git.onelab.eu Git - sliver-openvswitch.git/log

nicira-ext: Support matching IPv6 traffic.

Provides ability to match over IPv6 traffic in the same manner as IPv4.
Currently, the matching fields include:

    - IPv6 source and destination addresses (ipv6_src and ipv6_dst)
    - Traffic Class (nw_tos)
    - Next Header (nw_proto)
    - ICMPv6 Type and Code (icmp_type and icmp_code)
    - TCP and UDP Ports over IPv6 (tp_src and tp_dst)

When defining IPv6 rules, the Nicira Extensible Match (NXM) extension to
OVS must be used.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

nicira-ext: Support matching ARP source and target hardware addresses.

OpenFlow 1.0 doesn't allow matching on the ARP source and target
hardware address.  This has caused us to introduce hacks such as the
Drop Spoofed ARP action.  Now that we have extensible match, we can
match on more fields within ARP:

    - Source Hardware Address (arp_sha)
    - Target Hardware Address (arp_tha)

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

lib: Replace IP_TYPE_ references with IPPROTO_.

A few common IP protocol types were defined in "lib/packets.h". However,
we already assume the existence of <netinet/in.h> which contains a more
exhaustive list and should be available on POSIX systems.

lib: Move l4 flow hash to the flow library.

This commit moves hash_symmetric_l4() to the flow library so that
it may be used in future patches.

ovs-vlan-test: clearly indicate failure.

Debian: Make ovsdb-server use manager_options column to find managers.

ovsdb-server: Write manager status information to Manager table.

This commit makes the status of manager connections visible via the Manager
table in the database. Two new columns have been created for this purpose:
'is_connected' and 'status'. The former is a boolean flag, and the latter is a
string-string map which may contain the keys "last_error", "state", and
"time_in_state".

Requested-by: Keith Amidon <keith@nicira.com>
Reviewed by: Ben Pfaff.
Feature #3692.

tests: Add test suite for packets.h.

This only tests ip_is_cidr(), since that is the only tricky function
currently defined. This will get more use once IPv6 functions are
added.

ovs-ofctl: Group NXM field matches into own subsection of man page.

A number of new matching fields are going to be introduced shortly that
will require NXM (Nicira Extended Match). Rather than repeating the
same description for each field, this change groups them together with a
common preface.

ovs-ofctl: Fix small typo about nw_tos in man page.

lib: Fix off-by-one error in route-table.

datapath: Dump flow actions only if there is room.

Expanding an skbuff in a netlink dump handler doesn't work well.  We
weren't updating the truesize of the skb or the allocation within the
socket that netlink_dump() had put the skb in.  The code had other bugs
too.

This commit fixes the problem (in my tests, anyway) by avoiding expanding
the reply skbuff to fill in the actions.  Instead, in such a case the
userspace client has to do a separate "get" action to get the actions.
This commit also updates userspace to do this automatically for dumps in
the cases where the caller cares (only "ovs-dpctl dump-flows" currently
cares).

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Bug #4520.

datapath: Fix behavior of NLA_NESTED for pre-2.6.29 kernels.

Before v2.6.29, a NLA_NESTED attribute, if it was present, was not allowed
to be empty.  However, OVS depends on the ability to accept empty
attributes.  For example, a present but empty ODP_FLOW_ATTR_ACTIONS on
ODP_FLOW_CMD_SET replaces the existing set of actions by an empty "drop"
action, whereas a missing ODP_FLOW_ATTR_ACTIONS leaves the existing
actions, if any, unchanged.

NLA_NESTED is different from NLA_UNSPEC in only two ways:

* If the size of the nested attributes is zero, no further size checks
  are performed.

* If the size of the nested attributes is not zero and no length
  parameter is specified the minimum size of nested attributes is
  NLA_HDRLEN.

nla_parse_nested() validates that there is at least enough space for
NLA_HDRLEN, so neither of these conditions are important, and we might
as well use NLA_UNSPEC with old kernels.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

dpif-linux: Always pass an actions attribute in dpif_flow_put().

The kernel expects that ODP_FLOW_NEW always has an ODP_FLOW_ATTR_ACTIONS
attribute, even though that attribute may be empty to drop all of the
packets in the flow. Similarly, ODP_FLOW_SET as used by
dpif_linux_flow_put() should always have such an attribute, since it is
used by OVS to update the flow's actions. So make it possible for
dpif_linux_flow_to_ofpbuf() to pass an empty actions attribute, and make
dpif_linux_flow_put() always force that behavior if the actions_len passed
to it is 0.

This fixes EINVAL error creating flows to drop packets.

Acked-by: Jesse Gross <jesse@nicira.com>

lib: route-table improvements.

This commit makes several changes to the route_table code used to
populate tunnel_egress_iface.

- It removes name_table code from netdev-vport and puts it into
  route-table.

- It no longer attempts to build the name_table dynamically by
  listening to rtnetlink-link notifications.  Instead it dumps the
  entire table, and uses rtnetlink-link notifications to indicate a
  re-dump is required.

- It forces rtnetlink-link notifications to re-dump the routing
  table.  This fixes an issue where bringing an interface down or
  removing it altogether would not have the expected effect on
  related tunnel_egress_ifaces.

lib: netdev-vport improperly initialized route-table.

netdev-vport unregistered the routing table in its destroy
function, but registered it in its init function. This could
cause the routing table to be unregistered when it shouldn't have
been causing segmentation faults.

Bug #4526.

tests: Fix tests with UCS-2 Python.

Python can be built with either UCS2 or UCS4 support. When built
with UCS2 the python related surrogate pairs tests cannot pass.
This commit handles this situation more gracefully.

dpif-linux: Read flow used time.

We were never storing the flow used time from the Netlink message
into our local struct, which caused flows to timeout prematurely.

Acked-by: Ben Pfaff <blp@nicira.com>

datapath: Fix flow time used computation.

The current reporting of flow last used time has two issues that
cause it to incorrectly report the system monotonic time when the
flow was last used.

The first is that it simply converts the stored jiffies value to
milliseconds by scaling with a constant.  This does not work because
jiffies is not zero based and can wrap around on 32-bit platforms.

The second is there is no guarantee that jiffies advances at the
same rate as the RTC based monotonic time that userspace uses.
A variety of factors can cause differences, including system suspend
and clock drift.  These are not too important for relatively short
time periods such as the duration of the flow (nor is the flow timing
precision of extreme importance).  However, when the time being
measured is the duration since system boot (assuming that the above
issues had been addressed) the difference can become significant.

This addresses both issues by restoring behavior similar to the
previous method of computing the flow used time, though in a
slightly different form to reflect the needs of the Netlink code.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

datapath: Avoid nla_parse_nested const warning on < 2.6.22.

We mark our Netlink policies as const for safety but the argument
to nla_parse_nested didn't become const until 2.6.22, which provokes
warnings. This casts away the constness on affected kernels to
avoid the warnings.

Reported-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

util: New ovs_retval_to_string() function.

Many OVS functions return 0, EOF, or errno. There are several places in the
codebase where a return value is converted to a string. All must decide whether
the return value is set, and if it is, whether it is an errno value, EOF, or
otherwise invalid. This commit consolidates that code.

Reviewed by Ben Pfaff.

datapath: Correct version check for genetlink net namespaces.

Network namespaces were introduced in 2.6.24, not 2.6.19 as some of the
version checks were looking for. This caused compile errors in that
kernel range when the functions couldn't be found. In addition,
namespace support wasn't initially available in Netlink so the netns
headers weren't included, causing compile problems for a few more
kernels.

Reported-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

datapath: Drop allocation of memory for ODP_PACKET_ATTR_TYPE.

When doing an upcall we allocate memory for ODP_PACKET_ATTR_TYPE.
However, ODP_PACKET_ATTR_TYPE does not exist - the type is specified
by the command.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

odp-util: Print EtherTypes consistently.

The '#' format specifier doesn't respect the field width modifier,
so EtherTypes are printed with variable length. Zero is not a valid
EtherType so there isn't a need for the logic to dynamically insert
the 0x prefix (if the EtherType isn't specified it won't be printed
at all). This fixes the EtherType to have the intended format and
also changes the vlan TPID to match.

dpif-linux: Add missing NLM_F_ECHO flag to flow requests.

Flow transactions expect a response after the operation has completed
but the request did not have NLM_F_ECHO set. This caused userspace
to receive only the Netlink ACK instead of a real response, making
it appear that the operation had failed when it actually succeeded.

dpif-linux: Remove extraneous name variable.

Fixes a "used uninitialized" warning.

datapath: Use multicast groups allocated for upcalls.

We allocate a number of multicast groups and stripe upcalls across
them using a hash function. However, instead of using the ID of
the selected group for the upcall multicast we were directly using
the output of the hash function. In the best case this leads to
intermittent failures when we choose an invalid group ID (such as
0) or in the worse case could lead to access of unallocated memory.
This fixes that by looking up the group we have been allocated.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

debian: Remove extra space in switch init script.

datapath: s/ODPAT_/ODP_ACTION_ATTR_/ to fit new naming scheme.

Jesse suggested this naming scheme, so I'm adjusting existing names to
fit it.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

dpif: Remove dpif_get_all_names().

None of the remaining dpif implementations have more than one name per
dpif, so there's no need for this function anymore.

Suggested-by: Jesse Gross <jesse@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Change dp_idx to dp_ifindex, the ifindex of the local port.

I can't see any real value in maintaining a dp_idx separate from the
ifindex of the local port. With the current implementation it also
artificially limits the number of datapaths.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

dpif-linux: Replace 'minor' by 'dp_idx'.

The dp_idx used to be the character device minor number, but there's no
character device anymore, so rename for clarity.

Reviewed by Justin Pettit.

datapath: Convert ODP_FLOW_* commands to use AF_NETLINK socket layer.

This completes the transition to the Generic Netlink interface, and
so this commit restores support for Linux 2.6.18 and later.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Convert ODP_VPORT_* to use AF_NETLINK socket layer.

This commit calls genl_lock() and thus doesn't support Linux before
2.6.35, which wasn't exported before that version. That problem will
be fixed once the whole userspace interface transitions to Generic
Netlink a few commits from now.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Convert ODP_DP_* commands to use AF_NETLINK socket layer.

This commit calls genl_lock() and thus doesn't support Linux before
2.6.35, which wasn't exported before that version. That problem will
be fixed once the whole userspace interface transitions to Generic
Netlink a few commits from now.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Convert upcalls and ODP_EXECUTE to use AF_NETLINK socket layer.

This commit calls genl_lock() and thus doesn't support Linux before
2.6.35, which wasn't exported before that version. That problem will
be fixed once the whole userspace interface transitions to Generic
Netlink a few commits from now.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Adopt Generic Netlink-compatible locking.

The kernel Generic Netlink layer always holds a mutex (genl_lock) when it
invokes callbacks, so that means that there is no point in having
per-datapath mutexes or a separate vport lock. This commit removes them.

This commit breaks support for Linux before 2.6.35 because it calls
genl_lock(), which wasn't exported before that version. That problem will
be fixed once the whole userspace interface transitions to Generic
Netlink a few commits from now.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Eliminate vport_mutex by protecting vport table with RCU.

The vport_mutex really only protects the vport dev_table, which isn't very
much. By getting rid of it we take one step toward simplifying the vswitch
locking, which will necessarily have to be based mainly around the Generic
Netlink genl_mutex once we switch to Generic Netlink.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Backport more Netlink functions.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Backport genl_register_family_with_ops().

Besides the user introduced in this commit, the new Netlink-based datapath
communication code will use this function.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Reported-by: Justin Pettit <jpettit@nicira.com>

datapath: Extend compatibility code for genl_register_mc_group().

The existing compatibility code for genl_register_mc_group() always returns
the same value because the only caller (in brcompat_mod) only needs a
single multicast group. However, when the datapath is converted over to
using Netlink in an upcoming commit, openvswitch_mod will start needing a
number of multicast groups, so this commit adds this ability.

The multicast group ranges differ for brcompat_mod and openvswitch_mod so
that they don't interfere with one another. (This would waste time in
ovs-brcompatd and ovs-vswitchd, although it would not be fatal.)

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

Eliminate ODPL_* from userspace-facing interface.

Reviewed by Justin Pettit.

datapath: Get rid of ODPP_NONE.

This definition wasn't actually useful for the kernel--the only place that
it was used it didn't really have to be, so this commit removes it from
datapath-protocol.h. It is still marginally useful in userspace, at least
as a value that converts to and from OpenFlow port number OFPP_NONE, so
move it to odp-util.c.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Convert ODP_EXECUTE to use Netlink framing.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Remove non-standard nla_put_be{16,32,64} functions.

These aren't part of any version of Linux, so delete them now that the code
does not use them.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Suggested-by: Jesse Gross <jesse@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Convert datapath operations to use Netlink framing.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Convert ODP_FLOW_* and ODP_EXECUTE to put dp_idx into message.

When the datapath moves to the Netlink protocol it won't have a minor
number to use, so we have to put the dp_idx in the message.

This also changes the kernel implementation of ODP_FLOW_FLUSH to do the
datapath locking inside flush_flows() instead of inside openvswitch_ioctl()
but doesn't change that command's userspace interface, which still passes
a datapath number as the ioctl argument.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Eliminate 'flags' member from odp_flow.

Nothing was productively using the 'flags' member of odp_flow, so this
commit removes it.

ODPFF_ZERO_TCP_FLAGS isn't used at all (as of the previous commit).

ODPFF_EOF has been replaced by a special case of the 'key_len' member.
This will go away, too, once AF_NETLINK starts being used.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

ofproto: Avoid using ODPFF_ZERO_TCP_FLAGS.

I'm planning to remove this flag, since it is a bit of a wart, so this
commit deletes its only actual user.

Reviewed by Ethan Jackson <ethan@nicira.com>.

ofproto: Generalize facet_put__() so that it is more useful.

This immediately makes it useful in facet_revalidate(). An upcoming
patch will add one more user.

This commit should not change any externally visible behavior. It
is a pure code refactoring.

Reviewed by Ethan Jackson <ethan@nicira.com>.

ofproto: Fix test for installability change when revalidating.

ctx.may_set_up_flow will become the new facet->may_install, so it's that
value that we should check instead of the current facet->may_install when
deciding whether to update the datapath flow.

Reviewed by Ethan Jackson <ethan@nicira.com>.

dpif: Eliminate ODPPF_* constants from client-visible interface.

Following this commit, the ODPPF_* constants are only used in
Linux-specific parts of OVS userspace code. This allows the actual Linux
datapath interface to evolve more freely.

Reviewed by Justin Pettit.

dpif: Eliminate "struct odp_flow_stats" from client-visible interface.

Following this commit, "struct odp_flow_stats" is only used in
Linux-specific parts of OVS userspace code. This allows the actual Linux
datapath interface to evolve more freely.

Reviewed by Justin Pettit.

dpif: Eliminate "struct odp_flow" from client-visible interface.

Following this commit, "struct odp_flow" and related data structures are
only used in Linux-specific parts of OVS userspace code. This allows the
actual Linux datapath interface to evolve more freely.

Reviewed by Justin Pettit.

datapath: Change ODP_FLOW_GET to retrieve only a single flow at a time.

This brings the code closer to what the Netlink interface will need to
implement.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Drop port information from odp_stats.

As with n_flows, n_ports was used regularly by userspace to determine how
much memory to allocate when listing ports, but it is no longer needed for
that. max_ports, on the other hand, is necessary but it is also a fixed
value for the kernel datapath right now and if we expand it we can also
come up with a way to report the expanded value.

The remaining members of odp_stats are actually real statistics that I
intend to keep.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Drop queue information from odp_stats.

This queue information will be available through the kernel socket layer
once we move over to Netlink socket as transports, so we might as well get
rid of the redundancy.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Drop flow information from odp_stats.

Userspace used to use the n_flows information here to decide how much
memory needed to be allocated to list flows, but that isn't necessary any
longer now that listing flows uses an iterator abstraction. The
cur_capacity and max_capacity members are just curiosities and don't
provide much information; if the implementation ever changes away from
the current hash table implementation then they could become meaningless
anyhow.

But more than anything, these aren't really the kind of statistics that
networking people usually care about.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Change userspace vport interface to use Netlink attributes.

One of the goals for Open vSwitch is to decouple kernel and userspace
software, so that either one can be upgraded or rolled back independent of
the other.  To do this in full generality, it must be possible to add new
features to the kernel vport layer without changing userspace software.
The customary way to do this in the Linux networking stack is to use
Netlink and in particular Netlink attributes.  This commit adopts that
model for the vport layer.  It does not yet actually start using the
Netlink socket layer, which will come later.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Make VERIFY_NUL_STRING verify the string length too.

It's better to use HAVE_NLA_NUL_STRING than a version check because the
Xen 2.6.18 kernels backport NLA_NUL_STRING and the nla_policy changes.

Just defining NLA_NUL_STRING to an innocuous value doesn't work, because
Linux before 2.6.19 doesn't define a 'len' member in struct nla_policy at
all (it was named 'minlen' and had different semantics), so attempting to
initialize it caused compile errors.

Grouping things this way also makes it clearer what needs to be deleted
when upstreaming.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Change vport type from string to integer enumeration.

I plan to make the vport type part of the standard header stuck on each
Netlink message related to a vport. As such, it is more convenient to use
an integer than a string. In addition, by being fundamentally different
from strings, using an integer may reduce the confusion we've had in the
past over the differences in userspace and kernel names for network device
and vport types.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

dpif: Eliminate "struct odp_port" from client-visible interface.

Following this commit, "struct odp_port" is only used in Linux-specific
parts of OVS userspace code. This allows the actual Linux datapath
interface to evolve more freely.

Reviewed by Justin Pettit.

ovs-dpctl: Use netdev_get_config() to print vport configurations.

This is cleaner than parsing "odp_port"s directly. It takes one step
toward eliminating use of odp_port from any userspace code outside of
lib/netdev-vport.c and lib/dpif-linux.c.

Reviewed by Justin Pettit.

netdev: Make netdev arguments fetchable, and implement for netdev-vport.

This gives network device implementations the opportunity to fetch an
existing device's configuration and store it as their arguments, so that
netdev clients can find out how an existing device is configured.

So far netdev-vport is the only implementation that needs to use this.

The next commit will add use by clients.

Reviewed by Justin Pettit.

datapath: Drop datapath index and port number from Ethtool output.

I introduced this a long time ago as an efficient way for userspace to find
out whether and where an internal device was attached, but I've always
considered it an ugly kluge. Now that ODP_VPORT_QUERY can fetch a vport's
info regardless of datapath, it is no longer necessary. This commit
stops using Ethtool for this purpose and drops the feature.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Make it possible to query vports by name regardless of datapath.

Until now it has only been possible to query a vport if you know what
datapath it is on.  This doesn't really make sense, so this commit removes
that restriction.  It is a little bigger than one might naturally expect
because locking changes are required.

This also allows us to get rid of the ETHTOOL_GDRVINFO kluge that has
bothered me for a long time.  The next commit does that.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Change listing ports to use an iterator concept.

One of the goals for Open vSwitch is to decouple kernel and userspace
software, so that either one can be upgraded or rolled back independent of
the other.  To do this in full generality, it must be possible to add new
features to the kernel vport layer without changing userspace software.  In
turn, that means that the odp_port structure must become variable-length.
This does not, however, fit in well with the ODP_PORT_LIST ioctl in its
current form, because that would require userspace to know how much space
to allocate for each port in advance, or to allocate as much space as
could possibly be needed.  Neither choice is very attractive.

This commit prepares for a different solution, by replacing ODP_PORT_LIST
by a new ioctl ODP_VPORT_DUMP that retrieves information about a single
vport from the datapath on each call.  It is much cleaner to allocate the
maximum amount of space for a single vport than to do so for possibly a
large number of vports.

It would be faster to retrieve a number of vports in batch instead of just
one at a time, but that will naturally happen later when the kernel
datapath interface is changed to use Netlink, so this patch does not bother
with it.

The Netlink version won't need to take the starting port number from
userspace, since Netlink sockets can keep track of that state as part
of their "dump" feature.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Report kernel's flow key when passing packets up to userspace.

One of the goals for Open vSwitch is to decouple kernel and userspace
software, so that either one can be upgraded or rolled back independent of
the other.  To do this in full generality, it must be possible to change
the kernel's idea of the flow key separately from the userspace version.

This commit takes one step in that direction by making the kernel report
its idea of the flow that a packet belongs to whenever it passes a packet
up to userspace.  This means that userspace can intelligently figure out
what to do:

   - If userspace's notion of the flow for the packet matches the kernel's,
     then nothing special is necessary.

   - If the kernel has a more specific notion for the flow than userspace,
     for example if the kernel decoded IPv6 headers but userspace stopped
     at the Ethernet type (because it does not understand IPv6), then again
     nothing special is necessary: userspace can still set up the flow in
     the usual way.

   - If userspace has a more specific notion for the flow than the kernel,
     for example if userspace decoded an IPv6 header but the kernel
     stopped at the Ethernet type, then userspace can forward the packet
     manually, without setting up a flow in the kernel.  (This case is
     bad from a performance point of view, but at least it is correct.)

This commit does not actually make userspace flexible enough to handle
changes in the kernel flow key structure, although userspace does now
have enough information to do that intelligently.  This will have to wait
for later commits.

This commit is bigger than it would otherwise be because it is rolled
together with changing "struct odp_msg" to a sequence of Netlink
attributes.  The alternative, to do each of those changes in a separate
patch, seemed like overkill because it meant that either we would have to
introduce and then kill off Netlink attributes for in_port and tun_id, if
Netlink conversion went first, or shove yet another variable-length header
into the stuff already after odp_msg, if adding the flow key to odp_msg
went first.

This commit will slow down performance of checksumming packets sent up to
userspace.  I'm not entirely pleased with how I did it.  I considered a
couple of alternatives, but none of them seemed that much better.
Suggestions welcome.  Not changing anything wasn't an option,
unfortunately.  At any rate some slowdown will become unavoidable when OVS
actually starts using Netlink instead of just Netlink framing.

(Actually, I thought of one option where we could avoid that: make
userspace do the checksum instead, by passing csum_start and csum_offset as
part of what goes to userspace.  But that's not perfect either.)

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Convert odp_flow_key to use Netlink attributes instead.

One of the goals for Open vSwitch is to decouple kernel and userspace
software, so that either one can be upgraded or rolled back independent of
the other.  To do this in full generality, it must be possible to change
the kernel's idea of the flow key separately from the userspace version.
In turn, that means that flow keys must become variable-length.  This
commit makes that change using Netlink attribute sequences.

This commit does not actually make userspace flexible enough to handle
changes in the kernel flow key structure, because userspace doesn't yet
have enough information to do that intelligently.  Upcoming commits will
fix that.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

datapath: Change listing flows to use an iterator concept.

One of the goals for Open vSwitch is to decouple kernel and userspace
software, so that either one can be upgraded or rolled back independent of
the other.  To do this in full generality, it must be possible to change
the kernel's idea of the flow key separately from the userspace version.
In turn, that means that flow keys must become variable-length.  This does
not, however, fit in well with the ODP_FLOW_LIST ioctl in its current form,
because that would require userspace to know how much space to allocate
for each flow's key in advance, or to allocate as much space as could
possibly be needed.  Neither choice is very attractive.

This commit prepares for a different solution, by replacing ODP_FLOW_LIST
by a new ioctl ODP_FLOW_DUMP that retrieves a single flow from the datapath
on each call.  It is much cleaner to allocate the maximum amount of space
for a single flow key than to do so for possibly a very large number of
flow keys.

As a side effect, this patch also fixes a race condition that sometimes
made "ovs-dpctl dump-flows" print an error: previously, flows were listed
and then their actions were retrieved, which left a window in which
ovs-vswitchd could delete the flow.  Now dumping a flow and its actions is
a single step, closing that window.

Dumping all of the flows in a datapath is no longer an atomic step, so now
it is possible to miss some flows or see a single flow twice during
iteration, if the flow table is modified by another process.  It doesn't
look like this should be a problem for ovs-vswitchd.

It would be faster to retrieve a number of flows in batch instead of just
one at a time, but that will naturally happen later when the kernel
datapath interface is changed to use Netlink, so this patch does not bother
with it.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

stream: Fix error message.

This message is supposed to be helpful but with the arguments in the wrong
order it was just confusing.

ovsdb-server: Correct Manager inactivity probe column name.

ovsdb-server tries to read from a column named 'probe_interval' in the Manager
table, but the column is actually named 'inactivity_probe', so a
user-configured probe interval will never be used.

Debian: Don't include ovs-vlan-test man page in "common" package.

Commit f0d3bc (Debian: install man pages) added a few missing man pages
to the Debian "openvswitch-switch" package. The ovs-vlan-test man page
was already part of the "openvswitch-common" package, so the duplicate
man page causes installation problems.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

tests: Tolerate different versions of tcpdump.

The tcpdump output format differs slightly from one version to another, so
this test that runs tcpdump would fail depending on the system it was run
on. This commit fixes the problem by using "sed" to trim off the part of
the line that can differ.

Reported-by: Justin Pettit <jpettit@nicira.com>

datapath: Make VERIFY_NUL_STRING return a negative error code.

This is the common kernel convention. None of the callers currently do
anything with the return code except for test whether it is nonzero, so
they don't need any changes.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

xenserver: Use "ovs-dpctl dump-dps" instead of parsing "ovs-dpctl show".

Might as well use the dump-dps command as intended.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

ovs-dpctl: Use datapath enumeration functions instead of guessing names.

I'm planning to get rid of userspace knowledge of ODP_MAX and this change
gets rid of one user of it.

Reviewed by Justin Pettit.

netdev: Use shash and smap functions instead of inlined substitutes.

This simplifies the code and makes it easier to extend in upcoming commits.

Reviewed by Justin Pettit.

shash: New "smap" functions for working with string-to-string maps.

An shash always has string keys and sometimes it hash string values as
well. Usually the general-purpose shash functions are fine for working
with string-to-string maps, but this commit introduces a few more
specialized functions that only work with string-to-string maps. It's not
clear yet to me whether this should actually be a new data structure, so
for now the new functions just work on shashes.

This commit also converts one user of shash_destroy() to use smap_destroy().
This is the only existing user of these functions that I spotted as a
trivial conversion candidate while grepping.

These new functions will see more use in the following commit.

Reviewed by Justin Pettit.

odp-util: Improve formatting of bogus empty action attributes.

Before this change, these were formatted as:
,***%u leftover bytes***
After this change, they are formatted as:
<empty>,***%u leftover bytes***

Reviewed by Ethan Jackson <ethan@nicira.com>.

netlink-socket: Log Generic Netlink family names.

The ids for Generic Netlink family names aren't very helpful because they
can vary from machine to machine and even from one boot to the next. So
this change logs their names too.

This only affects logging at DBG level.

Reviewed by Ethan Jackson <ethan@nicira.com>.

netlink-socket: Consistently log sequence numbers in hexadecimal.

nlmsghdr_to_string() wrote sequence numbers in hex, but nl_sock_transact()
wrote them in decimal. This consistently switches to hexadecimal.

Reviewed by Ethan Jackson <ethan@nicira.com>.

netlink-socket: Make dumping and doing transactions on same nl_sock safe.

It's not safe to use a single Netlink fd to do multiple operations in an
synchronous way.  Some of the limitations are fundamental; for example, the
kernel only supports a single "dump" operation at a time.  Others are
limitations imposed by the OVS coding style; for example, our Netlink
library is not callback based, so nothing can be done about incoming
messages that can't be handled immediately.  Regardless, in OVS multicast
groups, transactions, and dumps cannot coexist on a single nl_sock.

This is only mildly irritating at the moment, but it will become much worse
later on, when dpif-linux shifts to using Netlink dumps for listing various
kinds of datapath entities.  When that happens, a dump will be in progress
in situations where the dpif-linux client might want to do other
operations.  For example, it is reasonable for the client to list flows
and, in the middle, look up information on vports mentioned in those flows.
It might be possible to simply ban and avoid such nested operations--I have
not even audited the source tree to find out whether we do anything like
that already--but that seems like an unnecessary cramp on our coding style.
Furthermore, it's difficult to explain and justify without understanding
the implementation.

This patch takes another approach, by improving the Netlink socket library
to avoid artificial constraints.  When an operation, or a dump, or joining
a multicast group would cause a problem, this patch makes the library
transparently create a separate Netlink socket.  This solves the problem
without putting any onerous restrictions on use.

This commit also slightly simplifies netdev_vport_reset_names().  It had
been written to destroy the dump object before the Netlink socket that it
used, but this is no longer necessary and doing it in the opposite order
saved a few lines of code.

Reviewed by Ethan Jackson <ethan@nicira.com>.

netlink-socket: Slightly improve logging of Generic Netlink messages.

This makes the stream of requests and replies very slightly easier to
understand.

Reviewed by Justin Pettit.

netlink-socket: New function for draining the receive buffer.

This will be used in an upcoming patch.

Reviewed by Justin Pettit.

netlink-socket: Add functions for joining and leaving multicast groups.

When this library was originally implemented, support for Linux 2.4 was
important. The Netlink implementation in Linux only added support for
joining and leaving multicast groups after a socket is bound as of Linux
2.6.14, so the library did not support it either. But the current version
of Open vSwitch targets Linux 2.6.18 and over, so it's fine to add this
support now, and this commit does so.

This will be used more extensively in upcoming commits.

Reviewed by Justin Pettit.

netlink: Add nl_attr_type constants for big-endian values.

These are semantically identical, so they might as well share existing
values, but they help to document the endianness of attributes in Netlink
attribute policies.

Acked-by: Jesse Gross <jesse@nicira.com>

netlink: Log duplicate attributes in nl_policy_parse().

This made finding one particular bug slightly easier for me.

Reviewed by Justin Pettit.

netlink: New functions for finding a specific attribute.

These functions are useful in the occasional case where a piece of code
only cares about one or a few attributes, probably knows that the format
is correct, and doesn't want to go to the trouble of doing a full parse.
Upcoming commits will add a user.

Reviewed by Justin Pettit.

hmap: New function hmap_at_position().

This function offers a way to iterate through an hmap in situations where
it is not safe to retain a node pointer.

Acked-by: Jesse Gross <jesse@nicira.com>

ofpbuf: New function ofpbuf_clone_data_with_headroom().

This new function is a simple helper that creates a new ofpbuf with some
initial contents plus a caller-specified amount of headroom.

This will be used in upcoming commits.

Acked-by: Jesse Gross <jesse@nicira.com>

ofpbuf: Enable ofpbuf_push() to expand headroom.

Until now, ofpbuf_put() has been able to reallocate an ofpbuf to
expand the tailroom, but ofpbuf_push() has not been able to expand
the headroom in an analogous way.  This omission is simply because
it has never been useful to do this.  However, an upcoming change
will make the amount of headroom in an ofpbuf passed up from a
dpif to ofproto harder to predict.  It seems that we might as well
simply implement expanding headroom, so this commit does that.

Acked-by: Jesse Gross <jesse@nicira.com>

ofpbuf: New function ofpbuf_use_stack().

This new function is useful in a situation where a small stack-allocated
buffer is usually appropriate but occasionally it must be expanded.

Acked-by: Jesse Gross <jesse@nicira.com>

Debian: install man pages

Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

xenserver: Support fail_mode override at network level.

This patch allows the Pool object's vswitch-controller-fail-mode
setting to be overridden on by Network object.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

tests: Skip frequently hanging "closes standard fds" tests

The "closes standard fds" test frequently hangs, which causes builds to
not complete. Skip these tests until we have time to debug the cause.

vswitchd: Initialize SSL keys before making SSL connections.

Otherwise, if SSL is configured at startup then the first connection
attempt fails with warnings about keys not be configured.

Bug #4448.

stream-ssl: Only cache SSL sessions after they shut down.

A cached SSL session may only be used for new connections after the initial
connection has shut down. As far as I can tell, nothing in the OpenSSL
documentation actually comes out and says this, but it is implied by
various examples found around the web and doing it this way makes caching
work much more reliably in my testing.

Bug #4448.

stream-ssl: Set a session context ID string on our SSL_CTX.

In the finest OpenSSL tradition of putting important documentation only in
code comments, ssl/ssl_sess.c in the OpenSSL tree has the following comment
inside ssl_get_prev_session():

   /* We can't be sure if this session is being used out of
    * context, which is especially important for SSL_VERIFY_PEER.
    * The application should have used SSL[_CTX]_set_session_id_context.
    *
    * For this error case, we generate an error instead of treating
    * the event like a cache miss (otherwise it would be easy for
    * applications to effectively disable the session cache by
    * accident without anyone noticing).
    */

This meant that ovs-controller couldn't effectively cache SSL server
sessions and we got a weird error whenever ovs-vswitchd tried.

Bug #4448.
CC: David Tsai <dtsai@nicira.com>
CC: Jeremy Stribling <strib@nicira.com>

ovs-bugtool: Indiscriminately capture all openvswitch log files.

ovs-bugtool was only capturing openvswitch core files. This commit
causes it to capture all files under /var/log/openvswitch and
/var/log/core. It also moves the ovs-bugtool output to
/var/log/ovs-bugtool.

Reported-by: Ben Pfaff <blp@nicira.com>
Bug #4481.