git.onelab.eu Git - sliver-openvswitch.git/log

timeval: Add "time/stop" unixctl command, for use in unit tests.

Although we try to avoid it, some unit tests are necessarily
timing-sensitive. The new "time/stop" command that this commit adds should
help with that, by preventing time from advancing from the viewpoint of
the OVS "timeval" functions except when "time/warp" explicitly advances
the current time. This should allow the unit tests that need it to become
reproducible regardless of the speed at which the tests run.

This commit adds one use of "time/stop" to the unit test suite, in the one
timing-sensitive test of which I am currently aware.

Bug #9782.
Reported-by: Tim Chen <tchen@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

INSTALL.Linux: minor typo

s/ovsdmonitor/ovsdbmonitor/

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

tests: Prefer development Python files over installed ones.

A developer may have Open vSwitch installed, in which case many of
the Python files which are tested will be in both the development
tree and the system Python library. When running unit tests, we
want to test the development tree, so it's better to prefer
importing those files.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

xenserver: Restart ovs-xapi-sync on kmod reload.

Some users never restart OVS, they just reload the kernel module on
each new version. Since ovs-xapi-sync is a daemon, a restart is
required to use the new code. Therefore, without this patch, users
could unwittingly use stale versions of ovs-xapi-sync.

Bug #9919.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
Diagnosed-by: Ben Pfaff <blp@nicira.com>

xenserver: Always update the bridge ID in ovs-xapi-sync.

In some cases we were seeing this column get stale.

Bug #9929.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
Diagnosed-by: Justin Pettit <jpettit@nicira.com>

debian: Fix exit status of openvswitch-switch init script "status" command.

The init script ends with an explicit "exit 0" so nonzero exit codes from
"ovs-ctl status" were being lost.

Bug #9714.
Reported-by: Paul Ingram <paul@nicira.com>
CC: Sujatha Shetty <sshetty@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

dpif-linux: Make dpif_linux_port_query_by_name() query only one datapath.

The kernel will report a vport with the given name in any datapath, but
userspace only wants a vport with the given name in a specific datapath.
Receiving information on a vport in an unexpected datapath yields bizarre
and hard-to-debug problems.

Bug #9889.
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Cleanup STP on ports when disabled on their bridge.

When STP is enabled on a bridge, the STP module puts its ports in
an STP_LISTENING state until STP converges.  This causes all
traffic destined for these ports to be dropped.  If STP is disabled
on the bridge, but not explicitly disabled on its ports, the bridge
fails to remove the STP state from these ports.  Therefore, if a
port is in an STP_LISTENING state, it will remain in that state and
continue to drop all traffic indefinitely.  This patch fixes the
issue.

Signed-off-by: Ethan Jackson <ethan@nicira.com>
Bug #9157.

ovs-ofctl: Fix "snoop" command.

The vconn that "snoop" opens does not process and reply to requests, so
sending a request to set the packet-in format will hang forever, which
means that "snoop" never actually prints any of the traffic that it
receives.

Bug #9346.
Reported-by: Alan Shieh <ashieh@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

cfm: Allow manual override of CFM fault status.

This can be useful when testing.

Suggested-by: Reid Price <reid@nicira.com>
Signed-off-by: Ethan Jackson <ethan@nicira.com>

configure: Try to extract kernel source directory from build Makefile.

OVS needs to inspect the headers in the kernel source directory at build
time. Debian keeps moving the source directory relative to the build
directory and doesn't provide an obvious way to find the source directory,
so in the past we've used some name-based heuristics to essentially guess
where it is.

This commit introduces a new heuristic that I hope will be more reliable:
extracting the source directory from the Makefile in the build directory.
In Debian's case, it looks like the Makefile generally contains a line of
the form "MAKEARGS := -C <srcdir> O=<outdir>". This commit extracts the
source directory from that line.

To avoid regressions this commit retains the older heuristics as fallbacks.

CC: 659685@bugs.debian.org
Reported-by: Thomas Goirand <zigo@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: Always configure a default queue for QoS.

When an interface has QoS configured but no default queue (queue 0), OVS
has until now installed that QoS configuration literally, which causes all
packets destined for this default queue to be dropped. This behavior is
usually both unexpected and undesirable.

This commit changes behavior so that, when no default queue is configured,
OVS uses a default "empty" configuration for the default queue. This
behavior should be more acceptable when QoS is slightly misconfigured.

I tested that, without this patch, configuring only queue 1 causes "tc
class show" to show only queue 1 (handle 1:2) for linux-htb and linux-hfsc,
and that with this patch it shows configurations for both queue 0 (handle
1:1) and queue 1.

Bug #5583.
Feature #7413.
Signed-off-by: Ben Pfaff <blp@nicira.com>

xenserver: Fix iteration of dictionary.

Fix bug in commit 3249bb907a1dab9b0, which incorrectly assumed that
get_all_records_where() returned a list. It in fact returns a
dictionary and the list iteratory needs to change to account for this.

Thanks to Nicira for pointing this out.

NIC-454.

Reported-by: David Tsai <dtsai@nicira.com>
Acked-by: Rob Hoes <rob.hoes@citrix.com>
Signed-off-by: Dominic Curran <dominic.curran@citrix.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Update changelog for 1.4.0-2 upload

Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Use provided kernel source dir instead of host kernel version.

DKMS passes in an explicit variable for the kernel source directory, so we
should use that instead of `uname -r`.

CC: 659685@bugs.debian.org
Reported-by: Thomas Goirand <thomas@goirand.fr>
Tested-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Do not run "make" if "configure" fails during DKMS build.

There is no point in trying to run "make" if "configure" failed. The
"make" will fail too and the log will be harder to read.

CC: Thomas Goirand <zigo@debian.org>
CC: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Fix dependencies for openvswitch-datapath-dkms package.

The OVS kernel module, like other kernel modules, does not need a working
userspace build environment, but the OVS "configure" script and makefiles
don't support a kernel-only build, so "configure" fails if libc6-dev is
not installed.

It would be better to change the "configure" script and makefiles to handle
this special case, but that was more work than I initially expected it to
be.

Bug #8606.
Reported-by: Edwin Chiu <echiu@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-xapi-sync: Always set iface-id, not just when xs-vif-uuid changes.

When XAPI moves an interface from one bridge to another, the vif script
removes the vif from one bridge and adds it to (possibly) a different
bridge in a single transaction.  The new record does not have an iface-id
initially (because the vif script never adds the iface-id initially) but
it has the same name and xs-vif-uuid as the old one, so the caching logic
in ovs-xapi-sync failed to add a new iface-id.  This commit fixes the
caching logic.

Observed on XenServer 5.6.100.  It's possible that XAPI behavior changed in
later versions so the bug cannot be triggered there, but we have not
checked.

Bug #9414.
Reported-by: Duffie Cooley <dcooley@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Don't output to in_port even if in_port is OFPP_LOCAL.

Signed-off-by: Aaron Rosen <arosen@clemson.edu>
[Ben Pfaff added the test.]
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Don't install Python modules for obsolete Python versions.

Python 2.4 is obsolete, not present in Debian squeeze or sid, so don't
install Python modules for it.

It would be better to just put the files directly into
/usr/share/pyshared/ovs/, instead of in site-packages for some specific
Python version, but this causes problems for builds on squeeze, as
documented in commit bc3aa0bf5 (debian: Make python-openvswitch packaging
work with squeeze dh_python2.):

    The dh_python2 helper in Debian squeeze has a limitation that is not
    mentioned anywhere, as far as I can tell: Python files must be in
    /usr/lib/python#.#/site-packages to be installed.  The version in Debian
    wheezy does not have the same limitation.

    This meant that building the Debian packages on squeeze silently produced
    a broken python-openvswitch package, whereas building the same thing on
    wheezy built a working package.

    This fixes the problem by putting the .py files where squeeze expects them.
    It works on wheezy too.

A before-and-after "debdiff" shows that the only significant effect of this
commit is to drop python2.4 symlinks.

CC: horms@debian.org
Reported-by: Luca Falavigna <ftpmaster@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Add dependency on ${misc:Depends} to openvswitch-test

This is necessary as openvswitch-test makes use of debhelper.

As reported by lintian.

Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: Make the MAC entry aging time configurable.

NICS-11.
Signed-off-by: Ben Pfaff <blp@nicira.com>

mac-learning: Increase MAC learning timeout to 300 seconds.

When Cisco (and other?) routers are configured in high-availability modes,
they use two different MAC addresses.  The router uses MAC 1 only for ARP
replies.  The router uses MAC 2 for forwarding IP packets to end hosts.
When a MAC learning switch is attached to the router, therefore, it will
only learn the location of MAC 1 from ARP replies.  If the end host's ARP
cache refresh timer is longer than the switch's MAC learning timeout, then
packets to the router will be flooded from the MAC learning timeout until
the next ARP reply.

This commit fixes the problem by increasing the MAC learning timeout from
60 seconds to 300 seconds.  According to research by Sanjay Sane, this is
always sufficient, even with operating systems that use ARP timeouts
longer than 300 seconds (such as FreeBSD and Mac OS, which have 1200
seconds ARP timeouts)  because the routers that cause this problem send
unsolicited ARP replies every 180 seconds.

This issue arises in any situation where traffic between two hosts flows
only in one direction.  The explanation above describes only one special
case.

NICS-11.
Signed-off-by: Ben Pfaff <blp@nicira.com>

sflow_agent: Use snprintf() in place of sprintf().

These functions use sprintf() into a 1000-byte buffer. It appears to me
that the strings they format are either short, fixed-length strings or the
output of strerror(), neither of which should ordinarily overflow.
However, using snprintf() cannot hurt.

Launchpad bug #914160.
Reported-by: Matthias Klose <doko@ubuntu.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Fix merge error that caused memory leak.

Commit 5aa0fe5be (ofproto-dpif: Fix use-after-free error in
handle_miss_upcalls().), a crossport from master of commit 33bb0caa6,
did not include this necessary change, causing a memory leak.

Bug #9493.
Reported-by: Michael Hu <mhu@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

Set dates for 1.4.0 release.

NEWS: Point out userspace is compatible with Linux 3.3 OVS kernel module.

ofproto-dpif: Fix use-after-free error in handle_miss_upcalls().

When handle_flow_miss() saw that subfacet did not have any actions, then
the associated packet would get freed early, in the loop that constructs
the set of batched operations.  However, there would still be a "flow_put"
operation that referenced the key that shares the same memory block as the
packet.  The memory allocator would overwrite the first few bytes of this
block, causing bizarre errors in the flow_put.

This commit changes the memory release strategy to be less error-prone, by
deferring all freeing of packets to the end of the function.  With this
change, every packet gets freed in the same place, instead of having some
packets freed in one place and other packets freed in another.

Here is the valgrind report that pinpoints the problem:

Invalid read of size 4
   at 0x4026838: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x80E9B52: dpif_linux_flow_to_ofpbuf (dpif-linux.c:1714)
   by 0x80E9C77: dpif_linux_operate (dpif-linux.c:883)
   by 0x80AFB5A: dpif_operate (dpif.c:994)
   by 0x809A03B: handle_upcalls (ofproto-dpif.c:2758)
   by 0x809A23A: run_fast (ofproto-dpif.c:757)
   by 0x808C04E: ofproto_run_fast (ofproto.c:963)
   by 0x806DFB6: bridge_run_fast (bridge.c:1811)
   by 0x8074B59: main (ovs-vswitchd.c:98)
Address 0x4427948 is 80 bytes inside a block of size 2,048 free'd
   at 0x402421C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x80CD865: ofpbuf_delete (ofpbuf.c:187)
   by 0x80CD8AA: ofpbuf_list_delete (ofpbuf.c:531)
   by 0x8099F06: handle_upcalls (ofproto-dpif.c:2747)
   by 0x809A23A: run_fast (ofproto-dpif.c:757)
   by 0x808C04E: ofproto_run_fast (ofproto.c:963)
   by 0x806DFB6: bridge_run_fast (bridge.c:1811)
   by 0x8074B59: main (ovs-vswitchd.c:98)

Bug #9346.
Reported-by: Alan Shieh <ashieh@nicira.com>
Reported-by: Ethan Jackson <ethan@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

table: Avoid segmentation fault when printing an empty cell in JSON format.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-ctl: Restore ability to create 256 bridges.

OVS is supposed to support at least 256 bridges simultaneously, but the
file descriptor count was a little too low for that.

Build tested only.

Bug #8218.
Reported-by: Luca Giraudo <lgiraudo@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto: Optionally flush all learning tables with appctl.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

tests: Fix broken interface-reconfigure tests.

Commit acfb4e9597 updated the interface-reconfigure scripts without
updating the corresponding tests, causing false test failures.

Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Delete log files correctly when packages are purged.

Debian Policy 10.8 says "Log files should be removed when the package is
purged (but not when it is only removed)," but the Open vSwitch packages
didn't properly implement this:

   - The openvswitch-brcompat and openvswitch-pki packages didn't delete
     their log files at purge time.

   - The openvswitch-switch package deleted all of the log files at purge
     time, even those owned by openvswitch-brcompat or openvswitch-pki.

This commit fixes both problems.

CC: 656448@bugs.debian.org
Reported-by: Andreas Beckmann <debian@abeckmann.de>
Signed-off-by: Ben Pfaff <blp@nicira.com>

xenserver: Only replace XenServer hosts scripts that we recognize.

Open vSwitch comes with slightly improved versions of upstream Citrix
XenSever host scripts.  Until now, the Open vSwitch RPMs have always
installed its own versions of the scripts over the Citrix versions.  This
commit changes behavior to replace the scripts only if we recognize the
exact versions being replaced.  This approach seems safer given that the
benefits of the OVS changes are minor and we don't want to break any
upstream changes inadvertently.

Signed-off-by: Ben Pfaff <blp@nicira.com>

xenserver: Synchronize scripts with XenServer 6.0.0.

This commit updates the "vif" and "interface-reconfigure" scripts installed
by Open vSwitch on Citrix XenServer with those in XenServer 6.0.0.

Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Fix version check for 3.2.

We support Linux 3.2 and all of its patch levels but the current
check only allows for 3.2.0.

Reported-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

ofproto-dpif: Revalidate flows after "fdb/flush".

Otherwise bad translations can stick around.

Bug #9253.
Reported-by: Paul Ingram <paul@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Correct GRE checksum offset.

If a statically defined GRE key is used with checksums then the
checksum will overwrite the key. This is because the key is set
at header caching time and the checksum is set at packet processing
time and we don't update the offset on packet processing because
we don't do anything with the key.

Reported-by: Christos Argyropoulos <cargious@netmode.ntua.gr>
Signed-off-by: Jesse Gross <jesse@nicira.com>

ofproto-dpif: Fix "ofproto/trace" command.

Commit 0e15264f96e3c (unixctl: Implement quoting.) broke one form of
ofproto/trace. This fixes it.

Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Enforce mutual exclusion between bridge and brcompat_mod.

In kernels 2.6.36, Open vSwitch can (and does) safely coexist with the
Linux bridge module, but it does not make sense to load both bridge and
brcompat_mod at the same time. Until now, nothing has prevented both from
loading; when they both load, confusion (at best) results. This fixes
the problem by enforcing mutual exclusion.

Bug #9226.
Launchpad bug #917309.
Reported-by: Rogério Vinhal Nunes
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

netdev-dummy: Fix use-after-free error.

Found by valgrind.

Signed-off-by: Ben Pfaff <blp@nicira.com>

Declare the version as "1.5.0".

datapath: IFF_OVS_DATAPATH is backported by RHEL 6.2.

On kernels 2.6.37 and above IFF_OVS_DATAPATH has a unique value upstream,
on 2.6.36 we define it to be IFF_BRIDGE_PORT and below to 0. There isn't
really a good reason to use IFF_BRIDGE_PORT on 2.6.36 (and it's perhaps
bad because it's checked in a few places and we don't want those checks
to trigger on just this kernel) and it makes it difficult to know what
value we should use in the face of backporting. Therefore, this just
uses 0 on the places where we don't have a real value.

Reported-by: Benoit ML <ben42ml@gmail.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

dpif-netdev: Make port numbers predictable for dummy dpif, for unit tests.

The unit tests feed a lot of flows through the ofproto-dpif "trace"
command, which means that they need to know the port numbers of the ports
that they create. Until now, they've had to actually query those port
numbers from the database, which is a bit of unnecessary overhead for unit
tests.

This commit makes dummy dpif port numbers predictable: if the name of a
port contains a number, then the dummy dpif uses that number, if it is
valid and available, as the port number.

This commit also simplifies the unit tests that previously queried port
numbers to depend on the new behavior.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ofp-util: Extend message decoding data structures with version field.

This makes it possible to add entries for decoding OpenFlow messages with
newer versions, e.g. OpenFlow 1.1 or 1.2. However, no actual messages for
newer versions are actually implemented yet; that will come later.

Signed-off-by: Ben Pfaff <blp@nicira.com>

nicira-ext: Rename "struct nxt_*" to "struct nx_*".

Most structures in this file have an "nx_" prefix, so this makes naming
more consistent.

Signed-off-by: Ben Pfaff <blp@nicira.com>

SubmittingPatches: Fix typo.

Reported-by: Reid Price <reid@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: Document maximum queue_id for Linux QoS.

The code enforces an exclusive maximum of 0xf000 on queue_ids for
Linux queueing disciplines, but the documentation doesn't mention
this limitation.

Reported-by: Michael Mao <mmoa@nicira.com>
Signed-off-by: Ethan Jackson <ethan@nicira.com>

odp-util: Handle ipv6 in set nw action.

Rather than silently skipping ipv6 action generation, following patch
generates OVS_ACTION_ATTR_SET action for ipv6. Datapath which do not
support ipv6 action can reject this action.

Bug #8758
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

ofproto-dpif: Honor statistics in packet_out().

A "packet out" ordinarily isn't accounted to any OpenFlow rule,
because its actions come directly from the controller instead of
from an OpenFlow rule. However, any "resubmit" actions or output
to OFPP_TABLE within the set of actions do bring in actions from a
rule, and the "packet out" should be accounted to the rule in that
case. This commit implements that behavior.

Reported-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Ethan Jackson <ethan@nicira.com>

Don't specify program name in passive connection man page fragments.

The vconn and ovsdb passive connection man page fragments used the
PN (program name) macro to describe their functionality. This was
usually correct, but in the case of ovs-vsctl, they may be used to
describe configuring ovs-vswitchd. This commit rewords the fragments to
make them correct regardless of whether they're describing a local or
remote passive connection.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

ovsdb-tool: Use typical db and schema install locations as defaults.

This makes ovsdb-tool easier to use in the common case.

Feature #7756.
Requested-by: Reid Price <reid@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Fix multipart datapath dumps.

The logic to split up the list of datapaths into multiple Netlink messages
was simply wrong, causing the list to be terminated after the first part.
Only about the first 50 datapaths would be dumped. This fixes the
problem.

Bug #9124.
Reported-by: Paul Ingram <paul@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

NEWS: Fix typo.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-vsctl: Add set relational operators to "find" command.

Requested-by: Shih-Hao Li <shli@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovsdb-data: Short-circuit ovsdb_datum_includes_all() in trivial case.

Signed-off-by: Ben Pfaff <blp@nicira.com>

news: Mention NXM_PACKET_IN.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

openflow: New Nicira Extended PACKET_IN format.

The new PACKET_IN format implemented in this patch includes flow
metadata such as the cookie, table_id, and registers.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ofproto-dpif: Implement PACKET_IN in userspace.

In future patches, PACKET_IN messages will include meta-data which
is only available in userspace during action translation. Either,
this data needs to be stored until it's required by a userspace
datapath action, or the PACKET_IN messages must be sent at the time
the data is available. This patch implements the latter.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

nx-match: New function nx_pull_match_loose().

Future patches will need the ability to skip over unsupported NXM
headers.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

flow: Create new flow_metadata structure for packet_in messages.

This will ease the implementation of future patches.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

packets: New packet_set_*() helper functions.

This commit pulls code used to modify L3 and L4 header fields
from dp_netdev into the packet library. An additional user will
be added in a future commit.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ofputil: New function ofputil_decode_packet_in().

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ofp-util: Don't use ofpbuf in ofputil_packet_in struct.

This will make the memory ownership clearer in future patches which
make more extensive use of ofputil_packet_in.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ofproto: Always clone packets in PACKET_IN message.

This patch removes an optimization which significantly complicates
the code in ways which would get worse in future patches if not
removed. Furthermore, future patches will have fewer cases which
can take advantage of the optimization further mitigating its
justification.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

tests: Unit test PACKET_IN.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ovs-ofctl: Support daemonization for monitor and snoop.

This will ease implementation of future unit tests.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ofp-print: Print checksum in ofp_packet_to_string().

This will improve the unit tests of future patches.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ofp-print: Remove tcpdump from ofp_packet_to_string().

Instead this patch uses flow_format() which gives very similar
output. This patch will improve the reliability of unit tests in
future patches which rely on the results of ofp_packet_to_string().

Signed-off-by: Ethan Jackson <ethan@nicira.com>

packets: Mask out CFI bit in eth_push_vlan().

We should never push a VLAN tag with the CFI bit set. This patch
defensively enforces this invariant.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

pktbuf: Directly use pointers in pktbuf_save().

In future patches, directly using a void * pointer in the
pktbuf_save() definition will simplify the code.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ofp-print: Remove vestigial 'total_len' argument.

ofp_print_packet() and ofp_packet_to_string() don't use the
'total_len' argument which they require callers to supply.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

flow: Improve flow_format() output.

I find this significantly easier to read.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ofpbuf: Maintain header pointers in clone functions.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

classifier: Update cls_rule_set_in_port() prototype.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

debian: Look in /lib/modules instead of /usr/src for DKMS kernel sources.

DKMS packages usually look in /lib/modules for kernel sources, since that
is the "standard" location, but our packages was looking directly in
/usr/src. This fixes the problem.

Reported-by: Alban Browaeys <prahal@yahoo.com>
Tested-by: Alban Browaeys <prahal@yahoo.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Ignore temporary files for openvswitch-test package too.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-monitor-ipsec: Don't reconfigure cert-based authentication as often.

ovs-monitor-ipsec wakes up when the Interface table is modified.  To
prevent needless reconfiguration, it maintains a dictionary of the
currently implemented configuration and compares it to any new changes.
Unfortunately, for certificate-based authentication we create a new
"peer_cert_file" key in our local dictionary, which always causes the
comparison to fail.  This forces expensive renegotiation for any change
in the Interface tables.  This commit uses set difference to detect
changes from the previous configuration as opposed to a straight simple
comparison.

Bug #9103

Signed-off-by: Justin Pettit <jpettit@nicira.com>

ovs-ctl: Pull system_type and system_version from config file

Currently system-type and system-version can only be set through
ovs-vsctl and ovs-ctl in the commandline. This patch allows you
to place system-type.conf and system-version.conf files in $etcdir
and their contents will be used if no arguments are specified with
ovs-vsctl or ovs-ctl.

Bug #9033.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>

ofproto-dpif: Keep subfacets longer to avoid assert-fail in facet_account().

If a subfacet expired when its facet still had statistics that had not
yet been pushed into the rule, and the facet either used the "normal"
action or the bridge contained a bond port, then facet_account() would
be called after the last subfacet was removed from its facet's list of
subfacets, triggering an assertion failure in list_front().

This fixes the problem by always running facet_flush_stats() (which calls
facet_account()) before deleting the last subfacet from a facet.

This problem took a while to surface because subfacets usually expire only
long after their statistics have been pushed into the rule.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Reported-by: Mike Kruze <mkruze@nicira.com>
Bug #9074.

ovs-benchmark: Improve output format for "rate" command.

Before, the "rate" command kept the status of the test continually updated
on the screen. This form of output is nice to watch, but it isn't very
useful for reporting, because you only end up with a single number at the
end, and redirecting it to a file yields one long line with lots of
carriage returns.

This commit simplifies the output format by simply printing one line per
second.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif.at: Add test for normal action with OFPP_NONE in_port.

Commit 33158a (ofproto-dpif: Fake-up OFPP_NONE input bundle for
mirroring and normal.) fixed handling of packets sent from a controller
with an ingress port of OFPP_NONE.  It includes a unit test for the
mirroring case, but not the "normal" processing case.  The reason is
that the test requires commit fadc05 (ofproto-dpif: Fix nondeterministic
flow revalidation behavior.), which removes a check that causes the test
to fail.  That fix isn't available in all branches that 33158a is on, so
this test is only being run on those that are.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

tests: Fix bug in NetFlow test case.

The "sed" command here is intended to replace something like 1234...1234
(where the two numbers are the same) with <moment> and something like
1234...2345 (where the two numbers differ) with <range>, but in fact it
accidentally changed, e.g., 10...1016 into <moment>16. This commit fixes
that.

This fixes only a test case, not the code under test.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #9057.

datapath: Implement flow table re-hashing.

Following patch introduces a timer based event to rehash flow-hash
table. It makes finding collisions difficult to for an attacker.

Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Fix OVS compat workqueue support.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Add genl_exec().

genl_lock is not exported from older kernel. Following patch add
genl_exec() which can run any function (passed as arg) with
genl_lock held.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

ofproto-dpif: Fake-up OFPP_NONE input bundle for mirroring and normal.

Both mirroring and "normal" processing make use of the input bundle to
perform various sanity checks. Controller-generated traffic typically
uses an ingress port of OFPP_NONE, which doesn't have a corresponding
input bundle. This commit fakes one up well enough that mirroring and
"normal" processing succeed.

We looked at creating an actual bundle based on the "real" OFPP_NONE.
This was even uglier, since there were even more special-cases that
needed to be handled, including having to hide it from port queries.

Reported-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Justin Pettit <jpettit@nicira.com>

ofproto-dpif: Have lookup_input_bundle() return a bundle.

Previously, the function returned an "ofport_dpif", but it makes more
sense to return an "ofbundle". This will also be helpful in a
forthcoming commit.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

ofproto-dpif: Fix nondeterministic flow revalidation behavior.

SLB bonds are very strange beasts.  It's taken OVS a while to figure out
how they should really work.  Way back in the mists of time, when we were
in the midst of this process, we noticed that the following could happen:

1. Local VM sends a packet to the OVS bridge.
2. OVS bridge learns VM's MAC, forwards packets to SLB bond.
3. Remote switch hasn't learned packet's destination and
   forwards packet back to other interfaces in the SLB bond.

Normally nothing bad happens in this scenario because OVS has already
learned the local port for the VM's MAC in step 2 and the rules for SLB
bonding (this is rule #2 in vswitchd/INTERNALS).  But at the time we were
implementing this, OVS didn't yet use active flows to keep MAC learning
entries alive; only new flows prevented a MAC entry from aging out.  So
in steady state (e.g. just "ping" traffic) OVS would regularly forget MAC
addresses.  If the remote switch also happened to forward a packet back to
one of the SLB bond interfaces, then OVS would learn the VM's address on
the bond, with the result that any traffic coming in from the remote switch
would be black-holed until the VM sent a new packet.  This was not good.

The fix we applied at the time was commit 2416b8ecea (bridge: Eject NORMAL
flows without a learning entry from datapath.) followed by a small
refinement in commit e96a4d8035 (bridge: Feed flow stats into learning
table.).  This fix causes flows that don't have a learning entry to be
ejected from the datapath if revalidation occurs.  This forced the next
packet in the flow to go to userspace, which in turn caused learning to
happen, fixing the problem.

However, this isn't a good solution for several reasons:

* It forces more packets to userspace, which is expensive.

* It doesn't just affect the cases where it helps, those where an
  SLB bond is actually involved.  (This could be fixed, but it is
  not worth it.)

* It means that flow installability becomes nondeterministic.  When
  the first packet shows up for a flow, we install it.  But later
  if we revalidate it, we have to uninstall it.  That doesn't make
  sense; a flow should be either installable or not installable,
  not some weird mix.

Fortunately, the situation has improved since this fix was originally
designed.  First, active flows now keep MAC learning entries alive, since
commit e96a4d8035367 (bridge: Feed flow stats into learning table.)
Second, gratuitous ARP locking, added in commit 7febb9100b (bridge: Filter
some gratuitous ARPs on bond slaves.) means that gratuitous ARPs reflected
on bond slaves don't cause confusion (this is rule #4 in
vswitchd/INTERNALS).

These improvements mean that it is no longer necessary to have this
strange special case at all.  Therefore, this commit removes it.

I found this while investigating reports from code that I added to
occasionally check that flow actions were correct.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto: Fix detection of in-use VLANs based on the flow table.

I swear I tested this, but the code was obviously wrong.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Reported-by: Brendan Kelley <bkelley@nicira.com>
Bug #8729.

AUTHORS: Move Rob Hoes to list of commit contributors.

He is the author of at least commit 3249bb907a1d (xenserver: Reduce number of
xapi DB calls in plugin).

Signed-off-by: Ben Pfaff <blp@nicira.com>

AUTHORS: Add Dominic Curran <dominic.curran@citrix.com>.

Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: Also consider access port VLANs as "in use" for VLAN splinters.

It's natural to add an access port to a bridge and expect that trunk ports
will then immediately start to work properly with that VLAN without
additional configuration. This change makes that happen.

Signed-off-by: Ben Pfaff <blp@nicira.com>

unixctl: Improve readability of "help" output for long command names.

Without this change, if a unixctl command name is 23 character long or
longer, no space appeared between the command name and its usage. This
commit ensures that at least one space always appears.

No command yet has a name this long. I discovered this issue when I added
one that does.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Fix GCC warning.

gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-48) warned:

    ofproto/ofproto-dpif.c: In function 'bundle_send_learning_packets':
    ofproto/ofproto-dpif.c:1835: warning: dereferencing type-punned pointer
    will break strict-aliasing rules

I agree that its analysis matches what the C standard says.  This commit
fixes the problem and avoids the warning.

The assignment to 'port' isn't actually necessary.  I included it because
I like to have a variable with the correct type near the use of that type
through a "void *".  Then "grep" for that type is more effective, and the
compiler will be able to diagnose any later change to (in this case) the
type of the first parameter to send_packet().

Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Omit "execute" operation entirely when there are no actions.

There's no point in executing an empty set of actions.

dpif_execute() has had this optimization internally for a long time but
dpif_operate() doesn't. For dpif_operate() it seems like a bigger win to
optimize it at this higher level, avoiding adding any operation to the
array at all.

Signed-off-by: Ben Pfaff <blp@nicira.com>

Debian: Depend on python (>= 2.7) | python-argparse

Depend on python (>= 2.7) | python-argparse instead of
python-argparse to avoid pulling in python2.6

See: http://bugs.debian.org/653645

Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-ofctl: Fix "cookie mask" issue in diff-flows command.

Commit e729e79 (Add ability to restrict flow mods and flow stats
requests to cookies.) introduced a cookie_mask field to the
ofputil_flow_stats_request struct that allowed restricting the flows to
a particular cookie pattern. The diff-flows command uses the
read_flows_from_switch() function, which did not properly initialize
this field, which would cause it to miss flows. This commit sets the
value to zero, which allows any cookie.

Bug #8984

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Reported-by: Luca Giraudo <lgiraudo@nicira.com>

Add ability to restrict flow mods and flow stats requests to cookies.

With this commit, it is possible to limit flow deletions and
modifications to specific cookies. It also provides the ability to
dump flows based on their cookies.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

ovs-ofctl: Fix error in man page related to TCI masks.

Signed-off-by: Justin Pettit <jpettit@nicira.com>