On 2026-01-15 10:45 AM, Eelco Chaudron wrote:
> 
> On 15 Jan 2026, at 0:42, Ilya Maximets wrote:
> 
>> On 1/9/26 9:03 PM, Dima Chumak via dev wrote:
>>> This patch series introduces infrastructure and user-facing improvements
>>> for multi-table routing in OVS. The main motivation is to enable more
>>> advanced routing scenarios, such as policy-based routing with source
>>> address selectors. For example, this can be used to support
>>> OVN-Kubernetes multi-VTEP topology where nodes may have multiple SR-IOV
>>> network adapters and to facilitate selection of which VTEP to use to
>>> send/receive the packets to/from the wire.
>>>
>>> The core of this series adds support for multiple routing tables within
>>> OVS. This is a prerequisite for importing non-default routing tables
>>> from the kernel and enables advanced routing lookups that consider
>>> parameters beyond just the destination address (e.g., source address).
>>>
>>> Additional routing tables are now created by reading the Routing Policy
>>> Database (RPDB) from the kernel. Only tables referenced by RPDB rules
>>> with a table lookup action are imported, and rule priorities and table
>>> IDs are preserved. The current implementation supports RPDB rules with a
>>> source address selector (`[not] from IP`).
>>>
>>> User interface improvements:
>>>
>>> - The `ovs-appctl ovs/route/show` command now accepts an optional
>>>   `table=ID` or `table=all` parameter, allowing users to display routes
>>>   from specific or all tables.
>>>
>>> - The `ovs-appctl ovs/route/add` and `ovs/route/del` commands accept a
>>>   `table=ID` parameter for adding or deleting user routes in non-default
>>>   tables.
>>>
>>> - A new `ovs-appctl ovs/route/rule/show` command is introduced to
>>>   display the internal routing rules database, sorted by priority.
>>>
>>> - New `ovs-appctl ovs/route/rule/{add,del}` commands are introduced to
>>>   add and delete user-configured routing rules in OVS.
>>>
>>> - The `ovs-appctl ovs/route/lookup` command now supports an optional
>>>   `src=IP` parameter for lookups that match on source IP address.
>>>
>>> Example usage:
>>>
>>> - Show all routes, including those from non-default tables:
>>>
>>>   ovs-appctl ovs/route/show table=all
>>>
>>> - Add a route to a specific table:
>>>
>>>   ovs-appctl ovs/route/add 10.7.7.0/24 br-phy0 table=10
>>>
>>> - Add user routing rules:
>>>
>>>   ovs-appctl ovs/route/rule/add from=all table=10
>>>   ovs-appctl ovs/route/rule/add -6 from=all table=11
>>>
>>> - Show routing rules:
>>>
>>>   ovs-appctl ovs/route/rule/show [-6]
>>>
>>> - Lookup a route with a source IP:
>>>
>>>   ovs-appctl ovs/route/lookup 10.0.0.5 src=10.0.0.2
>>>
>>> v4 -> v5: Changes based on Ilya's feedback:
>>>
>>>     * Fixed issue with incorrect inverted rule match for a mismatched
>>>       address family.
>>>     * Standard IPv6 rules are imported by default.
>>>     * ovs-appctl ovs/route/rule/show displays only IPv4 rules by default
>>>       and IPv6 rules are shown with -6 flag only.
>>>     * Extended 'route/rule lookup' unit-test to cover inverted rules.
>>>
>>> v3 -> v4: Changes based on Ilya's feedback:
>>>
>>>     * Added flag to identify user-added routes instead of relying on
>>>       priority and table ID.
>>>     * Improved locking for non-standard routing table creation.
>>>     * Added flag to distinguish IPv6 and IPv4 routing rules.
>>>     * Corrected route matching for mixed IPv6 and IPv4 routes in the
>>>       same routing table.
>>>
>>> v2 -> v3: Changes based on Ilya's feedback:
>>>
>>>     * Use cmap instead of hashmap for classifiers.
>>>     * Don't treat standard tables in a special way.
>>>     * Don't treat standard routing rules in a special way.
>>>     * For src_ip validation in route lookup use local table only.
>>>     * Add system test for un-supported routing rules.
>>>
>>> v1 -> v2: Changes based on Ilya's feedback:
>>>
>>>     * Split default classifier into three: local, main and default.
>>>     * Rules based routing is the only way now.
>>>     * The three default rules are always present, on non-Linux systems
>>>       too.
>>>     * Rules list is implemented with pvector instead of rculist.
>>>     * Added more unit tests for rules, including tunnel-push-pop test.
>>>     * Rules related appctl commands are grouped under ovs/route/rule/*
>>>       prefix.
>>>     * Implemented new appctl commands for adding and deleting
>>>       user-configured rules.
>>>     * Updated manpage and tunneling documentation with the new commands
>>>       and parameters.
>>>
>>> Dima Chumak (11):
>>>   ovs-router: Add infrastructure for multi-table routing.
>>>   route-table: Introduce multi-table route lookup.
>>>   doc: Fix font formatting in ofproto-tnl-unixctl.man.
>>>   ovs-router: Add 'table=id' parameter in ovs/route/show.
>>>   ovs-router: Drop 'local' and add 'user' flag to ovs_router_entry.
>>>   ovs-router: Introduce ovs/route/rule/show command.
>>>   ovs-router: Add system test for tables and rules.
>>>   ovs-router: Add 'table=id' parameter in ovs/route/{add,del}.
>>>   ovs-router: Add 'src=src_ip' parameter in ovs/route/lookup.
>>>   ovs-router: Introduce ovs/route/rule/{add,del} commands.
>>>   ovs-router: Add test for lookup with rules.
>>>
>>>  Documentation/howto/userspace-tunneling.rst |  20 +-
>>>  NEWS                                        |  10 +
>>>  lib/netdev-dummy.c                          |  12 +-
>>>  lib/ovs-router.c                            | 876 +++++++++++++++++---
>>>  lib/ovs-router.h                            |  28 +-
>>>  lib/packets.c                               |  20 +
>>>  lib/packets.h                               |   7 +
>>>  lib/route-table.c                           | 262 +++++-
>>>  lib/route-table.h                           |  22 +-
>>>  ofproto/ofproto-tnl-unixctl.man             |  62 +-
>>>  tests/nsh.at                                |   9 +-
>>>  tests/ofproto-dpif.at                       |  11 +-
>>>  tests/ovs-router.at                         | 282 ++++++-
>>>  tests/packet-type-aware.at                  |  19 +-
>>>  tests/system-route.at                       | 187 +++++
>>>  tests/test-lib-route-table.c                |   5 +-
>>>  tests/tunnel-push-pop-ipv6.at               |  32 +-
>>>  tests/tunnel-push-pop.at                    | 177 +++-
>>>  tests/tunnel.at                             |  10 +-
>>>  19 files changed, 1828 insertions(+), 223 deletions(-)
>>>
>>
>> Hi.  To save some iteration time as we're about to branch for 3.7 release,
>> I fixed a few minor style issues throughout the set and made the following
>> small change to the 'rule/show' command:
>>
>> diff --git a/lib/ovs-router.c b/lib/ovs-router.c
>> --- a/lib/ovs-router.c
>> +++ b/lib/ovs-router.c
>> @@ -907,17 +908,9 @@ ovs_router_rules_show_text(struct ds *ds, bool ipv6)
>>              continue;
>>          }
>>          if (rule->user) {
>> -            if (rule->ipv4) {
>> -                ds_put_format(ds, "User: ");
>> -            } else {
>> -                ds_put_format(ds, "User6: ");
>> -            }
>> +            ds_put_format(ds, "User: ");
>>          } else {
>> -            if (rule->ipv4) {
>> -                ds_put_format(ds, "Cached: ");
>> -            } else {
>> -                ds_put_format(ds, "Cached6: ");
>> -            }
>> +            ds_put_format(ds, "Cached: ");
>>          }
>>          ds_put_format(ds, "%"PRIu32": ", rule->prio);
>>          if (rule->invert) {
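
Review bot: The two added calls, `ds_put_format(ds, "User: ")` and `ds_put_format(ds, "Cached: ")`, pass a constant string with no conversions, so `ds_put_cstr()` would state the intent more directly. With the `6` suffix removed, the address family of a printed rule is implied only by the request, which relies on the `continue` filter in the context lines at the top of this hunk; any test expectation or manpage example that matched `User6:` or `Cached6:` needs to change together with this.
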
>> ---
>>
>> (There is no need to print the extra '6', as we're only printing rules for
>> one family that was explicitly requested.)
>>
>> With that, applied the series to main.
>>
>> It's a nice feature to have.  Thanks!
>>
>> Best regards, Ilya Maximets.
> 
> Looks like this series introduced some Coverity issues :(
> Dima, can you take a look and send a patch?

Sure, I've sent the fixes. I don't have access to Coverity to verify
them though.

Regards
Dima

> 
> I haven’t looked at them myself at this time.
> 
> Cheers,
> 
> Eelco
> 
> 
> Hi,
> 
> 
> Please find the latest report on new defect(s) introduced to *openvswitch*
> found with Coverity Scan.
> 
>    - *New Defects Found:* 2
>    - *Defects Shown:* Showing 2 of 2 defect(s)
> 
> Defect Details
> 
> ** CID 556928:       Resource leaks  (RESOURCE_LEAK)
> /lib/ovs-router.c: 861           in ovs_router_rules_show_json()
> 
> 
> _____________________________________________________________________________________________
> *** CID 556928:         Resource leaks  (RESOURCE_LEAK)
> /lib/ovs-router.c: 861             in ovs_router_rules_show_json()
> 855         struct ds ds;
> 856
> 857         PVECTOR_FOR_EACH (rule, &rules) {
> 858             struct json *entry = json_object_create();
> 859
> 860             if (rule->ipv4 == ipv6) {
>     CID 556928:         Resource leaks  (RESOURCE_LEAK)
>     Variable "entry" going out of scope leaks the storage it points to.
> 861                 continue;
> 862             }
> 863
> 864             json_object_put(entry, "priority", json_integer_create(rule->prio));
> 865             json_object_put(entry, "user", json_integer_create(rule->user));
> 866             json_object_put(entry, "invert", json_boolean_create(rule->invert));
> 
> ** CID 556927:       Integer handling issues  (INTEGER_OVERFLOW)
> /lib/ovs-router.c: 1034           in ovs_router_rule_add_cmd()
> 
> 
> _____________________________________________________________________________________________
> *** CID 556927:         Integer handling issues  (INTEGER_OVERFLOW)
> /lib/ovs-router.c: 1034             in ovs_router_rule_add_cmd()
> 1028             struct router_rule *rule;
> 1029             uint32_t prev_prio = 0;
> 1030
> 1031             PVECTOR_FOR_EACH (rule, &rules) {
> 1032                 if ((!prio && rule->prio) ||
> 1033                     (rule->prio - prev_prio > 1)) {
>     CID 556927:         Integer handling issues  (INTEGER_OVERFLOW)
>     Expression "rule->prio - 1U", where "rule->prio" is known to be equal to 0, underflows the type of "rule->prio - 1U", which is type "unsigned int".
> 1034                     prio = rule->prio - 1;
> 1035                 }
> 1036                 prev_prio = rule->prio;
> 1037             }
> 1038         }
> 1039         ovs_router_rule_add(prio, invert, true, src_len, &from, table, ipv4);
> 

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
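
The unsigned-arithmetic pattern behind CID 556927 in the quoted Coverity report, as an added example that is not part of this thread and not OVS code. A plain array stands in for the rules pvector, the function names are hypothetical, and the guarded variant is one possible hardening, not the fix referred to above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Loop shape from the report (lines 1031-1037), over a plain array that
 * stands in for the rules pvector.  Hypothetical name, not OVS code. */
static uint32_t pick_prio_reported(const uint32_t *prios, size_t n)
{
    uint32_t prio = 0, prev_prio = 0;

    for (size_t i = 0; i < n; i++) {
        if ((!prio && prios[i]) || (prios[i] - prev_prio > 1)) {
            prio = prios[i] - 1;    /* Wraps to UINT32_MAX if prios[i] == 0. */
        }
        prev_prio = prios[i];
    }
    return prio;
}

/* Guarded variant (assumption, one possible hardening): order the operands
 * before subtracting and never decrement a zero priority. */
static uint32_t pick_prio_guarded(const uint32_t *prios, size_t n)
{
    uint32_t prio = 0, prev_prio = 0;

    for (size_t i = 0; i < n; i++) {
        uint32_t cur = prios[i];
        int gap = cur > prev_prio && cur - prev_prio > 1;

        if (cur && (!prio || gap)) {
            prio = cur - 1;
        }
        prev_prio = cur;
    }
    return prio;
}

int main(void)
{
    /* Constructed inputs: a sorted list and one that breaks the ordering. */
    const uint32_t sorted[] = { 0, 32766, 32767 };
    const uint32_t unsorted[] = { 5, 0 };

    printf("sorted:   %u / %u\n", (unsigned) pick_prio_reported(sorted, 3),
           (unsigned) pick_prio_guarded(sorted, 3));
    printf("unsorted: %u / %u\n", (unsigned) pick_prio_reported(unsorted, 2),
           (unsigned) pick_prio_guarded(unsorted, 2));
    return 0;
}
```

On priority-sorted input both functions return the same value; they differ only when a zero priority follows a non-zero one, which is the path the analyzer cannot rule out from the loop alone.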
