git.onelab.eu Git - sliver-openvswitch.git/log

meta-flow: Correctly set destination MAC in mf_set_flow_value().

Signed-off-by: Ben Pfaff <blp@nicira.com>

Fix memory leaks.

Found by valgrind.

Reported-by: Ethan Jackson <ethan@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto: Fix use-after-free error when ports disappear.

update_port() can delete the port for which it is called, if the underlying
network device has been destroyed, so HMAP_FOR_EACH is unsafe in
ofproto_run().

Less obviously, update_port() can delete unrelated ports. For example,
suppose that initially device A is port 1 and device B is port 2. If
update_port("A") runs just after this, then it will ofport_remove() both
ports, then ofport_install() A as the new port 2.

So this commit first assembles a list of ports to update, then updates them
in a separate loop.

Without this commit, running "ovs-dpctl del-dp" while ovs-vswitchd is
running consistently causes a crash for me within a few seconds.

Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: Remove port from datapath if it becomes non-operational

If kernel module rejects config changes then vswitchd sets the ofport
column to -1, but does not remove the non-operational port from the
datapath. This patch fixes this problem.

ovs-vsctl add-br ovsbr
ovs-vsctl add-port ovsbr p1
ovs-vsctl add-port ovsbr p2
ovs-vsctl set Interface p1 options:remote_ip=2.1.1.1 options:key=123 type=gre
ovs-vsctl set Interface p2 options:remote_ip=1.1.1.1 options:key=123 type=gre
ovs-vsctl set Interface p2 options:remote_ip=2.1.1.1 options:key=123 type=gre
ovs-dpctl show #observe that p2 does not appear here anymore

Signed-off-by: Ansis Atteka <aatteka@nicira.com>

datapath: Do not send notification if ovs_vport_set_options() failed

There is no need to send a notification if ovs_vport_set_options() failed
and ovs_vport_cmd_set() did not change anything.

Issue#10285

Acked-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>

ovsdb-idl: Fix memory leak writing synthetic rows in ovsdb_idl_txn_write().

This could cause a slow but steady memory leak in ovs-vswitchd.

Found by valgrind.

Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Fix log rotation.

Commit 24e81092a1 (debian: Bring Debian packaging in-line with new file
locations) introduced an ambiguous "--t" option invoking ovs-appctl, so
ovs-vswitchd and ovsdb-server were not reopening their log files following
log rotation. This fixes the problem by correct the option name.

Reported-by: Paul Ingram <paul@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

xenserver: Recognize XenServer 5.6-SP2 scripts in RPM %post.

Somehow we forgot to put the md5sums for 5.6-SP2 so users were getting
scary error messages.

Bug #10210.
Reported-by: Ronald Lee <rlee@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Move PKI directory to FHS-compliant location.

The PKI directory is mutable state, so it should be in /var, not in /usr.
This commit changes its location and, on systems upgraded from earlier
versions, moves the existing PKI and leaves behind a symlink.

CC: 661090@bugs.debian.org
Reported-by: Andreas Beckmann <debian@abeckmann.de>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Fix tag caching for learned flows.

This code in xlate_table_action() is supposed to tag flows in tables that
have special forms so that changes do not require revalidating every flow.
When rule->tag is nonzero, its value can be used, because we know in this
case that rule->cr.wc is the same as table->other_table->wc and that thus
rule->tag caches the return value of the rule_calculate_tag() expression.
When rule->tag is zero (a "catchall" rule) we need to calculate the tag
manually because we have no way to cache it in that case.

I discovered this bug by running an "hping3" between a couple of VMs plus
the following commands on OVS in the middle:

    ovs-ofctl del-flows br0
    ovs-ofctl add-flow br0 "table=0 actions=learn(table=1, \
              idle_timeout=600, NXM_OF_VLAN_TCI[0..11], \
              NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[], \
              output:NXM_OF_IN_PORT[], fin_idle_timeout=10), resubmit(,1)"
    ovs-ofctl add-flow br0 "table=1 priority=0 actions=flood"

Without this patch, flows don't get properly invalidated upon initial MAC
learning, so one sees warnings like the following:

    in_port(2),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),
    eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=0,
    ttl=64,frag=no),tcp(src=13966,dst=0): inconsistency in subfacet
    (actions were: 3,0,1) (correct actions: 1)

This patch fixes the problem and thus avoids these warnings.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Avoid segfault deleting facets that execute LEARN actions.

"ovs-ofctl del-flows <bridge>" can result in the following call path:

  delete_flows_loose() in ofproto.c
    -> collect_rules_loose() -- uses 'ofproto_node' inside 'struct rule'
    -> rule_destruct() in ofproto-dpif.c
      -> facet_revalidate()
        -> facet_remove()
          -> facet_flush_stats()
            -> facet_account()
              -> xlate_actions()
                -> xlate_learn_action()
                  -> ofproto_flow_mod() back in ofproto.c
                    -> modify_flow_strict()
                      -> collect_rules_strict() -- also uses 'ofproto_node'

which goes "boom" when we fall back up the call chain because the nested
use of ofproto_node steps on the outer use of ofproto_node.

This commit fixes the problem by refusing to translate "learn" actions
within facet_flush_stats(), breaking the doubled use.

Another possible approach would be to switch to another way to keep track
of rules in the flow_mod implementations, so that there'd be no fighting
over 'ofproto_node'.  But then "ovs-ofctl del-flows" might still leave some
flows around (ones created by "learn" actions as flows are accounted as
facets get deleted), which would be surprising behavior.  And it seems in
general a bad idea to allow recursive flow_mods; the consequences have not
been carefully thought through.

Before this commit, one can reproduce the problem by running an "hping3"
between a couple of VMs plus the following commands on OVS in the middle.
Sometimes you have to run them a few times:

    ovs-ofctl del-flows br0
    ovs-ofctl add-flow br0 "table=0 actions=learn(table=1, \
              idle_timeout=600, NXM_OF_VLAN_TCI[0..11], \
              NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[], \
              output:NXM_OF_IN_PORT[], fin_idle_timeout=10), resubmit(,1)"
    ovs-ofctl add-flow br0 "table=1 priority=0 actions=flood"

This commit has a side effect that leftover unaccounted packets no longer
update the timeouts in MAC learning actions in some cases, when the facets
that cause updates are deleted.  At most one second of updates should  be
lost.

Bug #10184.
Reported-by: Michael Mao <mmao@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

hmap: New function hmap_contains().

This is useful in a situation where one knows that an hmap_node is in some
hmap, but it's not certain which one, and one needs to know whether it is
in a particular one. This is not a very common case; I don't see any
potential users in the current tree, although an upcoming commit will add
one.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Fix return type of rule_calculate_tag().

tag_type is currently uint32_t but using uint32_t directly is conceptually
wrong.

Signed-off-by: Ben Pfaff <blp@nicira.com>

learn: Initialize cookie_mask in constructed flow_mod.

Otherwise the "learn" action may not correctly set the cookie in flows that
it creates.

Found by valgrind.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-vsctl: Allow "fake bridges" to be created for VLAN 0.

A fake bridge for VLAN 0 is useful, because it provides a way to create
access ports for VLAN 0. There is no good reason to prevent it.

NIC-464.
Reported-by: Rob Hoes <Rob.Hoes@citrix.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

netdev-linux: Fix use-after-free when netdev_dump_queues() deletes queues.

iface_configure_qos() passes a callback to netdev_dump_queues() that can
delete queues.  The netdev-linux implementation of this function was
unprepared for the callback to delete queues, so this could cause a
use-after-free.  This fixes the problem in netdev_linux_dump_queues() and
documents that netdev_dump_queues() implementations must support deletions
in the callback.

Found by valgrind:

==1593== Invalid read of size 8
==1593==    at 0x4A8C43: netdev_linux_dump_queues (hmap.h:326)
==1593==    by 0x4305F7: bridge_reconfigure (bridge.c:3084)
==1593==    by 0x431384: bridge_run (bridge.c:1892)
==1593==    by 0x432749: main (ovs-vswitchd.c:96)
==1593==  Address 0x632e078 is 8 bytes inside a block of size 32 free'd
==1593==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==1593==    by 0x4A4D74: hfsc_class_delete (netdev-linux.c:3250)
==1593==    by 0x42AA59: iface_delete_queues (bridge.c:3055)
==1593==    by 0x4A8C8C: netdev_linux_dump_queues (netdev-linux.c:1881)
==1593==    by 0x4305F7: bridge_reconfigure (bridge.c:3084)
==1593==    by 0x431384: bridge_run (bridge.c:1892)

Bug #10164.
Reported-by: Ram Jothikumar <ram@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Use a different way to avoid failing install without kernel module.

The dh_installinit --error-handler option makes a lot of sense, but after
playing with it for a while I could not figure out a nice way to use it
only for openvswitch-switch without either duplicating the dh_installinit
fragments in postinst and prerm (the actual bug that was reported) or
omitting them for some package.

Also, we forgot to write the error handler function for the prerm.

This commit switches to a different way to avoid failing the install when
the kernel module is not available, without using --error-handler.

CC: 663051@bugs.debian.org
Reported-by: Thomas Goirand <zigo@debian.org>
Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovsdb-doc: Use minus sign in negative numbers in nroff output.

ovs-vswitchd.conf.db.5 has autogenerated text "at least -1" in one place.
This '-' should be a minus sign, but ovsdb-doc was generating it as a
hyphen.

Found by lintian.

Reported-by: Thomas Goirand <zigo@debian.org>
Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovsdb-doc: Convert '-' preceding a number as a minus sign, not a hyphen.

ovs-vswitchd.conf.db.5 contains the following sentence:

   If the interface cannot be added then Open vSwitch sets this column
   to -1.

The '-' in "-1" should be a minus sign, not a hyphen, but the heuristic
in ovsdb-doc wasn't smart enough.  This commit improves the heuristic and
fixes the problem.

Found by lintian.

Reported-by: Thomas Goirand <zigo@debian.org>
Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovsdb-doc: Put NAME section into generated manpage.

This makes the manpage indexable by standard system tools.

Found by lintian.

Reported-by: Thomas Goirand <zigo@debian.org>
Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Avoid unit test failure when doing "unofficial" builds.

The configure option --with-build-number=0 is interpreted differently in
different places. The configure script itself accepts 0 as an actual
build number and puts '#define BUILDNR "+build0"' into config.h. The
code in python/automake.mk treats 0 as "no build number" and puts
'BUILDNR = ""' into version.py.

This commit avoids the problem by not passing 0 as a build number.

Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

doc: Fix typo in manpage.

Found by lintian.

Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Thomas Goirand <zigo@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Bump standards-version to 3.9.3.

No other changes necessary.

Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Thomas Goirand <zigo@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Remove some useless files from the dkms pacakge.

This commit removes useless files from the dkms package that caused
lintian warnings.

(Many of the other files in the dkms package are also useless but do not
cause lintian warnings so they are less important.)

Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Thomas Goirand <zigo@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Remove po-debconf build dependency.

Open vSwitch no longer uses Debconf at all, for some time now.

Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Thomas Goirand <zigo@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Build-depend on python-all to pull in all Python versions.

Open vSwitch should support all Python versions in the distribution. This
is the way to do it.

Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Thomas Goirand <zigo@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Add missing ${python:Depends} to openvswitch-test package.

Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Thomas Goirand <zigo@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Improve long descriptions so as to better describe the packages.

Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Thomas Goirand <zigo@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

netlink-socket: Increase Netlink socket receive buffer size.

Open vSwitch userspace can set up flows at a high rate, but it is somewhat
"bursty" in opportunities to set up flows, by which I mean that OVS sets up
a batch of flows, then goes off and does some other work for a while, then
sets up another batch of flows, and so on. The result is that, if a large
number of packets that need flow setups come in all at once, then some of
them can overflow the relatively small kernel-to-user buffers.

This commit increases the kernel-to-user buffers from the default of
approximately 120 kB each to 1 MB each. In one somewhat synthetic test
case that I ran based on an "hping3" that generated a load of about 20,000
new flows per second (including both requests and replies), this reduced
the packets dropped at the kernel-to-user interface from about 30% to none.
I expect that it will similarly improve packet loss in workloads where
flow arrival is not easily predictable.

(This has little effect on workloads generated by "ovs-benchmark rate"
because that benchmark is effectively "self-clocking", that is, a new flow
is triggered only by a reply to a request made earlier, which means that
the number of buffered packets at any given has a known, constant upper
limit.)

Bug #10210.
Signed-off-by: Ben Pfaff <blp@nicira.com>

tests: Skip "strings at least 2 characters long" test for narrow Python.

Narrow Python can't handle Unicode characters outside the BMP, so skip the
test.

Reported-by: Michael Shigorin <mike@osdn.org.ua>
Tested-by: Michael Shigorin <mike@osdn.org.ua>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto: Fix code that keeps track of MTU.

ofport_install() should set the MTU that it finds into the ofport
before calling set_internal_devs_mtu(), because the latter function might
change the MTU and update ofport->mtu and the caller should not incorrectly
overwrite its changes.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-monitor-ipsec: Detect correctly IPSEC configuration changes

If Open vSwitch has IPSEC tunnel (with certificates) and Interface
table was updated, then ovs-monitor-ipsec daemon would incorrectly
remove and readd all existing IPSEC tunnels.

The root cause for this issue was that "peer_cert_file" key was present in
interfaces dictionary, but it was missing in new_interfaces dictionary.

v2: Do not fail buildtests

Issue#10096

Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Reported-by: Niklas Andersson <nandersson@nicira.com>

netdev-linux: Use "read", not "recv", for tap devices.

"recv" only works for sockets, but tap devices aren't sockets.

Makes the userspace switch work again.

Reported-by: Ravi Kerur <Ravi.Kerur@telekom.com>
Reported-by: 胡靖飞 <hujingfei914@msn.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

bond: Incorrectly reported an error in appctl.

The bond/enable-slave and bond/disable-slave ovs-appctl commands
incorrectly reported the 501 error code upon success.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

ovs-xapi-sync: Rerun processing when a db update arrives during a commit.

The logic in ovs-xapi-sync didn't handle the case where ovsdb-server sends
a database update before it replies to a transaction that ovs-xapi-sync
sent, like this:

ovs-xapi-sync              ovsdb-server
-------------              ------------

                      .
                      .
                      .
transaction request  --->
                     <---  database contents update
                     <---  transaction reply
                      .
                      .
                      .

The update was not lost but ovs-xapi-sync would not process it until the
database changed again.

Bug #10082.
Reported-by: Krishna Miriyala <krishna@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

socket-util: Unlink Unix domain sockets that bind but fail to connect.

The error handling path here failed to clean up bound sockets, by removing
them. This fixes the problem.

It was easy to observe this bug by running "ovs-vsctl" without
"ovsdb-server" running.

Bug #9811.
Bug #9769.
Reported-by: Michael <mhu@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Fix checksum update for actions on UDP packets.

When modifying IP addresses or ports on a UDP packet we don't
correctly follow the rules for unchecksummed packets. This meant
that packets without a checksum can be given a incorrect new checksum
and packets with a checksum can become marked as being unchecksummed.
This fixes it to handle those requirements.

Bug #8937

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

datapath: Honor dp_ifindex, when specified, for vport lookup by name.

When OVS_VPORT_ATTR_NAME is specified and dp_ifindex is nonzero, the
logical behavior would be for the vport name lookup scope to be limited
to the specified datapath, but in fact the dp_ifindex value was ignored.
This commit causes the search scope to be honored.

Bug #9889.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

vswitchd: Document behavior of 802.1p priorities with VLAN splinters.

Reported-by: likunyun <kunyunli@hotmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

bridge: Remove unwanted ports at time of ofproto creation.

The reconfiguration code only deleted unwanted ports for bridges that had
been created in previous (re)configurations.  In fact, we should run this
step even for bridges that are newly added, e.g. to delete ports that
were added by a previous run of ovs-vswitchd and deleted from the database
between runs.

Before this commit, the following left "int" in datapath br0.  After this
commit, "int" is properly deleted:

1. With ovs-vswitchd running:
      # ovs-vsctl add-br br0
      # ovs-vsctl add-port br0 int -- set interface int type=internal
2. Kill ovs-vswitchd, then:
      # ovs-vsctl --no-wait -- del-port br0 int
3. Restart ovs-vswitchd.

Bug #9957.
Reported-by: Hiroshi Tanaka <htanaka@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

Revert "connmgr: Make "enable-async-messages" work for primary controllers too."

Oops. The feature that this modifies is not actually present on
this branch, breaking the build.

This reverts commit 1d5260da440959adfc1b2be7a4b476e7970bf08d.

connmgr: Make "enable-async-messages" work for primary controllers too.

I only tested this feature with service controllers.

Bug #9964.
Reported-by: James Schmidt <jschmidt@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

netdev: Fix typo in error message.

Found by inspection.

Signed-off-by: Ben Pfaff <blp@nicira.com>

timeval: Add "time/stop" unixctl command, for use in unit tests.

Although we try to avoid it, some unit tests are necessarily
timing-sensitive. The new "time/stop" command that this commit adds should
help with that, by preventing time from advancing from the viewpoint of
the OVS "timeval" functions except when "time/warp" explicitly advances
the current time. This should allow the unit tests that need it to become
reproducible regardless of the speed at which the tests run.

This commit adds one use of "time/stop" to the unit test suite, in the one
timing-sensitive test of which I am currently aware.

Bug #9782.
Reported-by: Tim Chen <tchen@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

INSTALL.Linux: minor typo

s/ovsdmonitor/ovsdbmonitor/

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

tests: Prefer development Python files over installed ones.

A developer may have Open vSwitch installed, in which case many of
the Python files which are tested will be in both the development
tree and the system Python library. When running unit tests, we
want to test the development tree, so it's better to prefer
importing those files.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

xenserver: Restart ovs-xapi-sync on kmod reload.

Some users never restart OVS, they just reload the kernel module on
each new version. Since ovs-xapi-sync is a daemon, a restart is
required to use the new code. Therefore, without this patch, users
could unwittingly use stale versions of ovs-xapi-sync.

Bug #9919.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
Diagnosed-by: Ben Pfaff <blp@nicira.com>

xenserver: Always update the bridge ID in ovs-xapi-sync.

In some cases we were seeing this column get stale.

Bug #9929.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
Diagnosed-by: Justin Pettit <jpettit@nicira.com>

debian: Fix exit status of openvswitch-switch init script "status" command.

The init script ends with an explicit "exit 0" so nonzero exit codes from
"ovs-ctl status" were being lost.

Bug #9714.
Reported-by: Paul Ingram <paul@nicira.com>
CC: Sujatha Shetty <sshetty@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

dpif-linux: Make dpif_linux_port_query_by_name() query only one datapath.

The kernel will report a vport with the given name in any datapath, but
userspace only wants a vport with the given name in a specific datapath.
Receiving information on a vport in an unexpected datapath yields bizarre
and hard-to-debug problems.

Bug #9889.
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Cleanup STP on ports when disabled on their bridge.

When STP is enabled on a bridge, the STP module puts its ports in
an STP_LISTENING state until STP converges.  This causes all
traffic destined for these ports to be dropped.  If STP is disabled
on the bridge, but not explicitly disabled on its ports, the bridge
fails to remove the STP state from these ports.  Therefore, if a
port is in an STP_LISTENING state, it will remain in that state and
continue to drop all traffic indefinitely.  This patch fixes the
issue.

Signed-off-by: Ethan Jackson <ethan@nicira.com>
Bug #9157.

ovs-ofctl: Fix "snoop" command.

The vconn that "snoop" opens does not process and reply to requests, so
sending a request to set the packet-in format will hang forever, which
means that "snoop" never actually prints any of the traffic that it
receives.

Bug #9346.
Reported-by: Alan Shieh <ashieh@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

cfm: Allow manual override of CFM fault status.

This can be useful when testing.

Suggested-by: Reid Price <reid@nicira.com>
Signed-off-by: Ethan Jackson <ethan@nicira.com>

configure: Try to extract kernel source directory from build Makefile.

OVS needs to inspect the headers in the kernel source directory at build
time. Debian keeps moving the source directory relative to the build
directory and doesn't provide an obvious way to find the source directory,
so in the past we've used some name-based heuristics to essentially guess
where it is.

This commit introduces a new heuristic that I hope will be more reliable:
extracting the source directory from the Makefile in the build directory.
In Debian's case, it looks like the Makefile generally contains a line of
the form "MAKEARGS := -C <srcdir> O=<outdir>". This commit extracts the
source directory from that line.

To avoid regressions this commit retains the older heuristics as fallbacks.

CC: 659685@bugs.debian.org
Reported-by: Thomas Goirand <zigo@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: Always configure a default queue for QoS.

When an interface has QoS configured but no default queue (queue 0), OVS
has until now installed that QoS configuration literally, which causes all
packets destined for this default queue to be dropped. This behavior is
usually both unexpected and undesirable.

This commit changes behavior so that, when no default queue is configured,
OVS uses a default "empty" configuration for the default queue. This
behavior should be more acceptable when QoS is slightly misconfigured.

I tested that, without this patch, configuring only queue 1 causes "tc
class show" to show only queue 1 (handle 1:2) for linux-htb and linux-hfsc,
and that with this patch it shows configurations for both queue 0 (handle
1:1) and queue 1.

Bug #5583.
Feature #7413.
Signed-off-by: Ben Pfaff <blp@nicira.com>

xenserver: Fix iteration of dictionary.

Fix bug in commit 3249bb907a1dab9b0, which incorrectly assumed that
get_all_records_where() returned a list. It in fact returns a
dictionary and the list iteratory needs to change to account for this.

Thanks to Nicira for pointing this out.

NIC-454.

Reported-by: David Tsai <dtsai@nicira.com>
Acked-by: Rob Hoes <rob.hoes@citrix.com>
Signed-off-by: Dominic Curran <dominic.curran@citrix.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Update changelog for 1.4.0-2 upload

Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Use provided kernel source dir instead of host kernel version.

DKMS passes in an explicit variable for the kernel source directory, so we
should use that instead of `uname -r`.

CC: 659685@bugs.debian.org
Reported-by: Thomas Goirand <thomas@goirand.fr>
Tested-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Do not run "make" if "configure" fails during DKMS build.

There is no point in trying to run "make" if "configure" failed. The
"make" will fail too and the log will be harder to read.

CC: Thomas Goirand <zigo@debian.org>
CC: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Fix dependencies for openvswitch-datapath-dkms package.

The OVS kernel module, like other kernel modules, does not need a working
userspace build environment, but the OVS "configure" script and makefiles
don't support a kernel-only build, so "configure" fails if libc6-dev is
not installed.

It would be better to change the "configure" script and makefiles to handle
this special case, but that was more work than I initially expected it to
be.

Bug #8606.
Reported-by: Edwin Chiu <echiu@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-xapi-sync: Always set iface-id, not just when xs-vif-uuid changes.

When XAPI moves an interface from one bridge to another, the vif script
removes the vif from one bridge and adds it to (possibly) a different
bridge in a single transaction.  The new record does not have an iface-id
initially (because the vif script never adds the iface-id initially) but
it has the same name and xs-vif-uuid as the old one, so the caching logic
in ovs-xapi-sync failed to add a new iface-id.  This commit fixes the
caching logic.

Observed on XenServer 5.6.100.  It's possible that XAPI behavior changed in
later versions so the bug cannot be triggered there, but we have not
checked.

Bug #9414.
Reported-by: Duffie Cooley <dcooley@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Don't output to in_port even if in_port is OFPP_LOCAL.

Signed-off-by: Aaron Rosen <arosen@clemson.edu>
[Ben Pfaff added the test.]
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Don't install Python modules for obsolete Python versions.

Python 2.4 is obsolete, not present in Debian squeeze or sid, so don't
install Python modules for it.

It would be better to just put the files directly into
/usr/share/pyshared/ovs/, instead of in site-packages for some specific
Python version, but this causes problems for builds on squeeze, as
documented in commit bc3aa0bf5 (debian: Make python-openvswitch packaging
work with squeeze dh_python2.):

    The dh_python2 helper in Debian squeeze has a limitation that is not
    mentioned anywhere, as far as I can tell: Python files must be in
    /usr/lib/python#.#/site-packages to be installed.  The version in Debian
    wheezy does not have the same limitation.

    This meant that building the Debian packages on squeeze silently produced
    a broken python-openvswitch package, whereas building the same thing on
    wheezy built a working package.

    This fixes the problem by putting the .py files where squeeze expects them.
    It works on wheezy too.

A before-and-after "debdiff" shows that the only significant effect of this
commit is to drop python2.4 symlinks.

CC: horms@debian.org
Reported-by: Luca Falavigna <ftpmaster@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Add dependency on ${misc:Depends} to openvswitch-test

This is necessary as openvswitch-test makes use of debhelper.

As reported by lintian.

Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: Make the MAC entry aging time configurable.

NICS-11.
Signed-off-by: Ben Pfaff <blp@nicira.com>

mac-learning: Increase MAC learning timeout to 300 seconds.

When Cisco (and other?) routers are configured in high-availability modes,
they use two different MAC addresses.  The router uses MAC 1 only for ARP
replies.  The router uses MAC 2 for forwarding IP packets to end hosts.
When a MAC learning switch is attached to the router, therefore, it will
only learn the location of MAC 1 from ARP replies.  If the end host's ARP
cache refresh timer is longer than the switch's MAC learning timeout, then
packets to the router will be flooded from the MAC learning timeout until
the next ARP reply.

This commit fixes the problem by increasing the MAC learning timeout from
60 seconds to 300 seconds.  According to research by Sanjay Sane, this is
always sufficient, even with operating systems that use ARP timeouts
longer than 300 seconds (such as FreeBSD and Mac OS, which have 1200
seconds ARP timeouts)  because the routers that cause this problem send
unsolicited ARP replies every 180 seconds.

This issue arises in any situation where traffic between two hosts flows
only in one direction.  The explanation above describes only one special
case.

NICS-11.
Signed-off-by: Ben Pfaff <blp@nicira.com>

sflow_agent: Use snprintf() in place of sprintf().

These functions use sprintf() into a 1000-byte buffer. It appears to me
that the strings they format are either short, fixed-length strings or the
output of strerror(), neither of which should ordinarily overflow.
However, using snprintf() cannot hurt.

Launchpad bug #914160.
Reported-by: Matthias Klose <doko@ubuntu.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto-dpif: Fix merge error that caused memory leak.

Commit 5aa0fe5be (ofproto-dpif: Fix use-after-free error in
handle_miss_upcalls().), a crossport from master of commit 33bb0caa6,
did not include this necessary change, causing a memory leak.

Bug #9493.
Reported-by: Michael Hu <mhu@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

Set dates for 1.4.0 release.

NEWS: Point out userspace is compatible with Linux 3.3 OVS kernel module.

ofproto-dpif: Fix use-after-free error in handle_miss_upcalls().

When handle_flow_miss() saw that subfacet did not have any actions, then
the associated packet would get freed early, in the loop that constructs
the set of batched operations.  However, there would still be a "flow_put"
operation that referenced the key that shares the same memory block as the
packet.  The memory allocator would overwrite the first few bytes of this
block, causing bizarre errors in the flow_put.

This commit changes the memory release strategy to be less error-prone, by
deferring all freeing of packets to the end of the function.  With this
change, every packet gets freed in the same place, instead of having some
packets freed in one place and other packets freed in another.

Here is the valgrind report that pinpoints the problem:

Invalid read of size 4
   at 0x4026838: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x80E9B52: dpif_linux_flow_to_ofpbuf (dpif-linux.c:1714)
   by 0x80E9C77: dpif_linux_operate (dpif-linux.c:883)
   by 0x80AFB5A: dpif_operate (dpif.c:994)
   by 0x809A03B: handle_upcalls (ofproto-dpif.c:2758)
   by 0x809A23A: run_fast (ofproto-dpif.c:757)
   by 0x808C04E: ofproto_run_fast (ofproto.c:963)
   by 0x806DFB6: bridge_run_fast (bridge.c:1811)
   by 0x8074B59: main (ovs-vswitchd.c:98)
Address 0x4427948 is 80 bytes inside a block of size 2,048 free'd
   at 0x402421C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
   by 0x80CD865: ofpbuf_delete (ofpbuf.c:187)
   by 0x80CD8AA: ofpbuf_list_delete (ofpbuf.c:531)
   by 0x8099F06: handle_upcalls (ofproto-dpif.c:2747)
   by 0x809A23A: run_fast (ofproto-dpif.c:757)
   by 0x808C04E: ofproto_run_fast (ofproto.c:963)
   by 0x806DFB6: bridge_run_fast (bridge.c:1811)
   by 0x8074B59: main (ovs-vswitchd.c:98)

Bug #9346.
Reported-by: Alan Shieh <ashieh@nicira.com>
Reported-by: Ethan Jackson <ethan@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

table: Avoid segmentation fault when printing an empty cell in JSON format.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-ctl: Restore ability to create 256 bridges.

OVS is supposed to support at least 256 bridges simultaneously, but the
file descriptor count was a little too low for that.

Build tested only.

Bug #8218.
Reported-by: Luca Giraudo <lgiraudo@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ofproto: Optionally flush all learning tables with appctl.

Signed-off-by: Ethan Jackson <ethan@nicira.com>

tests: Fix broken interface-reconfigure tests.

Commit acfb4e9597 updated the interface-reconfigure scripts without
updating the corresponding tests, causing false test failures.

Signed-off-by: Ben Pfaff <blp@nicira.com>

debian: Delete log files correctly when packages are purged.

Debian Policy 10.8 says "Log files should be removed when the package is
purged (but not when it is only removed)," but the Open vSwitch packages
didn't properly implement this:

   - The openvswitch-brcompat and openvswitch-pki packages didn't delete
     their log files at purge time.

   - The openvswitch-switch package deleted all of the log files at purge
     time, even those owned by openvswitch-brcompat or openvswitch-pki.

This commit fixes both problems.

CC: 656448@bugs.debian.org
Reported-by: Andreas Beckmann <debian@abeckmann.de>
Signed-off-by: Ben Pfaff <blp@nicira.com>

xenserver: Only replace XenServer hosts scripts that we recognize.

Open vSwitch comes with slightly improved versions of upstream Citrix
XenSever host scripts.  Until now, the Open vSwitch RPMs have always
installed its own versions of the scripts over the Citrix versions.  This
commit changes behavior to replace the scripts only if we recognize the
exact versions being replaced.  This approach seems safer given that the
benefits of the OVS changes are minor and we don't want to break any
upstream changes inadvertently.

Signed-off-by: Ben Pfaff <blp@nicira.com>

xenserver: Synchronize scripts with XenServer 6.0.0.

This commit updates the "vif" and "interface-reconfigure" scripts installed
by Open vSwitch on Citrix XenServer with those in XenServer 6.0.0.

Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Fix version check for 3.2.

We support Linux 3.2 and all of its patch levels but the current
check only allows for 3.2.0.

Reported-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

ofproto-dpif: Revalidate flows after "fdb/flush".

Otherwise bad translations can stick around.

Bug #9253.
Reported-by: Paul Ingram <paul@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Correct GRE checksum offset.

If a statically defined GRE key is used with checksums then the
checksum will overwrite the key. This is because the key is set
at header caching time and the checksum is set at packet processing
time and we don't update the offset on packet processing because
we don't do anything with the key.

Reported-by: Christos Argyropoulos <cargious@netmode.ntua.gr>
Signed-off-by: Jesse Gross <jesse@nicira.com>

ofproto-dpif: Fix "ofproto/trace" command.

Commit 0e15264f96e3c (unixctl: Implement quoting.) broke one form of
ofproto/trace. This fixes it.

Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Enforce mutual exclusion between bridge and brcompat_mod.

In kernels 2.6.36, Open vSwitch can (and does) safely coexist with the
Linux bridge module, but it does not make sense to load both bridge and
brcompat_mod at the same time. Until now, nothing has prevented both from
loading; when they both load, confusion (at best) results. This fixes
the problem by enforcing mutual exclusion.

Bug #9226.
Launchpad bug #917309.
Reported-by: Rogério Vinhal Nunes
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

netdev-dummy: Fix use-after-free error.

Found by valgrind.

Signed-off-by: Ben Pfaff <blp@nicira.com>

Declare the version as "1.5.0".

datapath: IFF_OVS_DATAPATH is backported by RHEL 6.2.

On kernels 2.6.37 and above IFF_OVS_DATAPATH has a unique value upstream,
on 2.6.36 we define it to be IFF_BRIDGE_PORT and below to 0. There isn't
really a good reason to use IFF_BRIDGE_PORT on 2.6.36 (and it's perhaps
bad because it's checked in a few places and we don't want those checks
to trigger on just this kernel) and it makes it difficult to know what
value we should use in the face of backporting. Therefore, this just
uses 0 on the places where we don't have a real value.

Reported-by: Benoit ML <ben42ml@gmail.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

dpif-netdev: Make port numbers predictable for dummy dpif, for unit tests.

The unit tests feed a lot of flows through the ofproto-dpif "trace"
command, which means that they need to know the port numbers of the ports
that they create. Until now, they've had to actually query those port
numbers from the database, which is a bit of unnecessary overhead for unit
tests.

This commit makes dummy dpif port numbers predictable: if the name of a
port contains a number, then the dummy dpif uses that number, if it is
valid and available, as the port number.

This commit also simplifies the unit tests that previously queried port
numbers to depend on the new behavior.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ofp-util: Extend message decoding data structures with version field.

This makes it possible to add entries for decoding OpenFlow messages with
newer versions, e.g. OpenFlow 1.1 or 1.2. However, no actual messages for
newer versions are actually implemented yet; that will come later.

Signed-off-by: Ben Pfaff <blp@nicira.com>

nicira-ext: Rename "struct nxt_*" to "struct nx_*".

Most structures in this file have an "nx_" prefix, so this makes naming
more consistent.

Signed-off-by: Ben Pfaff <blp@nicira.com>

SubmittingPatches: Fix typo.

Reported-by: Reid Price <reid@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

vswitchd: Document maximum queue_id for Linux QoS.

The code enforces an exclusive maximum of 0xf000 on queue_ids for
Linux queueing disciplines, but the documentation doesn't mention
this limitation.

Reported-by: Michael Mao <mmoa@nicira.com>
Signed-off-by: Ethan Jackson <ethan@nicira.com>

odp-util: Handle ipv6 in set nw action.

Rather than silently skipping ipv6 action generation, following patch
generates OVS_ACTION_ATTR_SET action for ipv6. Datapath which do not
support ipv6 action can reject this action.

Bug #8758
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>

ofproto-dpif: Honor statistics in packet_out().

A "packet out" ordinarily isn't accounted to any OpenFlow rule,
because its actions come directly from the controller instead of
from an OpenFlow rule. However, any "resubmit" actions or output
to OFPP_TABLE within the set of actions do bring in actions from a
rule, and the "packet out" should be accounted to the rule in that
case. This commit implements that behavior.

Reported-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Ethan Jackson <ethan@nicira.com>

Don't specify program name in passive connection man page fragments.

The vconn and ovsdb passive connection man page fragments used the
PN (program name) macro to describe their functionality. This was
usually correct, but in the case of ovs-vsctl, they may be used to
describe configuring ovs-vswitchd. This commit rewords the fragments to
make them correct regardless of whether they're describing a local or
remote passive connection.

Signed-off-by: Justin Pettit <jpettit@nicira.com>

ovsdb-tool: Use typical db and schema install locations as defaults.

This makes ovsdb-tool easier to use in the common case.

Feature #7756.
Requested-by: Reid Price <reid@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

datapath: Fix multipart datapath dumps.

The logic to split up the list of datapaths into multiple Netlink messages
was simply wrong, causing the list to be terminated after the first part.
Only about the first 50 datapaths would be dumped. This fixes the
problem.

Bug #9124.
Reported-by: Paul Ingram <paul@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>

NEWS: Fix typo.

Signed-off-by: Ben Pfaff <blp@nicira.com>

ovs-vsctl: Add set relational operators to "find" command.

Requested-by: Shih-Hao Li <shli@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

ovsdb-data: Short-circuit ovsdb_datum_includes_all() in trivial case.

Signed-off-by: Ben Pfaff <blp@nicira.com>

news: Mention NXM_PACKET_IN.

Signed-off-by: Ethan Jackson <ethan@nicira.com>