel, so 'make check-kernel' is expected to fail on 5.0 kernel. The upstream kernel support for ct timeout feature is documented at "Documentation/faq/releases.rst" in the patch 4. > btw, I think a timeout policy not being applied should not result in packet > blackholing. > I think we need to make this better. Sure, we can definitely make it better. I am focusing on some other issue now, but I will have a follow up patch that only translate the ct timeout attribute when the datapath does support that. Thanks, -Yi-Hung > A timeout policy is just a nice to have 'thingy' after all. > > That being said, I would like to see Xenial working (with OVS in-tree module) > with higher priority. > > Thanks Darrell ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
On Tue, Aug 13, 2019 at 11:01 AM Yi-Hung Wei wrote: > On Mon, Aug 12, 2019 at 7:35 PM Darrell Ball wrote: > > > > Thanks for the patch > > > > Not a full review; I just did a quick run of the test using a more > recent kernel version > > > > dball@ubuntu:~/ovs$ uname -r > > 5.0.0-23-generic > > dball@ubuntu:~/ovs$ lsb_release -a > > No LSB modules are available. > > Distributor ID: Ubuntu > > Description: Ubuntu 18.04.3 LTS > > Release: 18.04 > > Codename: bionic > > > > The test is no longer blocked on subsequent runs, at least with this > kernel version (others: TBD) - cool ! > > > > However > > > > ## --- ## > > ## openvswitch 2.12.90 test suite. ## > > ## --- ## > > 75: conntrack - zone-based timeout policy FAILED ( > system-traffic.at:3228) > > > > . > > . > > . > > VSCTL_ADD_ZONE_TIMEOUT_POLICY([zone=5 udp_single=3 icmp_first=3]) > > > > dnl Send ICMP and UDP traffic > > NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | > FORMAT_PING], [0], [dnl < FAILS HERE > > 3 packets transmitted, 3 received, 0% packet loss, time 0ms > > ]) > > . > > . > > . > > > > -3 packets transmitted, 3 received, 0% packet loss, time 0ms > > +7 packets transmitted, 0 received, 100% packet loss, time 0ms > > > > warnings: > > > > > 2019-08-13T02:19:06.674Z|1|dpif(handler1)|WARN|system@ovs-system: > failed to put[create] (Invalid argument) > ufid:55d8603a-729c-43d7-9612-b54553e46299 > recirc_id(0x2),dp_hash(0/0),skb_priority(0/0),in_port(2),skb_mark(0/0),ct_state(0x21/0x23),ct_zone(0x5/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src= > 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0 > ),eth(src=8a:ea:c3:02:6f:94/00:00:00:00:00:00,dst=92:48:5b:47:e2:63/00:00:00:00:00:00),eth_type(0x0800),ipv4(src= > 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), > actions:ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 > > > 2019-08-13T02:19:06.674Z|2|dpif(handler1)|WARN|system@ovs-system: > execute ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 failed (Invalid > argument) on packet > icmp,vlan_tci=0x,dl_src=8a:ea:c3:02:6f:94,dl_dst=92:48:5b:47:e2:63,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0 > icmp_csum:4d0a > > > with metadata > skb_priority(0),skb_mark(0),ct_state(0x21),ct_zone(0x5),ct_tuple4(src=10.1.1.1,dst=10.1.1.2,proto=1,tp_src=8,tp_dst=0),in_port(2) > mtu 0 > > > 2019-08-13T02:19:06.999Z|3|dpif(handler1)|WARN|system@ovs-system: > failed to put[create] (Invalid argument) > ufid:55d8603a-729c-43d7-9612-b54553e46299 > recirc_id(0x2),dp_hash(0/0),skb_priority(0/0),in_port(2),skb_mark(0/0),ct_state(0x21/0x23),ct_zone(0x5/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src= > 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0 > ),eth(src=8a:ea:c3:02:6f:94/00:00:00:00:00:00,dst=92:48:5b:47:e2:63/00:00:00:00:00:00),eth_type(0x0800),ipv4(src= > 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), > actions:ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 > > > 2019-08-13T02:19:06.999Z|4|dpif(handler1)|WARN|system@ovs-system: > execute ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 failed (Invalid > argument) on packet > icmp,vlan_tci=0x,dl_src=8a:ea:c3:02:6f:94,dl_dst=92:48:5b:47:e2:63,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0 > icmp_csum:2f10 > > > with metadata > skb_priority(0),skb_mark(0),ct_state(0x21),ct_zone(0x5),ct_tuple4(src=10.1.1.1,dst=10.1.1.2,proto=1,tp_src=8,tp_dst=0),in_port(2) > mtu 0 > > Thanks for trying this test out on the other setup. > > The warning messages indicate that the kernel module does not > understand the new added ct timeout action attribute. I am wondering > if the system used the correct kernel module? Can you check 'modinfo > openvswitch' and 'dmesg' to make sure the correct kernel module is > loaded in the system? > > Thanks, > > -Yi-Hung > Sure, circling back to this part yep, it is the Linux In-tree kernel module rather than OVS tree module dball@ubuntu:~/ovs$ modinfo openvswitch filename: /lib/modules/5.0.0-23-generic/kernel/net/openvswitch/openvswitch.ko alias: net-pf-16-proto-16-family-ovs_ct_limit alias: net-pf-16-proto-16-family-ovs_meter alias: net-pf-16-proto-16-family-ovs_packet alias: net-pf-16-proto-16-family-ovs_flow alias: net-pf-16-proto-16-family-ovs_vport alias: net-pf-16-proto-16-family-ovs_datapath license:GPL description:Open vSwitch switching datapath srcversion: 12850657561FB87D174A001 depends: nf_conntrack,nf_nat,nf_conncount,libcrc32c,nf_nat_ipv6,nf_nat_ipv4,nf_defrag_ipv6,nsh retpoline: Y intree: Y name: openvswitch vermagic: 5.0.0-23-generic SMP mod_unload signat: PKCS#7 signer: sig_key: sig_hashalgo: md4 btw, similarly make 'check-kernel' fails for the
Re: [ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
On Mon, Aug 12, 2019 at 7:35 PM Darrell Ball wrote: > > Thanks for the patch > > Not a full review; I just did a quick run of the test using a more recent > kernel version > > dball@ubuntu:~/ovs$ uname -r > 5.0.0-23-generic > dball@ubuntu:~/ovs$ lsb_release -a > No LSB modules are available. > Distributor ID: Ubuntu > Description: Ubuntu 18.04.3 LTS > Release: 18.04 > Codename: bionic > > The test is no longer blocked on subsequent runs, at least with this kernel > version (others: TBD) - cool ! > > However > > ## --- ## > ## openvswitch 2.12.90 test suite. ## > ## --- ## > 75: conntrack - zone-based timeout policy FAILED > (system-traffic.at:3228) > > . > . > . > VSCTL_ADD_ZONE_TIMEOUT_POLICY([zone=5 udp_single=3 icmp_first=3]) > > dnl Send ICMP and UDP traffic > NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], > [0], [dnl < FAILS HERE > 3 packets transmitted, 3 received, 0% packet loss, time 0ms > ]) > . > . > . > > -3 packets transmitted, 3 received, 0% packet loss, time 0ms > +7 packets transmitted, 0 received, 100% packet loss, time 0ms > > warnings: > > > 2019-08-13T02:19:06.674Z|1|dpif(handler1)|WARN|system@ovs-system: > > failed to put[create] (Invalid argument) > > ufid:55d8603a-729c-43d7-9612-b54553e46299 > > recirc_id(0x2),dp_hash(0/0),skb_priority(0/0),in_port(2),skb_mark(0/0),ct_state(0x21/0x23),ct_zone(0x5/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src=10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0),eth(src=8a:ea:c3:02:6f:94/00:00:00:00:00:00,dst=92:48:5b:47:e2:63/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), > > actions:ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 > > 2019-08-13T02:19:06.674Z|2|dpif(handler1)|WARN|system@ovs-system: > > execute ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 failed (Invalid > > argument) on packet > > icmp,vlan_tci=0x,dl_src=8a:ea:c3:02:6f:94,dl_dst=92:48:5b:47:e2:63,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0 > > icmp_csum:4d0a > > with metadata > > skb_priority(0),skb_mark(0),ct_state(0x21),ct_zone(0x5),ct_tuple4(src=10.1.1.1,dst=10.1.1.2,proto=1,tp_src=8,tp_dst=0),in_port(2) > > mtu 0 > > 2019-08-13T02:19:06.999Z|3|dpif(handler1)|WARN|system@ovs-system: > > failed to put[create] (Invalid argument) > > ufid:55d8603a-729c-43d7-9612-b54553e46299 > > recirc_id(0x2),dp_hash(0/0),skb_priority(0/0),in_port(2),skb_mark(0/0),ct_state(0x21/0x23),ct_zone(0x5/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src=10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0),eth(src=8a:ea:c3:02:6f:94/00:00:00:00:00:00,dst=92:48:5b:47:e2:63/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), > > actions:ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 > > 2019-08-13T02:19:06.999Z|4|dpif(handler1)|WARN|system@ovs-system: > > execute ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 failed (Invalid > > argument) on packet > > icmp,vlan_tci=0x,dl_src=8a:ea:c3:02:6f:94,dl_dst=92:48:5b:47:e2:63,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0 > > icmp_csum:2f10 > > with metadata > > skb_priority(0),skb_mark(0),ct_state(0x21),ct_zone(0x5),ct_tuple4(src=10.1.1.1,dst=10.1.1.2,proto=1,tp_src=8,tp_dst=0),in_port(2) > > mtu 0 Thanks for trying this test out on the other setup. The warning messages indicate that the kernel module does not understand the new added ct timeout action attribute. I am wondering if the system used the correct kernel module? Can you check 'modinfo openvswitch' and 'dmesg' to make sure the correct kernel module is loaded in the system? Thanks, -Yi-Hung ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
Thanks for the patch Not a full review; I just did a quick run of the test using a more recent kernel version dball@ubuntu:~/ovs$ uname -r 5.0.0-23-generic dball@ubuntu:~/ovs$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 18.04.3 LTS Release: 18.04 Codename: bionic The test is no longer blocked on subsequent runs, at least with this kernel version (others: TBD) - cool ! However ## --- ## ## openvswitch 2.12.90 test suite. ## ## --- ## 75: conntrack - zone-based timeout policy FAILED ( system-traffic.at:3228) . . . VSCTL_ADD_ZONE_TIMEOUT_POLICY([zone=5 udp_single=3 icmp_first=3]) dnl Send ICMP and UDP traffic NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl < FAILS HERE 3 packets transmitted, 3 received, 0% packet loss, time 0ms ]) . . . -3 packets transmitted, 3 received, 0% packet loss, time 0ms +7 packets transmitted, 0 received, 100% packet loss, time 0ms warnings: > 2019-08-13T02:19:06.674Z|1|dpif(handler1)|WARN|system@ovs-system: failed to put[create] (Invalid argument) ufid:55d8603a-729c-43d7-9612-b54553e46299 recirc_id(0x2),dp_hash(0/0),skb_priority(0/0),in_port(2),skb_mark(0/0),ct_state(0x21/0x23),ct_zone(0x5/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src= 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0 ),eth(src=8a:ea:c3:02:6f:94/00:00:00:00:00:00,dst=92:48:5b:47:e2:63/00:00:00:00:00:00),eth_type(0x0800),ipv4(src= 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), actions:ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 > 2019-08-13T02:19:06.674Z|2|dpif(handler1)|WARN|system@ovs-system: execute ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 failed (Invalid argument) on packet icmp,vlan_tci=0x,dl_src=8a:ea:c3:02:6f:94,dl_dst=92:48:5b:47:e2:63,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0 icmp_csum:4d0a > with metadata skb_priority(0),skb_mark(0),ct_state(0x21),ct_zone(0x5),ct_tuple4(src=10.1.1.1,dst=10.1.1.2,proto=1,tp_src=8,tp_dst=0),in_port(2) mtu 0 > 2019-08-13T02:19:06.999Z|3|dpif(handler1)|WARN|system@ovs-system: failed to put[create] (Invalid argument) ufid:55d8603a-729c-43d7-9612-b54553e46299 recirc_id(0x2),dp_hash(0/0),skb_priority(0/0),in_port(2),skb_mark(0/0),ct_state(0x21/0x23),ct_zone(0x5/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src= 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0 ),eth(src=8a:ea:c3:02:6f:94/00:00:00:00:00:00,dst=92:48:5b:47:e2:63/00:00:00:00:00:00),eth_type(0x0800),ipv4(src= 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), actions:ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 > 2019-08-13T02:19:06.999Z|4|dpif(handler1)|WARN|system@ovs-system: execute ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 failed (Invalid argument) on packet icmp,vlan_tci=0x,dl_src=8a:ea:c3:02:6f:94,dl_dst=92:48:5b:47:e2:63,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0 icmp_csum:2f10 > with metadata skb_priority(0),skb_mark(0),ct_state(0x21),ct_zone(0x5),ct_tuple4(src=10.1.1.1,dst=10.1.1.2,proto=1,tp_src=8,tp_dst=0),in_port(2) mtu 0 > 2019-08-13T02:19:07.319Z|5|dpif(handler1)|WARN|system@ovs-system: failed to put[create] (Invalid argument) ufid:55d8603a-729c-43d7-9612-b54553e46299 recirc_id(0x2),dp_hash(0/0),skb_priority(0/0),in_port(2),skb_mark(0/0),ct_state(0x21/0x23),ct_zone(0x5/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src= 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0 ),eth(src=8a:ea:c3:02:6f:94/00:00:00:00:00:00,dst=92:48:5b:47:e2:63/00:00:00:00:00:00),eth_type(0x0800),ipv4(src= 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), actions:ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 > 2019-08-13T02:19:07.320Z|6|dpif(handler1)|WARN|system@ovs-system: execute ct(commit,zone=5,timeout=ovs_tp_0_icmp4),3 failed (Invalid argument) on packet icmp,vlan_tci=0x,dl_src=8a:ea:c3:02:6f:94,dl_dst=92:48:5b:47:e2:63,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0 icmp_csum:906c > with metadata skb_priority(0),skb_mark(0),ct_state(0x21),ct_zone(0x5),ct_tuple4(src=10.1.1.1,dst=10.1.1.2,proto=1,tp_src=8,tp_dst=0),in_port(2) mtu 0 > 2019-08-13T02:19:07.639Z|7|dpif(handler1)|WARN|system@ovs-system: failed to put[create] (Invalid argument) ufid:55d8603a-729c-43d7-9612-b54553e46299 recirc_id(0x2),dp_hash(0/0),skb_priority(0/0),in_port(2),skb_mark(0/0),ct_state(0x21/0x23),ct_zone(0x5/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src= 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0 ),eth(src=8a:ea:c3:02:6f:94/00:00:00:00:00:00,dst=92:48:5b:47:e2:63/00:00:00:00:00:00),eth_type(0x0800),ipv4(src= 10.1.1.1/0.0.0.0,dst=10.1.1.2/0.0.0.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0),
[ovs-dev] [PATCH v3 9/9] ofproto-dpif-xlate: Translate timeout policy in ct action
This patch derives the timeout policy based on ct zone from the internal data structure that we maintain on dpif layer. It also adds a system traffic test to verify the zone-based conntrack timeout feature. The test uses ovs-vsctl commands to configure the customized ICMP and UDP timeout on zone 5 to a shorter period. It then injects ICMP and UDP traffic to conntrack, and checks if the corresponding conntrack entry expires after the predefined timeout. Signed-off-by: Yi-Hung Wei --- NEWS | 1 + lib/ct-dpif.c| 11 +++ lib/ct-dpif.h| 3 ++ lib/dpif-netdev.c| 1 + lib/dpif-netlink.c | 12 lib/dpif-provider.h | 10 ++ ofproto/ofproto-dpif-xlate.c | 23 ++ ofproto/ofproto-dpif.c | 27 ofproto/ofproto-dpif.h | 4 +++ tests/system-kmod-macros.at | 27 tests/system-traffic.at | 66 tests/system-userspace-macros.at | 26 12 files changed, 211 insertions(+) diff --git a/NEWS b/NEWS index c5caa13d6374..9f7fbb852e08 100644 --- a/NEWS +++ b/NEWS @@ -69,6 +69,7 @@ v2.12.0 - xx xxx - Linux datapath: * Support for the kernel versions 4.19.x and 4.20.x. * Support for the kernel version 5.0.x. + * Add support for conntrack zone-based timeout policy. - 'ovs-dpctl dump-flows' is no longer suitable for dumping offloaded flows. 'ovs-appctl dpctl/dump-flows' should be used instead. - Add L2 GRE tunnel over IPv6 support. diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c index 7f9ce0a561f7..f3bd71b5769d 100644 --- a/lib/ct-dpif.c +++ b/lib/ct-dpif.c @@ -864,3 +864,14 @@ ct_dpif_timeout_policy_dump_done(struct dpif *dpif, void *state) ? dpif->dpif_class->ct_timeout_policy_dump_done(dpif, state) : EOPNOTSUPP); } + +int +ct_dpif_get_timeout_policy_name(struct dpif *dpif, uint32_t tp_id, +uint16_t dl_type, uint8_t nw_proto, +struct ds *tp_name, bool *unwildcard) +{ +return (dpif->dpif_class->ct_get_timeout_policy_name +? dpif->dpif_class->ct_get_timeout_policy_name( +dpif, tp_id, dl_type, nw_proto, tp_name, unwildcard) +: EOPNOTSUPP); +} diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h index aabd6962f2c0..786dc6d2c474 100644 --- a/lib/ct-dpif.h +++ b/lib/ct-dpif.h @@ -318,5 +318,8 @@ int ct_dpif_timeout_policy_dump_start(struct dpif *dpif, void **statep); int ct_dpif_timeout_policy_dump_next(struct dpif *dpif, void *state, struct ct_dpif_timeout_policy *tp); int ct_dpif_timeout_policy_dump_done(struct dpif *dpif, void *state); +int ct_dpif_get_timeout_policy_name(struct dpif *dpif, uint32_t tp_id, +uint16_t dl_type, uint8_t nw_proto, +struct ds *tp_name, bool *unwildcard); #endif /* CT_DPIF_H */ diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c index 7240a3e6f3c8..36637052e598 100644 --- a/lib/dpif-netdev.c +++ b/lib/dpif-netdev.c @@ -7539,6 +7539,7 @@ const struct dpif_class dpif_netdev_class = { NULL, /* ct_timeout_policy_dump_start */ NULL, /* ct_timeout_policy_dump_next */ NULL, /* ct_timeout_policy_dump_done */ +NULL, /* ct_get_timeout_policy_name */ dpif_netdev_ipf_set_enabled, dpif_netdev_ipf_set_min_frag, dpif_netdev_ipf_set_max_nfrags, diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c index c2ac19dff887..c306242984ae 100644 --- a/lib/dpif-netlink.c +++ b/lib/dpif-netlink.c @@ -3072,6 +3072,17 @@ dpif_netlink_format_tp_name(uint32_t id, uint16_t l3num, uint8_t l4num, ovs_assert(tp_name->length < CTNL_TIMEOUT_NAME_MAX); } +static int +dpif_netlink_ct_get_timeout_policy_name(struct dpif *dpif OVS_UNUSED, +uint32_t tp_id, uint16_t dl_type, uint8_t nw_proto, struct ds *tp_name, +bool *unwildcard) +{ +dpif_netlink_format_tp_name(tp_id, +dl_type == ETH_TYPE_IP ? AF_INET : AF_INET6, nw_proto, tp_name); +*unwildcard = true; +return 0; +} + #define CT_DPIF_NL_TP_TCP_MAPPINGS \ CT_DPIF_NL_TP_MAPPING(TCP, TCP, SYN_SENT, SYN_SENT) \ CT_DPIF_NL_TP_MAPPING(TCP, TCP, SYN_RECV, SYN_RECV) \ @@ -3898,6 +3909,7 @@ const struct dpif_class dpif_netlink_class = { dpif_netlink_ct_timeout_policy_dump_start, dpif_netlink_ct_timeout_policy_dump_next, dpif_netlink_ct_timeout_policy_dump_done, +dpif_netlink_ct_get_timeout_policy_name, NULL, /* ipf_set_enabled */ NULL, /* ipf_set_min_frag */ NULL, /* ipf_set_max_nfrags */ diff --git a/lib/dpif-provider.h b/lib/dpif-provider.h index