Re: [ovs-dev] [PATCH v2 09/11] dpctl: Refactor opt_dpif_open().

2018-08-01 Thread Darrell Ball
On Wed, Aug 1, 2018 at 9:53 PM, Darrell Ball  wrote:

> Thanks for the patch Yi-hung
>
> This patch does not seem to fit with this series somehow; it seems more
> related
> to flushing conntrack by zone and tuple ?
>

My apologies; after I reached the details of patch 10, I see why you wanted
to add
patch 9 as part of the series.



>
> I had a generic change in my queue. I think it is more straightforward,
> since it
> keeps opt_dpif_open() simple and improves the error handling and also
> simplifies
> dpctl_flush_conntrack() and any potential similar functions.
>
> https://patchwork.ozlabs.org/patch/952580/
>
>
>
>
> On 8/1/18, 5:45 PM, "ovs-dev-boun...@openvswitch.org on behalf of Yi-Hung
> Wei" 
> wrote:
>
> Make opt_dpif_open() to support mulitple optional arguments.  It will
> be useful for the following patches.
>
> Signed-off-by: Yi-Hung Wei 
> ---
>  lib/dpctl.c | 85 ++
> ++-
>  1 file changed, 44 insertions(+), 41 deletions(-)
>
> diff --git a/lib/dpctl.c b/lib/dpctl.c
> index 4f1e443f2662..35733774b331 100644
> --- a/lib/dpctl.c
> +++ b/lib/dpctl.c
> @@ -191,14 +191,40 @@ parsed_dpif_open(const char *arg_, bool create,
> struct dpif **dpifp)
>   *
>   * The datapath name is not a mandatory parameter for this command.
> If
>   * it is not specified -- so 'argc' < 'max_args' -- we retrieve it
> from
> - * the current setup, assuming only one exists.  On success stores the
> - * opened dpif in '*dpifp'. */
> + * the current setup, assuming only one exists.
> + * For commands with multiple optional arguments, we try to use the
> first
> + * argument as the dpif name. If it is failed, then we fallback to
> + * retrieve it form the current setup.
> + * On success stores the opened dpif in '*dpifp', and the next
> arugment
> + * to be parsed in '*indexp'.  */
>  static int
>  opt_dpif_open(int argc, const char *argv[], struct dpctl_params
> *dpctl_p,
> -  uint8_t max_args, struct dpif **dpifp)
> +  uint8_t max_args, struct dpif **dpifp, bool multi_opt,
> +  int *indexp)
>  {
> +char *dpname;
>  int error = 0;
> -char *dpname = argc >= max_args ? xstrdup(argv[1]) :
> get_one_dp(dpctl_p);
> +
> +if (indexp) {
> +*indexp = 1;
> +}
> +
> +if (multi_opt && argc > 1) {
> +error = parsed_dpif_open(argv[1], false, dpifp);
> +if (!error) {
> +if (indexp) {
> +*indexp = 2;
> +}
> +return 0;
> +} else if (argc == max_args) {
> +dpctl_error(dpctl_p, error, "invalid datapath");
> +return error;
> +}
> +dpname = get_one_dp(dpctl_p);
> +} else {
> +dpname = argc >= max_args ? xstrdup(argv[1]) :
> get_one_dp(dpctl_p);
> +}
> +
>  if (!dpname) {
>  error = EINVAL;
>  dpctl_error(dpctl_p, error, "datapath not found");
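Review bot: In the `multi_opt` branch of opt_dpif_open(), the error from a failed `parsed_dpif_open(argv[1], false, dpifp)` is silently dropped whenever `argc != max_args`, so a mistyped datapath name is treated as an ordinary argument and the function falls back to `get_one_dp()`. The user then sees an unrelated parse error later, or the command may run against the only existing datapath instead of the one they meant to name. The early-error test also uses `argc == max_args` while the non-multi path a few lines below uses `argc >= max_args`; `} else if (argc >= max_args) {` would keep the two paths consistent. The added comment would read better as `If that fails, we fall back to retrieving it from the current setup.`, with "arugment" and "form" corrected. The function body continues past the end of this hunk, and the same hunk appears unquoted later on this page.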
> @@ -863,7 +889,7 @@ dpctl_dump_flows(int argc, const char *argv[],
> struct dpctl_params *dpctl_p)
>  }
>  }
>
> -error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
> +error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
>  if (error) {
>  goto out_free;
>  }
> @@ -990,7 +1016,7 @@ dpctl_put_flow(int argc, const char *argv[], enum
> dpif_flow_put_flags flags,
>  struct simap port_names;
>  int n, error;
>
> -error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif);
> +error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif, false, NULL);
>  if (error) {
>  return error;
>  }
> @@ -1092,7 +1118,7 @@ dpctl_get_flow(int argc, const char *argv[],
> struct dpctl_params *dpctl_p)
>  struct ds ds;
>  int n, error;
>
> -error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif);
> +error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif, false, NULL);
>  if (error) {
>  return error;
>  }
> @@ -1141,7 +1167,7 @@ dpctl_del_flow(int argc, const char *argv[],
> struct dpctl_params *dpctl_p)
>  struct simap port_names;
>  int n, error;
>
> -error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif);
> +error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif, false, NULL);
>  if (error) {
>  return error;
>  }
> @@ -1210,7 +1236,7 @@ dpctl_del_flows(int argc, const char *argv[],
> struct dpctl_params *dpctl_p)
>  {
>  struct dpif *dpif;
>
> -int error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
> +int error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false,
> NULL);
>  if (error) {
>  return error;
>  }
> @@ -1271,7 

Re: [ovs-dev] [PATCH 10/11] dpctl: Implement dpctl commands for conntrack per zone limit

2018-08-01 Thread Darrell Ball
Thanks for the patch Yi-hung



On Wed, Aug 1, 2018 at 3:46 PM, Yi-Hung Wei  wrote:

> This patch implments the following three commands on dpctl so that
> users can use ovs-dpctl or ovs-appctl to set, delete, and get the
> per zone limit.
>
> For example,
>


Do these commands need a ‘zone’ keyword
eg) ct-set-zone-limits



>
> $ ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=3
>

I wonder if it makes sense to write

‘zone=default,limit=10’

so that ‘default’ is treated like any zone?



> $ ovs-appctl dpct/ct-del-limits zone=0
>


I wonder if we set zone limit to zero (unlimited), it could be like
deleting a zone limit.

$ ovs-appctl dpctl/ct-set-limits zone=1,limit=0

in which case, we don’t need a special command for delete, such as:

$ ovs-appctl dpct/ct-del-limits zone=1



So, we would have just ‘set’ and ‘get’ commands remaining.




> $ ovs-appctl dpct/ct-get-limits zone=1,2,3
>
> Signed-off-by: Yi-Hung Wei 
> ---
>  NEWS  |   2 +
>  lib/ct-dpif.c |  67 +++
>  lib/ct-dpif.h |   4 ++
>  lib/dpctl.c   | 169 ++
> +++-
>  lib/dpctl.man |  18 +++
>  5 files changed, 259 insertions(+), 1 deletion(-)
>
> diff --git a/NEWS b/NEWS
> index 8270ef46ea34..31c5a1e400dc 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -19,6 +19,8 @@ v2.10.0 - xx xxx 
> default it always accepts names and in interactive use it displays
> them;
> use --names or --no-names to override.  See ovs-ofctl(8) for
> details.
> - ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
> +   - ovs-dpctl:
> + * New commands "ct-set-limits", "ct-del-limits", and "ct-get-limits".
> - OpenFlow:
>   * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
>   * OpenFlow 1.5 extensible statistics (OXS) now implemented.
> diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
> index a772799fe347..bb809d9920b5 100644
> --- a/lib/ct-dpif.c
> +++ b/lib/ct-dpif.c
> @@ -629,3 +629,70 @@ ct_dpif_free_zone_limits(struct ovs_list
> *zone_limits)
>  free(p);
>  }
>  }
> +
> +/* Parses a specification of a conntrack zone limit from 's' into '*pzone'
> + * and '*plimit'.  Returns true on success.  Otherwise, returns false and
> + * and puts the error message in 'ds'. */
> +bool
> +ct_dpif_parse_zone_limit_tuple(const char *s, uint16_t *pzone,
> +   uint32_t *plimit, struct ds *ds)
> +{
> +char *pos, *key, *value, *copy, *err;
> +bool parsed_limit = false, parsed_zone = false;
> +
> +pos = copy = xstrdup(s);
> +while (ofputil_parse_key_value(&pos, &key, &value)) {
> +if (!*value) {
> +ds_put_format(ds, "field %s missing value", key);
> +goto error;
> +}
> +
> +if (!strcmp(key, "zone")) {
> +err = str_to_u16(value, key, pzone);
> +if (err) {
> +free(err);
> +goto error_with_msg;
> +}
> +parsed_zone = true;
> +}  else if (!strcmp(key, "limit")) {
> +err = str_to_u32(value, plimit);
> +if (err) {
> +free(err);
> +goto error_with_msg;
> +}
> +parsed_limit = true;
> +} else {
> +ds_put_format(ds, "invalid zone limit field: %s", key);
> +goto error;
> +}
> +}
> +
> +if (parsed_zone == false || parsed_limit == false) {
> +ds_put_format(ds, "failed to parse zone limit");
> +goto error;
> +}
> +
> +free(copy);
> +return true;
> +
> +error_with_msg:
> +ds_put_format(ds, "failed to parse field %s", key);
> +error:
> +free(copy);
> +return false;
> +}
> +
> +void
> +ct_dpif_format_zone_limits(uint32_t default_limit,
> +   const struct ovs_list *zone_limits, struct ds
> *ds)
> +{
> +struct ct_dpif_zone_limit *zone_limit;
> +
> +ds_put_format(ds, "default_limit=%"PRIu32, default_limit);
> +
> +LIST_FOR_EACH (zone_limit, node, zone_limits) {
> +ds_put_format(ds, " zone=%"PRIu16, zone_limit->zone);
> +ds_put_format(ds, ",limit=%"PRIu32, zone_limit->limit);
> +ds_put_format(ds, ",count=%"PRIu32, zone_limit->count);
> +}
> +}
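Review bot: ct_dpif_parse_zone_limit_tuple() frees the message returned by str_to_u16()/str_to_u32() and reports only `failed to parse field %s`, so whatever detail the helper gave (presumably a range or syntax problem) never reaches the user. Replacing the jump to `error_with_msg` with `ds_put_cstr(ds, err); free(err); goto error;` would keep that detail. A repeated key such as a second `zone=` silently overwrites the earlier value, and `*pzone` or `*plimit` may already have been written when the function returns false; the header comment should say that the outputs are only meaningful on success. `ds_put_format(ds, "failed to parse zone limit")` takes no arguments and could be `ds_put_cstr`, and ct_dpif_format_zone_limits() has no comment describing the `default_limit=N zone=Z,limit=L,count=C` text it appends.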
> diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
> index c80e18b72b56..c9cfb258b133 100644
> --- a/lib/ct-dpif.h
> +++ b/lib/ct-dpif.h
> @@ -223,5 +223,9 @@ void ct_dpif_push_zone_limit(struct ovs_list *,
> uint16_t zone, uint32_t limit,
>   uint32_t count);
>  struct ct_dpif_zone_limit * ct_dpif_pop_zone_limit(struct ovs_list *);
>  void ct_dpif_free_zone_limits(struct ovs_list *);
> +bool ct_dpif_parse_zone_limit_tuple(const char *s, uint16_t *pzone,
> +uint32_t *plimit, struct ds *);
> +void ct_dpif_format_zone_limits(uint32_t default_limit,
> +const struct ovs_list *, struct ds *);
>
>  #endif /* CT_DPIF_H */
> diff --

Re: [ovs-dev] [PATCH v2 03/11] datapath: compat: Introduce static key support

2018-08-01 Thread Darrell Ball
Thanks for the patch Yi-hung

On 8/1/18, 5:42 PM, "ovs-dev-boun...@openvswitch.org on behalf of Yi-Hung Wei" 
 wrote:

This is a feature that is needed for a follow up patch
in ovs kernel datapath.

It is usually implied that patch in a series is needed by a subsequent patch in 
the same series.
Would you mind expanding the commit message on the general utility?

Also, the upstream commit id is embedded in the file, static_key.h

+ * This backport is based on upstream net-next commit 11276d5306b8
+ * ("locking/static_keys: Add a new static_key interface").

Would it be possible to bring it into the commit message also?



Signed-off-by: Yi-Hung Wei 
---
 acinclude.m4 |  3 +
 datapath/linux/Modules.mk|  1 +
 datapath/linux/compat/include/linux/static_key.h | 70 

 3 files changed, 74 insertions(+)
 create mode 100644 datapath/linux/compat/include/linux/static_key.h

diff --git a/acinclude.m4 b/acinclude.m4
index 96fcad55a7cb..341edbbd70f1 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -467,6 +467,9 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/linux/err.h], [IS_ERR_OR_NULL])
   OVS_GREP_IFELSE([$KSRC/include/linux/err.h], [PTR_ERR_OR_ZERO])
 
+  OVS_GREP_IFELSE([$KSRC/include/linux/jump_label.h], 
[DEFINE_STATIC_KEY_FALSE],
+  [OVS_DEFINE([HAVE_UPSTREAM_STATIC_KEY])])
+
   OVS_GREP_IFELSE([$KSRC/include/linux/etherdevice.h], 
[eth_hw_addr_random])
   OVS_GREP_IFELSE([$KSRC/include/linux/etherdevice.h], [ether_addr_copy])
 
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index f5c3b6580ad7..2fec6500e7c8 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -63,6 +63,7 @@ openvswitch_headers += \
linux/compat/include/linux/reciprocal_div.h \
linux/compat/include/linux/rtnetlink.h \
linux/compat/include/linux/skbuff.h \
+   linux/compat/include/linux/static_key.h \
linux/compat/include/linux/stddef.h \
linux/compat/include/linux/types.h \
linux/compat/include/linux/u64_stats_sync.h \
diff --git a/datapath/linux/compat/include/linux/static_key.h 
b/datapath/linux/compat/include/linux/static_key.h
new file mode 100644
index ..ea59e3e285a1
--- /dev/null
+++ b/datapath/linux/compat/include/linux/static_key.h
@@ -0,0 +1,70 @@
+#ifndef _STATIC_KEY_WRAPPER_H
+#define _STATIC_KEY_WRAPPER_H
+
+#include_next 
+#ifndef HAVE_UPSTREAM_STATIC_KEY
+/*
+ * This backport is based on upstream net-next commit 11276d5306b8
+ * ("locking/static_keys: Add a new static_key interface").
+ *
+ * For kernel that does not support the new static key interface,
+ * we do not backport the jump label support but the fall back version
+ * of static key that is simply a conditional branch.
+ */
+
+struct static_key_true {
+   struct static_key key;
+};
+
+struct static_key_false {
+   struct static_key key;
+};
+
+#define rpl_STATIC_KEY_INIT_TRUE   { .enabled = ATOMIC_INIT(1) }
+#define rpl_STATIC_KEY_INIT_FALSE  { .enabled = ATOMIC_INIT(0) }
+
+#define STATIC_KEY_TRUE_INIT   \
+   (struct static_key_true) { .key = rpl_STATIC_KEY_INIT_TRUE,  }
+#define STATIC_KEY_FALSE_INIT  \
+   (struct static_key_false){ .key = rpl_STATIC_KEY_INIT_FALSE, }
+
+#define DEFINE_STATIC_KEY_TRUE(name)   \
+   struct static_key_true name = STATIC_KEY_TRUE_INIT
+
+#define DEFINE_STATIC_KEY_FALSE(name)  \
+   struct static_key_false name = STATIC_KEY_FALSE_INIT
+
+static inline int rpl_static_key_count(struct static_key *key)
+{
+   return atomic_read(&key->enabled);
+}
+
+static inline void rpl_static_key_enable(struct static_key *key)
+{
+   int count = rpl_static_key_count(key);
+
+   WARN_ON_ONCE(count < 0 || count > 1);
+
+   if (!count)
+   static_key_slow_inc(key);
+}
+
+static inline void rpl_static_key_disable(struct static_key *key)
+{
+   int count = rpl_static_key_count(key);
+
+   WARN_ON_ONCE(count < 0 || count > 1);
+
+   if (count)
+   static_key_slow_dec(key);
+}
+
+#define static_branch_likely(x)
likely(static_key_enabled(&(x)->key))
+#define static_branch_unlikely(x)  unlikely(static_key_enabled(&(x)->key))
+
+#define static_branch_enable(x)rpl_static_key_enable(&(x)->key)
+#define static_branch_disable(x)   rpl_static_key_disable(&(x)->key)
+
+#endif /* HAVE_UPSTREAM_STATIC_KEY */
+
+#endif /* _STATIC_KEY_WRAPPER_H */
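Review bot: rpl_static_key_enable() and rpl_static_key_disable() read the count and then call static_key_slow_inc()/static_key_slow_dec() as two separate steps, so two unserialized callers could both observe 0 and push the count to 2. The `WARN_ON_ONCE(count < 0 || count > 1)` would only report that on a later call. This looks like a straight copy of the upstream helper, so a comment is probably enough: `/* Callers must serialize enable/disable; the count check and the update are not atomic. */` above rpl_static_key_enable(). The fallback also depends on static_key_enabled() and struct static_key coming from the kernel's own header, which the acinclude.m4 grep for DEFINE_STATIC_KEY_FALSE does not check.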
-- 
2.7.4

  

Re: [ovs-dev] [PATCH v2 02/11] datapath: compat: Backports nf_conncount

2018-08-01 Thread Darrell Ball
Thanks for the patch Yi-hung



On 8/1/18, 5:42 PM, "ovs-dev-boun...@openvswitch.org on behalf of Yi-Hung Wei" 
 wrote:

This patch backports the nf_conncount backend that counts the number
of connections matching an arbitrary key.  The following patch will
use the feature to support connection tracking zone limit in ovs
kernel datapath.

This backport is based on an upstream net-next commit 5c789e131cbb
("netfilter: nf_conncount: Add list lock and gc worker, and RCU for
init tree search") that applies a couple of techniques to optimize
nf_conncount performance.

The upstream nf_conncount has a couple of export functions while
this patch only export the ones that ovs kernel module needs.


Could you specify what is not included in this patch from upstream?
Is it just some parts were excluded or other logic changes as well?



Signed-off-by: Yi-Hung Wei 
---
 acinclude.m4   |   2 +
 datapath/linux/Modules.mk  |   2 +
 .../include/net/netfilter/nf_conntrack_count.h |  61 ++
 datapath/linux/compat/nf_conncount.c   | 637 
+
 4 files changed, 702 insertions(+)
 create mode 100644 
datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
 create mode 100644 datapath/linux/compat/nf_conncount.c

diff --git a/acinclude.m4 b/acinclude.m4
index 731bc07be8fa..96fcad55a7cb 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -625,6 +625,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], 
[nf_nat_alloc_null_binding])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_range2])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], 
[nf_ct_seq_adjust])
+  OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_count.h], 
[nf_conncount_gc_list],
+  [OVS_DEFINE([HAVE_UPSTREAM_NF_CONNCOUNT])])
 
   OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32])
   OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32_max])
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index 04ea5b756b6c..f5c3b6580ad7 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -17,6 +17,7 @@ openvswitch_sources += \
linux/compat/ip6_tunnel.c \
linux/compat/lisp.c \
linux/compat/netdevice.c \
+   linux/compat/nf_conncount.c \
linux/compat/nf_conntrack_core.c \
linux/compat/nf_conntrack_proto.c \
linux/compat/nf_conntrack_reasm.c \
@@ -100,6 +101,7 @@ openvswitch_headers += \
linux/compat/include/net/vxlan.h \
linux/compat/include/net/netfilter/nf_conntrack.h \
linux/compat/include/net/netfilter/nf_conntrack_core.h \
+   linux/compat/include/net/netfilter/nf_conntrack_count.h \
linux/compat/include/net/netfilter/nf_conntrack_expect.h \
linux/compat/include/net/netfilter/nf_conntrack_helper.h \
linux/compat/include/net/netfilter/nf_conntrack_labels.h \
diff --git 
a/datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h 
b/datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
new file mode 100644
index ..fd536f3e1854
--- /dev/null
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
@@ -0,0 +1,61 @@
+#ifndef _NF_CONNTRACK_COUNT_WRAPPER_H
+#define _NF_CONNTRACK_COUNT_WRAPPER_H
+
+#include 
+
+#ifdef HAVE_UPSTREAM_NF_CONNCOUNT
+#include_next 
+
+static inline int rpl_nf_conncount_modinit(void)
+{
+return 0;
+}
+
+static inline void rpl_nf_conncount_modexit(void)
+{
+}
+
+#else
+#include 
+#include 
+#define CONFIG_NETFILTER_CONNCOUNT 1
+struct nf_conncount_data;
+
+enum nf_conncount_list_add {
+   NF_CONNCOUNT_ADDED, /* list add was ok */
+   NF_CONNCOUNT_ERR,   /* -ENOMEM, must drop skb */
+   NF_CONNCOUNT_SKIP,  /* list is already reclaimed by gc */
+};
+
+struct nf_conncount_list {
+   spinlock_t list_lock;
+   struct list_head head;  /* connections with the same filtering key */
+   unsigned int count; /* length of list */
+   bool dead;
+};
+
+struct nf_conncount_data
+*rpl_nf_conncount_init(struct net *net, unsigned int family,
+  unsigned int keylen);
+
+void rpl_nf_conncount_destroy(struct net *net, unsigned int family,
+ struct nf_conncount_data *data);
+
+unsigned int rpl_nf_conncount_count(struct net *net,
+   struct nf_conncount_data *data,
+   const u32 *key,
+   const struct nf_conntrack_tuple *tuple,
+

Re: [ovs-dev] [PATCH v2 00/11] conntrack zone limitation

2018-08-01 Thread Darrell Ball
Thanks for the series Yi-hung

I will help review it.

I have a few general queries initially.

Darrell

On 8/1/18, 5:41 PM, "ovs-dev-boun...@openvswitch.org on behalf of Yi-Hung Wei" 
 wrote:

This patch series implements connection tracking zone limitation to
limit the maximum number of conntrack entries in the conntrack table
    for every zone.  This feature aims to resolve the problem that, if one
    of the VMs/containers is under an attack that abuses the usage of the
    conntrack entries, it may block the others from committing valid
    conntrack entries into the conntrack table.

To address this issue, this patch series proposes to have a
fine-grained mechanism that could limit the # of conntrack entries
per-zone.  For example, we can designate different zone to different VM,
and set conntrack limit to each zone.  By providing this isolation, a
mis-behaved VM only consumes the conntrack entries in its own zone, and
it will not influence other well-behaved VMs.  Moreover, the users can
set various conntrack limit to different zone based on their preference.

This patch series consist of dpif layer support, kernel backports to
support this features in dpif-netlinkt, dpif-netlink implementation,
dpctl commands, and a system traffic test to verify this feature.

v1->v2: Fix a rebase error. Only patch 8 has changed.

Yi-Hung Wei (11):
  compat: Backport nf_ct_netns_{get,put}()
  datapath: compat: Backports nf_conncount
  datapath: compat: Introduce static key support
  datapath: Add conntrack limit netlink definition
  datapath: conntrack: Support conntrack zone limit
  dpif: Support conntrack zone limit.
  ct-dpif: Helper functions for conntrack zone limit
  dpif-netlink: Implement conntrack zone limiit
  dpctl: Refactor opt_dpif_open().
  dpctl: Implement dpctl commands for conntrack per zone limit
  system-traffic: Add conntrack per zoen limit test case

 NEWS   |   3 +
 acinclude.m4   |   9 +
 datapath/compat.h  |   8 +
 datapath/conntrack.c   | 551 +-
 datapath/conntrack.h   |   9 +-
 datapath/datapath.c|   7 +-
 datapath/datapath.h|   3 +
 datapath/linux/Modules.mk  |   7 +-
 datapath/linux/compat/include/linux/openvswitch.h  |  28 +
 datapath/linux/compat/include/linux/static_key.h   |  70 +++
 .../compat/include/net/netfilter/nf_conntrack.h|   8 +
 .../include/net/netfilter/nf_conntrack_count.h |  61 ++
 .../linux/compat/include/uapi/linux/netfilter.h|  14 +
 datapath/linux/compat/nf_conncount.c   | 637 
+
 datapath/linux/compat/nf_conntrack_proto.c | 112 
 lib/ct-dpif.c  | 129 +
 lib/ct-dpif.h  |  20 +
 lib/dpctl.c| 252 ++--
 lib/dpctl.man  |  18 +
 lib/dpif-netdev.c  |   3 +
 lib/dpif-netlink.c | 199 +++
 lib/dpif-provider.h|  26 +
 tests/system-traffic.at|  75 +++
 23 files changed, 2202 insertions(+), 47 deletions(-)
 create mode 100644 datapath/linux/compat/include/linux/static_key.h
 create mode 100644 
datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
 create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
 create mode 100644 datapath/linux/compat/nf_conncount.c
 create mode 100644 datapath/linux/compat/nf_conntrack_proto.c

-- 
2.7.4





Re: [ovs-dev] [PATCH v2 09/11] dpctl: Refactor opt_dpif_open().

2018-08-01 Thread Darrell Ball
Thanks for the patch Yi-hung

This patch does not seem to fit with this series somehow; it seems more related
to flushing conntrack by zone and tuple ?

I had a generic change in my queue. I think it is more straightforward, since it
keeps opt_dpif_open() simple and improves the error handling and also simplifies
dpctl_flush_conntrack() and any potential similar functions. 

https://patchwork.ozlabs.org/patch/952580/




On 8/1/18, 5:45 PM, "ovs-dev-boun...@openvswitch.org on behalf of Yi-Hung Wei" 
 wrote:

Make opt_dpif_open() to support mulitple optional arguments.  It will
be useful for the following patches.

Signed-off-by: Yi-Hung Wei 
---
 lib/dpctl.c | 85 
-
 1 file changed, 44 insertions(+), 41 deletions(-)

diff --git a/lib/dpctl.c b/lib/dpctl.c
index 4f1e443f2662..35733774b331 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -191,14 +191,40 @@ parsed_dpif_open(const char *arg_, bool create, 
struct dpif **dpifp)
  *
  * The datapath name is not a mandatory parameter for this command.  If
  * it is not specified -- so 'argc' < 'max_args' -- we retrieve it from
- * the current setup, assuming only one exists.  On success stores the
- * opened dpif in '*dpifp'. */
+ * the current setup, assuming only one exists.
+ * For commands with multiple optional arguments, we try to use the first
+ * argument as the dpif name. If it is failed, then we fallback to
+ * retrieve it form the current setup.
+ * On success stores the opened dpif in '*dpifp', and the next arugment
+ * to be parsed in '*indexp'.  */
 static int
 opt_dpif_open(int argc, const char *argv[], struct dpctl_params *dpctl_p,
-  uint8_t max_args, struct dpif **dpifp)
+  uint8_t max_args, struct dpif **dpifp, bool multi_opt,
+  int *indexp)
 {
+char *dpname;
 int error = 0;
-char *dpname = argc >= max_args ? xstrdup(argv[1]) : 
get_one_dp(dpctl_p);
+
+if (indexp) {
+*indexp = 1;
+}
+
+if (multi_opt && argc > 1) {
+error = parsed_dpif_open(argv[1], false, dpifp);
+if (!error) {
+if (indexp) {
+*indexp = 2;
+}
+return 0;
+} else if (argc == max_args) {
+dpctl_error(dpctl_p, error, "invalid datapath");
+return error;
+}
+dpname = get_one_dp(dpctl_p);
+} else {
+dpname = argc >= max_args ? xstrdup(argv[1]) : get_one_dp(dpctl_p);
+}
+
 if (!dpname) {
 error = EINVAL;
 dpctl_error(dpctl_p, error, "datapath not found");
@@ -863,7 +889,7 @@ dpctl_dump_flows(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 }
 }
 
-error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
 if (error) {
 goto out_free;
 }
@@ -990,7 +1016,7 @@ dpctl_put_flow(int argc, const char *argv[], enum 
dpif_flow_put_flags flags,
 struct simap port_names;
 int n, error;
 
-error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1092,7 +1118,7 @@ dpctl_get_flow(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 struct ds ds;
 int n, error;
 
-error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1141,7 +1167,7 @@ dpctl_del_flow(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 struct simap port_names;
 int n, error;
 
-error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1210,7 +1236,7 @@ dpctl_del_flows(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 {
 struct dpif *dpif;
 
-int error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
+int error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1271,7 +1297,7 @@ dpctl_dump_conntrack(int argc, const char *argv[],
 argc--;
 }
 
-error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1313,34 +1339,11 @@ dpctl_flush_conntrack(int argc, const char *argv[],
 struct

[ovs-dev] [patch v1] dpctl: Simplify dpctl_flush_conntrack.

2018-08-01 Thread Darrell Ball
The function dpctl_flush_conntrack() and other such functions with
multiple optional arguments can be simplified by introducing a new
function to check whether a valid datapath name is supplied as an
argument to the functions.

opt_dpif_open() can also make use of this new function to allow it
to handle callers with multiple optional arguments.

Signed-off-by: Darrell Ball 
---
 lib/dpctl.c | 61 +++--
 tests/system-traffic.at |  8 +++
 2 files changed, 38 insertions(+), 31 deletions(-)

diff --git a/lib/dpctl.c b/lib/dpctl.c
index 4f1e443..d4381ea 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -187,18 +187,41 @@ parsed_dpif_open(const char *arg_, bool create, struct 
dpif **dpifp)
 return result;
 }
 
+static bool
+check_for_dpif_arg(int argc, const char *argv[])
+{
+if (argc > 1) {
+struct dpif *dpif;
+int error = parsed_dpif_open(argv[1], false, &dpif);
+if (!error) {
+dpif_close(dpif);
+return true;
+}
+}
+
+return false;
+}
+
 /* Open a dpif with an optional name argument.
  *
- * The datapath name is not a mandatory parameter for this command.  If
- * it is not specified -- so 'argc' < 'max_args' -- we retrieve it from
- * the current setup, assuming only one exists.  On success stores the
- * opened dpif in '*dpifp'. */
+ * The datapath name is not a mandatory parameter for this command.  If it is
+ * not specified, we retrieve it from the current setup, assuming only one
+ * exists.  On success stores the opened dpif in '*dpifp'. */
 static int
 opt_dpif_open(int argc, const char *argv[], struct dpctl_params *dpctl_p,
   uint8_t max_args, struct dpif **dpifp)
 {
+char *dpname = NULL;
 int error = 0;
-char *dpname = argc >= max_args ? xstrdup(argv[1]) : get_one_dp(dpctl_p);
+
+if (check_for_dpif_arg(argc, argv)) {
+dpname = xstrdup(argv[1]);
+} else {
+if (argc != max_args) {
+dpname = get_one_dp(dpctl_p);
+}
+}
+
 if (!dpname) {
 error = EINVAL;
 dpctl_error(dpctl_p, error, "datapath not found");
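Review bot: check_for_dpif_arg() opens the datapath named by `argv[1]` only to close it again, and opt_dpif_open() then copies the same name into `dpname` and presumably opens it a second time below this hunk. The error code from a failed probe is lost along the way, which is why the updated tests now expect `datapath not found (Invalid argument)` instead of the open error. dpctl_flush_conntrack() in the next hunk calls the probe itself and then again through opt_dpif_open(), so that command probes twice before the real open. The helper has no comment; `/* Returns true if 'argv[1]' names a datapath that can be opened.  The datapath is closed again before returning. */` would make the probe-only contract explicit. opt_dpif_open()'s body continues outside this hunk.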
@@ -1313,34 +1336,18 @@ dpctl_flush_conntrack(int argc, const char *argv[],
 struct ct_dpif_tuple tuple, *ptuple = NULL;
 struct ds ds = DS_EMPTY_INITIALIZER;
 uint16_t zone, *pzone = NULL;
-char *name;
 int error, i = 1;
-bool got_dpif = false;
 
 /* Parse datapath name. It is not a mandatory parameter for this command.
  * If it is not specified, we retrieve it from the current setup,
  * assuming only one exists. */
-if (argc >= 2) {
-error = parsed_dpif_open(argv[i], false, &dpif);
-if (!error) {
-got_dpif = true;
-i++;
-} else if (argc == 4) {
-dpctl_error(dpctl_p, error, "invalid datapath");
-return error;
-}
+if (check_for_dpif_arg(argc, argv)) {
+i++;
 }
-if (!got_dpif) {
-name = get_one_dp(dpctl_p);
-if (!name) {
-return EINVAL;
-}
-error = parsed_dpif_open(name, false, &dpif);
-free(name);
-if (error) {
-dpctl_error(dpctl_p, error, "opening datapath");
-return error;
-}
+
+error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif);
+if (error) {
+return error;
 }
 
 /* Parse zone */
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index cbd9542..f53e51b 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -1124,17 +1124,17 @@ ovs-appctl: ovs-vswitchd: server returned an error
 ])
 
 AT_CHECK([ovs-appctl dpctl/ct-set-maxconns one-bad-dp 10], [2], [], [dnl
-ovs-vswitchd: opening datapath (Address family not supported by protocol)
+ovs-vswitchd: datapath not found (Invalid argument)
 ovs-appctl: ovs-vswitchd: server returned an error
 ])
 
 AT_CHECK([ovs-appctl dpctl/ct-get-maxconns one-bad-dp], [2], [], [dnl
-ovs-vswitchd: opening datapath (Address family not supported by protocol)
+ovs-vswitchd: datapath not found (Invalid argument)
 ovs-appctl: ovs-vswitchd: server returned an error
 ])
 
 AT_CHECK([ovs-appctl dpctl/ct-get-nconns one-bad-dp], [2], [], [dnl
-ovs-vswitchd: opening datapath (Address family not supported by protocol)
+ovs-vswitchd: datapath not found (Invalid argument)
 ovs-appctl: ovs-vswitchd: server returned an error
 ])
 
@@ -1164,7 +1164,7 @@ AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
 10
 ])
 
-OVS_TRAFFIC_VSWITCHD_STOP(["/could not create datapath one-bad-dp of unknown 
type system/d"])
+OVS_TRAFFIC_VSWITCHD_STOP(["/could not create datapath.*/d"])
 AT_CLEANUP
 
 AT_SETUP([conntrack - IPv6 ping])
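Review bot: The relaxed filter `"/could not create datapath.*/d"` passed to OVS_TRAFFIC_VSWITCHD_STOP now discards every such log line, not only the one for `one-bad-dp`, so an unexpected datapath-creation failure elsewhere in this test would no longer be noticed. If the wider pattern is needed because the new probe in lib/dpctl.c tries non-datapath arguments as datapath names (an inference from the other hunk, not visible in this file), a `dnl` comment saying so would record why the filter is this broad. Otherwise `"/could not create datapath one-bad-dp.*/d"` would keep the filter scoped to the deliberately bad name.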
-- 
1.9.1



[ovs-dev] Spende von $ 4,800,000.00!

2018-08-01 Thread Gloria Adelaida Elias Mejia
Hallo, Sie haben eine Spende von $ 4,800,000.00, ich habe die America Lotterie 
im Wert von $ 40 Millionen gewonnen und ich gebe einen Teil davon an fünf 
glückliche Menschen und Wohltätigkeitseinrichtungen zum Gedenken an meine 
verstorbene Frau, die an Krebs starb.

Spendenreferenznummer: BBIB / AVL017 / 28392

Kontaktieren Sie mich für weitere Informationen: tomcrist...@gmail.com

Prost
Tom Crist


[ovs-dev] Spende von $ 4,800,000.00!

2018-08-01 Thread Gloria Adelaida Elias Mejia
Hallo, Sie haben eine Spende von $ 4,800,000.00, ich habe die America Lotterie 
im Wert von $ 40 Millionen gewonnen und ich gebe einen Teil davon an fünf 
glückliche Menschen und Wohltätigkeitseinrichtungen zum Gedenken an meine 
verstorbene Frau, die an Krebs starb.

Spendenreferenznummer: BBIB / AVL017 / 28392

Kontaktieren Sie mich für weitere Informationen: tomcrist...@gmail.com

Prost
Tom Crist


Re: [ovs-dev] [ovs-dev, v2, 10 of 11] dpctl: Implement dpctl commands for conntrack per zone limit

2018-08-01 Thread 0-day Robot
Bleep bloop.  Greetings Yi-Hung Wei, I am a robot and I have tried out your 
patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


checkpatch:
WARNING: Line is 115 characters long (recommended limit is 79)
#331 FILE: lib/dpctl.man:277:
\*(DX\fBct\-set\-limits\fR [\fIdp\fR] [\fBdefault=\fIdefault_limit\fR] 
[\fBzone=\fIzone\fR,\fBlimit=\fIlimit\fR]...

Lines checked: 350, Warnings: 1, Errors: 0


Please check this out.  If you feel there has been an error, please email 
acon...@bytheb.org

Thanks,
0-day Robot


[ovs-dev] [PATCH v2 11/11] system-traffic: Add conntrack per zoen limit test case

2018-08-01 Thread Yi-Hung Wei
Signed-off-by: Yi-Hung Wei 
---
 tests/system-traffic.at | 75 +
 1 file changed, 75 insertions(+)

diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index cbd954257ae8..1e6bf1e75565 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -2918,6 +2918,81 @@ 
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
+AT_SETUP([conntrack - limit by zone])
+CHECK_CONNTRACK()
+CHECK_CT_DPIF_FLUSH_BY_CT_TUPLE()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=100,in_port=1,udp,action=ct(commit),2
+priority=100,in_port=2,udp,action=ct(zone=3,commit),1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 
zone=1,limit=15 zone=2,limit=3 zone=3,limit=3])
+AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=1,2,4])
+AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3], [],[dnl
+default_limit=10 zone=0,limit=5,count=0 zone=1,limit=10,count=0 
zone=2,limit=10,count=0 zone=3,limit=3,count=0
+])
+
+dnl Test UDP from port 1
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100020008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100030008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100040008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100050008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100060008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100070008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100080008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100090008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a0101020001000a0008
 actions=resubmit(,0)"])
+
+AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3,4,5], [0], [dnl
+default_limit=10 zone=0,limit=5,count=5 zone=1,limit=10,count=0 
zone=2,limit=10,count=0 zone=3,limit=3,count=0 zone=4,limit=10,count=0 
zone=5,limit=10,count=0
+])
+
+dnl Test ct-get-limits for all zoens
+AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl
+default_limit=10 zone=0,limit=5,count=5 zone=3,limit=3,count=0
+])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1," | 
sort ], [0], [dnl
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=3),reply=(src=10.1.1.2,dst=10.1.1.1,sport=3,dport=1)
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=4),reply=(src=10.1.1.2,dst=10.1.1.1,sport=4,dport=1)
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=5),reply=(src=10.1.1.2,dst=10.1.1.1,sport=5,dport=1)
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=6),reply=(src=10.1.1.2,dst=10.1.1.1,sport=6,dport=1)
+])
+
+dnl Test UDP from port 2
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100020008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100030008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100040008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100050008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100060008
 actions=resubmit(,0)"])
+
+AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,3], [0], [dnl
+default_limit=10 zone=0,limit=5,count=5 zone=3,limit=3,count=3

[ovs-dev] [PATCH v2 09/11] dpctl: Refactor opt_dpif_open().

2018-08-01 Thread Yi-Hung Wei
Make opt_dpif_open() support multiple optional arguments.  It will
be useful for the following patches.

Signed-off-by: Yi-Hung Wei 
---
 lib/dpctl.c | 85 -
 1 file changed, 44 insertions(+), 41 deletions(-)

diff --git a/lib/dpctl.c b/lib/dpctl.c
index 4f1e443f2662..35733774b331 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -191,14 +191,40 @@ parsed_dpif_open(const char *arg_, bool create, struct 
dpif **dpifp)
  *
  * The datapath name is not a mandatory parameter for this command.  If
  * it is not specified -- so 'argc' < 'max_args' -- we retrieve it from
- * the current setup, assuming only one exists.  On success stores the
- * opened dpif in '*dpifp'. */
+ * the current setup, assuming only one exists.
+ * For commands with multiple optional arguments, we try to use the first
+ * argument as the dpif name. If it is failed, then we fallback to
+ * retrieve it form the current setup.
+ * On success stores the opened dpif in '*dpifp', and the next arugment
+ * to be parsed in '*indexp'.  */
 static int
 opt_dpif_open(int argc, const char *argv[], struct dpctl_params *dpctl_p,
-  uint8_t max_args, struct dpif **dpifp)
+  uint8_t max_args, struct dpif **dpifp, bool multi_opt,
+  int *indexp)
 {
+char *dpname;
 int error = 0;
-char *dpname = argc >= max_args ? xstrdup(argv[1]) : get_one_dp(dpctl_p);
+
+if (indexp) {
+*indexp = 1;
+}
+
+if (multi_opt && argc > 1) {
+error = parsed_dpif_open(argv[1], false, dpifp);
+if (!error) {
+if (indexp) {
+*indexp = 2;
+}
+return 0;
+} else if (argc == max_args) {
+dpctl_error(dpctl_p, error, "invalid datapath");
+return error;
+}
+dpname = get_one_dp(dpctl_p);
+} else {
+dpname = argc >= max_args ? xstrdup(argv[1]) : get_one_dp(dpctl_p);
+}
+
 if (!dpname) {
 error = EINVAL;
 dpctl_error(dpctl_p, error, "datapath not found");
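Review bot: In the `multi_opt` branch a failed open of `argv[1]` is reported only when `argc == max_args`, while the other branch treats `argc >= max_args` as "a datapath name was given". For every other argument count the error is dropped and the code falls back to `get_one_dp()`, so a mistyped datapath name is silently reinterpreted as the first option and it is left to the caller's option parser to reject it. If callers can ever pass more than `max_args` arguments, `} else if (argc >= max_args) {` would keep the two branches consistent. The header comment should also say what `multi_opt` selects and that `indexp` may be NULL, e.g. `* 'indexp' may be NULL if the caller does not need the index.`, and its typos ("arugment", "form", "If it is failed") are worth fixing in the same pass. The function body continues past the end of this hunk.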
@@ -863,7 +889,7 @@ dpctl_dump_flows(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 }
 }
 
-error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
 if (error) {
 goto out_free;
 }
@@ -990,7 +1016,7 @@ dpctl_put_flow(int argc, const char *argv[], enum 
dpif_flow_put_flags flags,
 struct simap port_names;
 int n, error;
 
-error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1092,7 +1118,7 @@ dpctl_get_flow(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 struct ds ds;
 int n, error;
 
-error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1141,7 +1167,7 @@ dpctl_del_flow(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 struct simap port_names;
 int n, error;
 
-error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1210,7 +1236,7 @@ dpctl_del_flows(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 {
 struct dpif *dpif;
 
-int error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
+int error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1271,7 +1297,7 @@ dpctl_dump_conntrack(int argc, const char *argv[],
 argc--;
 }
 
-error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1313,34 +1339,11 @@ dpctl_flush_conntrack(int argc, const char *argv[],
 struct ct_dpif_tuple tuple, *ptuple = NULL;
 struct ds ds = DS_EMPTY_INITIALIZER;
 uint16_t zone, *pzone = NULL;
-char *name;
 int error, i = 1;
-bool got_dpif = false;
 
-/* Parse datapath name. It is not a mandatory parameter for this command.
- * If it is not specified, we retrieve it from the current setup,
- * assuming only one exists. */
-if (argc >= 2) {
-error = parsed_dpif_open(argv[i], false, &dpif);
-if (!error) {
-got_dpif = true;
-i++;
-} else if (argc == 4) {
-dpctl_error(dpctl_p, error, "invalid datapath");
-return error;
-}
-}
-if (!got_dpif) {
-name = get_one_dp(dpctl_p);
-if (!name) {
-return EINVAL;
-}
-error = parsed_dpif_open(name, false, &dpif);
-free(name);
-if (error) {
-dpctl_error(dpctl_p, error, "opening datapath");
-return error

[ovs-dev] [PATCH v2 10/11] dpctl: Implement dpctl commands for conntrack per zone limit

2018-08-01 Thread Yi-Hung Wei
This patch implements the following three commands on dpctl so that
users can use ovs-dpctl or ovs-appctl to set, delete, and get the
per zone limit.

For example,

$ ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=3
$ ovs-appctl dpctl/ct-del-limits zone=0
$ ovs-appctl dpctl/ct-get-limits zone=1,2,3

Signed-off-by: Yi-Hung Wei 
---
 NEWS  |   2 +
 lib/ct-dpif.c |  67 +++
 lib/ct-dpif.h |   4 ++
 lib/dpctl.c   | 169 +-
 lib/dpctl.man |  18 +++
 5 files changed, 259 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 8270ef46ea34..31c5a1e400dc 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,8 @@ v2.10.0 - xx xxx 
default it always accepts names and in interactive use it displays them;
use --names or --no-names to override.  See ovs-ofctl(8) for details.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
+   - ovs-dpctl:
+ * New commands "ct-set-limits", "ct-del-limits", and "ct-get-limits".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
  * OpenFlow 1.5 extensible statistics (OXS) now implemented.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index a772799fe347..bb809d9920b5 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -629,3 +629,70 @@ ct_dpif_free_zone_limits(struct ovs_list *zone_limits)
 free(p);
 }
 }
+
+/* Parses a specification of a conntrack zone limit from 's' into '*pzone'
+ * and '*plimit'.  Returns true on success.  Otherwise, returns false and
+ * and puts the error message in 'ds'. */
+bool
+ct_dpif_parse_zone_limit_tuple(const char *s, uint16_t *pzone,
+   uint32_t *plimit, struct ds *ds)
+{
+char *pos, *key, *value, *copy, *err;
+bool parsed_limit = false, parsed_zone = false;
+
+pos = copy = xstrdup(s);
+while (ofputil_parse_key_value(&pos, &key, &value)) {
+if (!*value) {
+ds_put_format(ds, "field %s missing value", key);
+goto error;
+}
+
+if (!strcmp(key, "zone")) {
+err = str_to_u16(value, key, pzone);
+if (err) {
+free(err);
+goto error_with_msg;
+}
+parsed_zone = true;
+}  else if (!strcmp(key, "limit")) {
+err = str_to_u32(value, plimit);
+if (err) {
+free(err);
+goto error_with_msg;
+}
+parsed_limit = true;
+} else {
+ds_put_format(ds, "invalid zone limit field: %s", key);
+goto error;
+}
+}
+
+if (parsed_zone == false || parsed_limit == false) {
+ds_put_format(ds, "failed to parse zone limit");
+goto error;
+}
+
+free(copy);
+return true;
+
+error_with_msg:
+ds_put_format(ds, "failed to parse field %s", key);
+error:
+free(copy);
+return false;
+}
+
+void
+ct_dpif_format_zone_limits(uint32_t default_limit,
+   const struct ovs_list *zone_limits, struct ds *ds)
+{
+struct ct_dpif_zone_limit *zone_limit;
+
+ds_put_format(ds, "default_limit=%"PRIu32, default_limit);
+
+LIST_FOR_EACH (zone_limit, node, zone_limits) {
+ds_put_format(ds, " zone=%"PRIu16, zone_limit->zone);
+ds_put_format(ds, ",limit=%"PRIu32, zone_limit->limit);
+ds_put_format(ds, ",count=%"PRIu32, zone_limit->count);
+}
+}
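Review bot: `ct_dpif_parse_zone_limit_tuple()` accepts a repeated key without complaint, so `zone=1,zone=2,limit=5` parses successfully with the last value winning. Since this is the validation step for operator input that sets resource limits, a guard such as `if (parsed_zone) { ds_put_format(ds, "duplicate zone field"); goto error; }` (and the same for `limit`) would reject it. The message returned by `str_to_u16()`/`str_to_u32()` is freed and replaced by the generic "failed to parse field", which hides the reason for the failure; appending it to `ds` before freeing would help. The header comment has a doubled "and", and it should state that `*pzone`/`*plimit` may already have been written when the function returns false. `ct_dpif_format_zone_limits()` has no comment at all.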
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index c80e18b72b56..c9cfb258b133 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -223,5 +223,9 @@ void ct_dpif_push_zone_limit(struct ovs_list *, uint16_t 
zone, uint32_t limit,
  uint32_t count);
 struct ct_dpif_zone_limit * ct_dpif_pop_zone_limit(struct ovs_list *);
 void ct_dpif_free_zone_limits(struct ovs_list *);
+bool ct_dpif_parse_zone_limit_tuple(const char *s, uint16_t *pzone,
+uint32_t *plimit, struct ds *);
+void ct_dpif_format_zone_limits(uint32_t default_limit,
+const struct ovs_list *, struct ds *);
 
 #endif /* CT_DPIF_H */
diff --git a/lib/dpctl.c b/lib/dpctl.c
index 35733774b331..560f713cfd51 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -199,7 +199,7 @@ parsed_dpif_open(const char *arg_, bool create, struct dpif 
**dpifp)
  * to be parsed in '*indexp'.  */
 static int
 opt_dpif_open(int argc, const char *argv[], struct dpctl_params *dpctl_p,
-  uint8_t max_args, struct dpif **dpifp, bool multi_opt,
+  int max_args, struct dpif **dpifp, bool multi_opt,
   int *indexp)
 {
 char *dpname;
@@ -1683,6 +1683,167 @@ dpctl_ct_get_nconns(int argc, const char *argv[],
 return error;
 }
 
+static int
+dpctl_ct_set_limits(int argc, const char *argv[],
+struct dpctl_params *dpctl_p)
+{
+struct dpif *dpif;
+struct ds ds = DS_EMPTY_INITIALIZER;
+int error, i = 1;
+uint32_t default_limi

[ovs-dev] [PATCH v2 08/11] dpif-netlink: Implement conntrack zone limiit

2018-08-01 Thread Yi-Hung Wei
This patch provides the implementation of conntrack zone limit
in dpif-netlink.  It basically utilizes the netlink API to
communicate with OVS kernel module to set, delete, and get conntrack
zone limit.

Signed-off-by: Yi-Hung Wei 
---
 lib/dpif-netlink.c | 202 -
 1 file changed, 199 insertions(+), 3 deletions(-)

diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c
index ee98a3b7d8b6..365b38047fe1 100644
--- a/lib/dpif-netlink.c
+++ b/lib/dpif-netlink.c
@@ -213,6 +213,7 @@ static int ovs_vport_family;
 static int ovs_flow_family;
 static int ovs_packet_family;
 static int ovs_meter_family;
+static int ovs_ct_limit_family;
 
 /* Generic Netlink multicast groups for OVS.
  *
@@ -2919,6 +2920,195 @@ dpif_netlink_ct_flush(struct dpif *dpif OVS_UNUSED, 
const uint16_t *zone,
 }
 }
 
+static int
+dpif_netlink_set_limits(struct dpif *dpif OVS_UNUSED,
+const uint32_t *default_limits,
+const struct ovs_list *zone_limits)
+{
+struct ofpbuf *request;
+struct ovs_header *ovs_header;
+size_t opt_offset;
+int err;
+struct ovs_zone_limit req_zone_limit;
+
+if (ovs_ct_limit_family < 0) {
+return EOPNOTSUPP;
+}
+
+request = ofpbuf_new(NL_DUMP_BUFSIZE);
+nl_msg_put_genlmsghdr(request, 0, ovs_ct_limit_family,
+  NLM_F_REQUEST | NLM_F_ECHO, OVS_CT_LIMIT_CMD_SET,
+  OVS_CT_LIMIT_VERSION);
+
+ovs_header = ofpbuf_put_uninit(request, sizeof *ovs_header);
+ovs_header->dp_ifindex = 0;
+
+opt_offset = nl_msg_start_nested(request, OVS_CT_LIMIT_ATTR_ZONE_LIMIT);
+if (default_limits) {
+req_zone_limit.zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE;
+req_zone_limit.limit = *default_limits;
+nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit);
+}
+
+if (!ovs_list_is_empty(zone_limits)) {
+struct ct_dpif_zone_limit *zone_limit;
+
+LIST_FOR_EACH (zone_limit, node, zone_limits) {
+req_zone_limit.zone_id = zone_limit->zone;
+req_zone_limit.limit = zone_limit->limit;
+nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit);
+}
+}
+nl_msg_end_nested(request, opt_offset);
+
+err = nl_transact(NETLINK_GENERIC, request, NULL);
+ofpbuf_uninit(request);
+return err;
+}
+
+static int
+dpif_netlink_zone_limits_from_ofpbuf(const struct ofpbuf *buf,
+ uint32_t *default_limit,
+ struct ovs_list *zone_limits)
+{
+static const struct nl_policy ovs_ct_limit_policy[] = {
+[OVS_CT_LIMIT_ATTR_ZONE_LIMIT] = { .type = NL_A_NESTED,
+   .optional = true },
+};
+
+struct ofpbuf b = ofpbuf_const_initializer(buf->data, buf->size);
+struct nlmsghdr *nlmsg = ofpbuf_try_pull(&b, sizeof *nlmsg);
+struct genlmsghdr *genl = ofpbuf_try_pull(&b, sizeof *genl);
+struct ovs_header *ovs_header = ofpbuf_try_pull(&b, sizeof *ovs_header);
+
+struct nlattr *attr[ARRAY_SIZE(ovs_ct_limit_policy)];
+
+if (!nlmsg || !genl || !ovs_header
+|| nlmsg->nlmsg_type != ovs_ct_limit_family
+|| !nl_policy_parse(&b, 0, ovs_ct_limit_policy, attr,
+ARRAY_SIZE(ovs_ct_limit_policy))) {
+return EINVAL;
+}
+
+
+if (!attr[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) {
+return EINVAL;
+}
+
+int rem = NLA_ALIGN(
+nl_attr_get_size(attr[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]));
+const struct ovs_zone_limit *zone_limit =
+nl_attr_get(attr[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]);
+
+while (rem >= sizeof *zone_limit) {
+if (zone_limit->zone_id == OVS_ZONE_LIMIT_DEFAULT_ZONE) {
+*default_limit = zone_limit->limit;
+} else if (zone_limit->zone_id < OVS_ZONE_LIMIT_DEFAULT_ZONE ||
+   zone_limit->zone_id > UINT16_MAX) {
+} else {
+ct_dpif_push_zone_limit(zone_limits, zone_limit->zone_id,
+zone_limit->limit, zone_limit->count);
+}
+rem -= NLA_ALIGN(sizeof *zone_limit);
+zone_limit = ALIGNED_CAST(struct ovs_zone_limit *,
+(unsigned char *) zone_limit  + NLA_ALIGN(sizeof *zone_limit));
+}
+return 0;
+}
+
+static int
+dpif_netlink_get_limits(struct dpif *dpif OVS_UNUSED, uint32_t *default_limit,
+const struct ovs_list *zone_limits_request,
+struct ovs_list *zone_limits_reply)
+{
+struct ofpbuf *request, *reply;
+struct ovs_header *ovs_header;
+struct ovs_zone_limit req_zone_limit;
+struct ct_dpif_zone_limit *zone_limit;
+size_t opt_offset;
+int err;
+
+if (ovs_ct_limit_family < 0) {
+return EOPNOTSUPP;
+}
+
+request = ofpbuf_new(NL_DUMP_BUFSIZE);
+nl_msg_put_genlmsghdr(request, 0, ovs_ct_limit_family,
+NLM_F_REQUEST 
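Review bot: `dpif_netlink_set_limits()` copies `sizeof req_zone_limit` bytes of a stack struct into the request after assigning only `zone_id` and `limit`, so the `count` member of `struct ovs_zone_limit` goes to the kernel uninitialized; declare it as `struct ovs_zone_limit req_zone_limit = { .count = 0 };` or memset it first. The request is allocated with `ofpbuf_new()` but released with `ofpbuf_uninit()`, which as far as I know frees only the data and not the `struct ofpbuf` itself; `ofpbuf_delete(request);` is the matching call. In `dpif_netlink_zone_limits_from_ofpbuf()`, `rem` is an `int` compared against `sizeof`, so the comparison is done unsigned, and it is rounded up with `NLA_ALIGN` beyond the attribute's real payload size; `size_t rem = nl_attr_get_size(attr[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]);` avoids both. The empty branch that skips out-of-range zone ids deserves at least a comment saying the entry is deliberately ignored. This hunk is cut off on the page inside `dpif_netlink_get_limits()`, so that function is not covered here.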

[ovs-dev] [PATCH v2 07/11] ct-dpif: Helper functions for conntrack zone limit

2018-08-01 Thread Yi-Hung Wei
This patch implements some helper functions for conntrack zone limit.
It will be useful for the following patches.

Signed-off-by: Yi-Hung Wei 
---
 lib/ct-dpif.c | 32 
 lib/ct-dpif.h |  4 
 2 files changed, 36 insertions(+)

diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index d1e8a6b8b4a9..a772799fe347 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -597,3 +597,35 @@ error:
 free(copy);
 return false;
 }
+
+void
+ct_dpif_push_zone_limit(struct ovs_list *zone_limits, uint16_t zone,
+uint32_t limit, uint32_t count)
+{
+struct ct_dpif_zone_limit *zone_limit = xmalloc(sizeof *zone_limit);
+zone_limit->zone = zone;
+zone_limit->limit = limit;
+zone_limit->count = count;
+ovs_list_push_back(zone_limits, &zone_limit->node);
+}
+
+/* The caller takes ownership of 'struct ct_dpif_zone_limit *', and is
+ * responsible to free that struct. */
+struct ct_dpif_zone_limit *
+ct_dpif_pop_zone_limit(struct ovs_list *zone_limits)
+{
+struct ct_dpif_zone_limit *zone_limit;
+LIST_FOR_EACH_POP (zone_limit, node, zone_limits) {
+return zone_limit;
+}
+OVS_NOT_REACHED();
+}
+
+void
+ct_dpif_free_zone_limits(struct ovs_list *zone_limits)
+{
+while (!ovs_list_is_empty(zone_limits)) {
+struct ct_dpif_zone_limit *p = ct_dpif_pop_zone_limit(zone_limits);
+free(p);
+}
+}
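Review bot: `ct_dpif_pop_zone_limit()` reaches `OVS_NOT_REACHED()` when the list is empty, so any caller that pops without first checking `ovs_list_is_empty()` aborts the process; the comment above it mentions only ownership. Either state the precondition in the comment, e.g. `* 'zone_limits' must not be empty.`, or return NULL for an empty list and let callers test for it. `ct_dpif_free_zone_limits()` in the same hunk does check before popping. `ct_dpif_push_zone_limit()` and `ct_dpif_free_zone_limits()` have no comments; one line each on who owns the pushed element would match the comment on the pop helper.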
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 4e83bc555e03..c80e18b72b56 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -219,5 +219,9 @@ void ct_dpif_format_tuple(struct ds *, const struct 
ct_dpif_tuple *);
 uint8_t ct_dpif_coalesce_tcp_state(uint8_t state);
 void ct_dpif_format_tcp_stat(struct ds *, int, int);
 bool ct_dpif_parse_tuple(struct ct_dpif_tuple *, const char *s, struct ds *);
+void ct_dpif_push_zone_limit(struct ovs_list *, uint16_t zone, uint32_t limit,
+ uint32_t count);
+struct ct_dpif_zone_limit * ct_dpif_pop_zone_limit(struct ovs_list *);
+void ct_dpif_free_zone_limits(struct ovs_list *);
 
 #endif /* CT_DPIF_H */
-- 
2.7.4



[ovs-dev] [PATCH v2 06/11] dpif: Support conntrack zone limit.

2018-08-01 Thread Yi-Hung Wei
This patch defines the dpif interface to support conntrack
per zone limit.  Basically, OVS users can use this interface
to set, delete, and get the conntrack per zone limit for various
dpif interfaces.  The following patch will make use of the proposed
interface to implement the feature.

Signed-off-by: Yi-Hung Wei 
---
 lib/ct-dpif.c   | 30 ++
 lib/ct-dpif.h   | 12 
 lib/dpif-netdev.c   |  3 +++
 lib/dpif-netlink.c  |  3 +++
 lib/dpif-provider.h | 26 ++
 5 files changed, 74 insertions(+)

diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index 5fa3a97727e1..d1e8a6b8b4a9 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -164,6 +164,36 @@ ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_set_limits(struct dpif *dpif, const uint32_t *default_limit,
+   const struct ovs_list *zone_limits)
+{
+return (dpif->dpif_class->ct_set_limits
+? dpif->dpif_class->ct_set_limits(dpif, default_limit,
+  zone_limits)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_get_limits(struct dpif *dpif, uint32_t *default_limit,
+   const struct ovs_list *zone_limits_in,
+   struct ovs_list *zone_limits_out)
+{
+return (dpif->dpif_class->ct_get_limits
+? dpif->dpif_class->ct_get_limits(dpif, default_limit,
+  zone_limits_in,
+  zone_limits_out)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_del_limits(struct dpif *dpif, const struct ovs_list *zone_limits)
+{
+return (dpif->dpif_class->ct_del_limits
+? dpif->dpif_class->ct_del_limits(dpif, zone_limits)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
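Review bot: The three new wrappers have no comments, and `ct_dpif_get_limits()` in particular leaves its contract unstated: who frees the entries appended to `zone_limits_out`, whether an empty `zone_limits_in` means "all zones", and whether `*default_limit` is written when the provider returns an error. A short comment above each function would settle this, for example `/* On success the caller owns the entries in 'zone_limits_out' and must free them. */` if that is the intended ownership. The hunk's trailing context belongs to `ct_dpif_entry_uninit()`, which continues outside it.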
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 09e7698cf2bc..4e83bc555e03 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -191,6 +191,13 @@ struct ct_dpif_dump_state {
 struct dpif *dpif;
 };
 
+struct ct_dpif_zone_limit {
+uint16_t zone;
+uint32_t limit;
+uint32_t count;
+struct ovs_list node; /* In ct_zone_limits */
+};
+
 int ct_dpif_dump_start(struct dpif *, struct ct_dpif_dump_state **,
const uint16_t *zone, int *);
 int ct_dpif_dump_next(struct ct_dpif_dump_state *, struct ct_dpif_entry *);
@@ -200,6 +207,11 @@ int ct_dpif_flush(struct dpif *, const uint16_t *zone,
 int ct_dpif_set_maxconns(struct dpif *dpif, uint32_t maxconns);
 int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t *maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
+int ct_dpif_set_limits(struct dpif *dpif, const uint32_t *default_limit,
+   const struct ovs_list *);
+int ct_dpif_get_limits(struct dpif *dpif, uint32_t *default_limit,
+   const struct ovs_list *, struct ovs_list *);
+int ct_dpif_del_limits(struct dpif *dpif, const struct ovs_list *);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 26d07b39c9af..63368e365da4 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -6825,6 +6825,9 @@ const struct dpif_class dpif_netdev_class = {
 dpif_netdev_ct_set_maxconns,
 dpif_netdev_ct_get_maxconns,
 dpif_netdev_ct_get_nconns,
+NULL,   /* ct_set_limits */
+NULL,   /* ct_get_limits */
+NULL,   /* ct_del_limits */
 dpif_netdev_meter_get_features,
 dpif_netdev_meter_set,
 dpif_netdev_meter_get,
diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c
index f669b1108d61..ee98a3b7d8b6 100644
--- a/lib/dpif-netlink.c
+++ b/lib/dpif-netlink.c
@@ -3252,6 +3252,9 @@ const struct dpif_class dpif_netlink_class = {
 NULL,   /* ct_set_maxconns */
 NULL,   /* ct_get_maxconns */
 NULL,   /* ct_get_nconns */
+NULL,   /* ct_set_limits */
+NULL,   /* ct_get_limits */
+NULL,   /* ct_del_limits */
 dpif_netlink_meter_get_features,
 dpif_netlink_meter_set,
 dpif_netlink_meter_get,
diff --git a/lib/dpif-provider.h b/lib/dpif-provider.h
index 62b3598acfc5..53a4fbdf7ae8 100644
--- a/lib/dpif-provider.h
+++ b/lib/dpif-provider.h
@@ -444,6 +444,32 @@ struct dpif_class {
 /* Get number of connections tracked. */
 int (*ct_get_nconns)(struct dpif *, uint32_t *nconns);
 
+/* Connection tracking per zone limit */
+
+/* Per zone conntrack limit sets the maximum allowed connections in zones
+ * to provide resource isolation.  If a per zone limit for a particular
+ * zone is not available in the datapath, it defaults to the default
+ * per zone lim

[ovs-dev] [PATCH v2 05/11] datapath: conntrack: Support conntrack zone limit

2018-08-01 Thread Yi-Hung Wei
Upstream commit:
commit 11efd5cb04a184eea4f57b68ea63463158d1
Author: Yi-Hung Wei 
Date:   Thu May 24 17:56:43 2018 -0700

openvswitch: Support conntrack zone limit

Currently, nf_conntrack_max is used to limit the maximum number of
conntrack entries in the conntrack table for every network namespace.
For the VMs and containers that reside in the same namespace,
they share the same conntrack table, and the total # of conntrack entries
for all the VMs and containers are limited by nf_conntrack_max.  In this
case, if one of the VM/container abuses the usage the conntrack entries,
it blocks the others from committing valid conntrack entries into the
conntrack table.  Even if we can possibly put the VM in different network
namespace, the current nf_conntrack_max configuration is kind of rigid
that we cannot limit different VM/container to have different # conntrack
entries.

To address the aforementioned issue, this patch proposes to have a
fine-grained mechanism that could further limit the # of conntrack entries
per-zone.  For example, we can designate different zone to different VM,
and set conntrack limit to each zone.  By providing this isolation, a
mis-behaved VM only consumes the conntrack entries in its own zone, and
it will not influence other well-behaved VMs.  Moreover, the users can
set various conntrack limit to different zone based on their preference.

The proposed implementation utilizes Netfilter's nf_conncount backend
to count the number of connections in a particular zone.  If the number of
connection is above a configured limitation, ovs will return ENOMEM to the
userspace.  If userspace does not configure the zone limit, the limit
defaults to zero that is no limitation, which is backward compatible to
the behavior without this patch.

The following high level APIs are provided to the userspace:
  - OVS_CT_LIMIT_CMD_SET:
* set default connection limit for all zones
* set the connection limit for a particular zone
  - OVS_CT_LIMIT_CMD_DEL:
* remove the connection limit for a particular zone
  - OVS_CT_LIMIT_CMD_GET:
* get the default connection limit for all zones
* get the connection limit for a particular zone

Signed-off-by: Yi-Hung Wei 
Acked-by: Pravin B Shelar 
Signed-off-by: David S. Miller 

Signed-off-by: Yi-Hung Wei 
---
 NEWS |   1 +
 datapath/compat.h|   8 +
 datapath/conntrack.c | 551 ++-
 datapath/conntrack.h |   9 +-
 datapath/datapath.c  |   7 +-
 datapath/datapath.h  |   3 +
 6 files changed, 574 insertions(+), 5 deletions(-)

diff --git a/NEWS b/NEWS
index 27ef12d599d9..8270ef46ea34 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,7 @@ v2.10.0 - xx xxx 
- Linux datapath
  * Add support for compiling OVS with the latest Linux 4.14 kernel.
  * Added support for meters.
+ * Add support for conntrack zone limit.
- ovn:
  * Implemented icmp4/icmp6/tcp_reset actions in order to drop the packet
and reply with a RST for TCP or ICMPv4/ICMPv6 unreachable message for
diff --git a/datapath/compat.h b/datapath/compat.h
index 816f754c64e2..98b68640a372 100644
--- a/datapath/compat.h
+++ b/datapath/compat.h
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 
 /* Even though vanilla 3.10 kernel has grp->id, RHEL 7 kernel is missing
  * this field. */
@@ -59,8 +60,14 @@ static inline int __init compat_init(void)
if (err)
goto error_frag6_exit;
 
+   err = rpl_nf_conncount_modinit();
+   if (err)
+   goto error_nf_conncount_exit;
+
return 0;
 
+error_nf_conncount_exit:
+   rpl_nf_conncount_modexit();
 error_frag6_exit:
nf_ct_frag6_cleanup();
 error_ipfrag_exit:
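Review bot: The new failure path jumps to `error_nf_conncount_exit`, which calls `rpl_nf_conncount_modexit()` for a module whose `rpl_nf_conncount_modinit()` has just failed, and then falls through to `nf_ct_frag6_cleanup()` without undoing the step that precedes the new call. `compat_exit()` in the next hunk calls `ip6_output_exit()` between those two, so if the preceding init step is `ip6_output_init()` (it lies outside the hunk, so this is inferred), the unwind should call `ip6_output_exit()` rather than the conncount exit. In the usual goto-cleanup shape the label undoes what succeeded before the failing call: `error_ip6_output_exit: ip6_output_exit();`. `compat_init()` starts and ends outside the hunk.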
@@ -69,6 +76,7 @@ error_ipfrag_exit:
 }
 static inline void compat_exit(void)
 {
+   rpl_nf_conncount_modexit();
ip6_output_exit();
nf_ct_frag6_cleanup();
rpl_ipfrag_fini();
diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 42c7929055f0..c6e731bf5978 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -21,8 +21,11 @@
 #include 
 #include 
 #include 
+#include 
 #include 
+#include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -87,6 +90,31 @@ struct ovs_conntrack_info {
 #endif
 };
 
+#ifIS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
+#define OVS_CT_LIMIT_UNLIMITED 0
+#define OVS_CT_LIMIT_DEFAULT OVS_CT_LIMIT_UNLIMITED
+#define CT_LIMIT_HASH_BUCKETS 512
+static DEFINE_STATIC_KEY_FALSE(ovs_ct_limit_enabled);
+
+struct ovs_ct_limit {
+   /* Elements in ovs_ct_limit_info->limits hash table */
+   struct hlist_node hlist_node;
+   struct rcu_head rcu;
+   u16 zone;
+   u32 limit;
+};
+
+struct ovs_ct_limit_info {
+   u32 default_limit;
+   struct hlist_head *limits;
+   struct nf_conncount_data *dat

[ovs-dev] [PATCH v2 04/11] datapath: Add conntrack limit netlink definition

2018-08-01 Thread Yi-Hung Wei
Upstream commit:
commit 5972be6b2495c6bffbf97517fd1c070eef78
Author: Yi-Hung Wei 
Date:   Thu May 24 17:56:42 2018 -0700

openvswitch: Add conntrack limit netlink definition

Define netlink messages and attributes to support user kernel
communication that uses the conntrack limit feature.

Signed-off-by: Yi-Hung Wei 
Acked-by: Pravin B Shelar 
Signed-off-by: David S. Miller 

Signed-off-by: Yi-Hung Wei 
---
 datapath/linux/compat/include/linux/openvswitch.h | 28 +++
 1 file changed, 28 insertions(+)

diff --git a/datapath/linux/compat/include/linux/openvswitch.h 
b/datapath/linux/compat/include/linux/openvswitch.h
index 8e5f3b6fbfb1..aaeb0341ab51 100644
--- a/datapath/linux/compat/include/linux/openvswitch.h
+++ b/datapath/linux/compat/include/linux/openvswitch.h
@@ -1004,4 +1004,32 @@ enum ovs_meter_band_type {
 
 #define OVS_METER_BAND_TYPE_MAX (__OVS_METER_BAND_TYPE_MAX - 1)
 
+/* Conntrack limit */
+#define OVS_CT_LIMIT_FAMILY  "ovs_ct_limit"
+#define OVS_CT_LIMIT_MCGROUP "ovs_ct_limit"
+#define OVS_CT_LIMIT_VERSION 0x1
+
+enum ovs_ct_limit_cmd {
+   OVS_CT_LIMIT_CMD_UNSPEC,
+   OVS_CT_LIMIT_CMD_SET,   /* Add or modify ct limit. */
+   OVS_CT_LIMIT_CMD_DEL,   /* Delete ct limit. */
+   OVS_CT_LIMIT_CMD_GET/* Get ct limit. */
+};
+
+enum ovs_ct_limit_attr {
+   OVS_CT_LIMIT_ATTR_UNSPEC,
+   OVS_CT_LIMIT_ATTR_ZONE_LIMIT,   /* Nested struct ovs_zone_limit. */
+   __OVS_CT_LIMIT_ATTR_MAX
+};
+
+#define OVS_CT_LIMIT_ATTR_MAX (__OVS_CT_LIMIT_ATTR_MAX - 1)
+
+#define OVS_ZONE_LIMIT_DEFAULT_ZONE -1
+
+struct ovs_zone_limit {
+   int zone_id;
+   __u32 limit;
+   __u32 count;
+};
+
 #endif /* _LINUX_OPENVSWITCH_H */
-- 
2.7.4



[ovs-dev] [PATCH v2 03/11] datapath: compat: Introduce static key support

2018-08-01 Thread Yi-Hung Wei
This is a feature that is needed for a follow up patch
in ovs kernel datapath.

Signed-off-by: Yi-Hung Wei 
---
 acinclude.m4 |  3 +
 datapath/linux/Modules.mk|  1 +
 datapath/linux/compat/include/linux/static_key.h | 70 
 3 files changed, 74 insertions(+)
 create mode 100644 datapath/linux/compat/include/linux/static_key.h

diff --git a/acinclude.m4 b/acinclude.m4
index 96fcad55a7cb..341edbbd70f1 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -467,6 +467,9 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/linux/err.h], [IS_ERR_OR_NULL])
   OVS_GREP_IFELSE([$KSRC/include/linux/err.h], [PTR_ERR_OR_ZERO])
 
+  OVS_GREP_IFELSE([$KSRC/include/linux/jump_label.h], 
[DEFINE_STATIC_KEY_FALSE],
+  [OVS_DEFINE([HAVE_UPSTREAM_STATIC_KEY])])
+
   OVS_GREP_IFELSE([$KSRC/include/linux/etherdevice.h], [eth_hw_addr_random])
   OVS_GREP_IFELSE([$KSRC/include/linux/etherdevice.h], [ether_addr_copy])
 
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index f5c3b6580ad7..2fec6500e7c8 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -63,6 +63,7 @@ openvswitch_headers += \
linux/compat/include/linux/reciprocal_div.h \
linux/compat/include/linux/rtnetlink.h \
linux/compat/include/linux/skbuff.h \
+   linux/compat/include/linux/static_key.h \
linux/compat/include/linux/stddef.h \
linux/compat/include/linux/types.h \
linux/compat/include/linux/u64_stats_sync.h \
diff --git a/datapath/linux/compat/include/linux/static_key.h 
b/datapath/linux/compat/include/linux/static_key.h
new file mode 100644
index ..ea59e3e285a1
--- /dev/null
+++ b/datapath/linux/compat/include/linux/static_key.h
@@ -0,0 +1,70 @@
+#ifndef _STATIC_KEY_WRAPPER_H
+#define _STATIC_KEY_WRAPPER_H
+
+#include_next 
+#ifndef HAVE_UPSTREAM_STATIC_KEY
+/*
+ * This backport is based on upstream net-next commit 11276d5306b8
+ * ("locking/static_keys: Add a new static_key interface").
+ *
+ * For kernel that does not support the new static key interface,
+ * we do not backport the jump label support but the fall back version
+ * of static key that is simply a conditional branch.
+ */
+
+struct static_key_true {
+   struct static_key key;
+};
+
+struct static_key_false {
+   struct static_key key;
+};
+
+#define rpl_STATIC_KEY_INIT_TRUE   { .enabled = ATOMIC_INIT(1) }
+#define rpl_STATIC_KEY_INIT_FALSE  { .enabled = ATOMIC_INIT(0) }
+
+#define STATIC_KEY_TRUE_INIT   \
+   (struct static_key_true) { .key = rpl_STATIC_KEY_INIT_TRUE,  }
+#define STATIC_KEY_FALSE_INIT  \
+   (struct static_key_false){ .key = rpl_STATIC_KEY_INIT_FALSE, }
+
+#define DEFINE_STATIC_KEY_TRUE(name)   \
+   struct static_key_true name = STATIC_KEY_TRUE_INIT
+
+#define DEFINE_STATIC_KEY_FALSE(name)  \
+   struct static_key_false name = STATIC_KEY_FALSE_INIT
+
+static inline int rpl_static_key_count(struct static_key *key)
+{
+   return atomic_read(&key->enabled);
+}
+
+static inline void rpl_static_key_enable(struct static_key *key)
+{
+   int count = rpl_static_key_count(key);
+
+   WARN_ON_ONCE(count < 0 || count > 1);
+
+   if (!count)
+   static_key_slow_inc(key);
+}
+
+static inline void rpl_static_key_disable(struct static_key *key)
+{
+   int count = rpl_static_key_count(key);
+
+   WARN_ON_ONCE(count < 0 || count > 1);
+
+   if (count)
+   static_key_slow_dec(key);
+}
+
+#define static_branch_likely(x)
likely(static_key_enabled(&(x)->key))
+#define static_branch_unlikely(x)  unlikely(static_key_enabled(&(x)->key))
+
+#define static_branch_enable(x)rpl_static_key_enable(&(x)->key)
+#define static_branch_disable(x)   rpl_static_key_disable(&(x)->key)
+
+#endif /* HAVE_UPSTREAM_STATIC_KEY */
+
+#endif /* _STATIC_KEY_WRAPPER_H */
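Review bot: `rpl_static_key_enable()` and `rpl_static_key_disable()` read the counter with `atomic_read()` and only then call `static_key_slow_inc()` / `static_key_slow_dec()`, so the check and the update are not one atomic step. Two concurrent callers of `static_branch_enable()` can both observe 0 and increment twice, after which a single `static_branch_disable()` leaves the key enabled. Nothing in this header serializes the two steps, so I would state the contract above the helpers: `/* Callers must serialize static_branch_enable()/static_branch_disable() on the same key. */`. The callers are in a later patch of the series and are not visible here, so whether they already hold a lock needs confirming.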
-- 
2.7.4



[ovs-dev] [PATCH v2 02/11] datapath: compat: Backports nf_conncount

2018-08-01 Thread Yi-Hung Wei
This patch backports the nf_conncount backend that counts the number
of connections matching an arbitrary key.  The following patch will
use the feature to support connection tracking zone limit in ovs
kernel datapath.

This backport is based on an upstream net-next commit 5c789e131cbb
("netfilter: nf_conncount: Add list lock and gc worker, and RCU for
init tree search") that applies a couple of techniques to optimize
nf_conncount performance.

The upstream nf_conncount has a couple of export functions while
this patch only export the ones that ovs kernel module needs.

Signed-off-by: Yi-Hung Wei 
---
 acinclude.m4   |   2 +
 datapath/linux/Modules.mk  |   2 +
 .../include/net/netfilter/nf_conntrack_count.h |  61 ++
 datapath/linux/compat/nf_conncount.c   | 637 +
 4 files changed, 702 insertions(+)
 create mode 100644 
datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
 create mode 100644 datapath/linux/compat/nf_conncount.c

diff --git a/acinclude.m4 b/acinclude.m4
index 731bc07be8fa..96fcad55a7cb 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -625,6 +625,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], 
[nf_nat_alloc_null_binding])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_range2])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], 
[nf_ct_seq_adjust])
+  OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_count.h], 
[nf_conncount_gc_list],
+  [OVS_DEFINE([HAVE_UPSTREAM_NF_CONNCOUNT])])
 
   OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32])
   OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32_max])
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index 04ea5b756b6c..f5c3b6580ad7 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -17,6 +17,7 @@ openvswitch_sources += \
linux/compat/ip6_tunnel.c \
linux/compat/lisp.c \
linux/compat/netdevice.c \
+   linux/compat/nf_conncount.c \
linux/compat/nf_conntrack_core.c \
linux/compat/nf_conntrack_proto.c \
linux/compat/nf_conntrack_reasm.c \
@@ -100,6 +101,7 @@ openvswitch_headers += \
linux/compat/include/net/vxlan.h \
linux/compat/include/net/netfilter/nf_conntrack.h \
linux/compat/include/net/netfilter/nf_conntrack_core.h \
+   linux/compat/include/net/netfilter/nf_conntrack_count.h \
linux/compat/include/net/netfilter/nf_conntrack_expect.h \
linux/compat/include/net/netfilter/nf_conntrack_helper.h \
linux/compat/include/net/netfilter/nf_conntrack_labels.h \
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h 
b/datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
new file mode 100644
index ..fd536f3e1854
--- /dev/null
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
@@ -0,0 +1,61 @@
+#ifndef _NF_CONNTRACK_COUNT_WRAPPER_H
+#define _NF_CONNTRACK_COUNT_WRAPPER_H
+
+#include 
+
+#ifdef HAVE_UPSTREAM_NF_CONNCOUNT
+#include_next 
+
+static inline int rpl_nf_conncount_modinit(void)
+{
+return 0;
+}
+
+static inline void rpl_nf_conncount_modexit(void)
+{
+}
+
+#else
+#include 
+#include 
+#define CONFIG_NETFILTER_CONNCOUNT 1
+struct nf_conncount_data;
+
+enum nf_conncount_list_add {
+   NF_CONNCOUNT_ADDED, /* list add was ok */
+   NF_CONNCOUNT_ERR,   /* -ENOMEM, must drop skb */
+   NF_CONNCOUNT_SKIP,  /* list is already reclaimed by gc */
+};
+
+struct nf_conncount_list {
+   spinlock_t list_lock;
+   struct list_head head;  /* connections with the same filtering key */
+   unsigned int count; /* length of list */
+   bool dead;
+};
+
+struct nf_conncount_data
+*rpl_nf_conncount_init(struct net *net, unsigned int family,
+  unsigned int keylen);
+
+void rpl_nf_conncount_destroy(struct net *net, unsigned int family,
+ struct nf_conncount_data *data);
+
+unsigned int rpl_nf_conncount_count(struct net *net,
+   struct nf_conncount_data *data,
+   const u32 *key,
+   const struct nf_conntrack_tuple *tuple,
+   const struct nf_conntrack_zone *zone);
+
+#define nf_conncount_init rpl_nf_conncount_init
+#define nf_conncount_destroy rpl_nf_conncount_destroy
+#define nf_conncount_count rpl_nf_conncount_count
+
+int rpl_nf_conncount_modinit(void);
+void rpl_nf_conncount_modexit(void);
+#endif /* HAVE_UPSTREAM_NF_CONNCOUNT */
+
+#define nf_conncount_mod_init rpl_nf_conncount_modinit
+#define nf_conncount_modexit rpl_nf_conncount_modexit
+
+#endif /* _NF_CONNTRACK_COUNT_WRAPPER_H */
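Review bot: The two module-hook aliases at the end of the header are spelled differently, `nf_conncount_mod_init` with an underscore and `nf_conncount_modexit` without, although they map to the symmetric `rpl_nf_conncount_modinit` / `rpl_nf_conncount_modexit`. A caller that derives one name from the other will miss the wrapper, so I would make them match, e.g. `#define nf_conncount_modinit rpl_nf_conncount_modinit`, and update the caller in the later patch accordingly. Separately, `#define CONFIG_NETFILTER_CONNCOUNT 1` in the fallback branch is unguarded; wrapping it in `#ifndef CONFIG_NETFILTER_CONNCOUNT` would avoid a redefinition if a kernel config already sets it, though that may not occur in practice.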
diff --git a/datapath/linux/compat/nf_conncount.c 
b/datapath/linux/compat/nf_conncount.c
new file mode 100644
inde

[ovs-dev] [PATCH v2 01/11] compat: Backport nf_ct_netns_{get, put}()

2018-08-01 Thread Yi-Hung Wei
This patch backports nf_ct_netns_get/put() in order to support a feature
in the follow up patch.

nf_ct_netns_{get,put} were first introduced in upstream net-next commit
ecb2421b5ddf ("netfilter: add and use nf_ct_netns_get/put") in kernel
v4.10, and then updated in commit 7e35ec0e8044 ("netfilter: conntrack:
move nf_ct_netns_{get,put}() to core") in kernel v4.15.  We need to
invoke nf_ct_netns_get/put() when the underlying nf_conntrack_l3proto
supports net_ns_{get,put}().

Therefore, there are 3 cases that we need to consider.
1) Before nf_ct_{get,put}() is introduced.
We just mock nf_ct_netns_{get,put}() and do nothing.

2) After 1) and before v4.15
Backports based on commit 7e35ec0e8044 .

3) Starting from v4.15
Use the upstream version.

Signed-off-by: Yi-Hung Wei 
---
 acinclude.m4   |   4 +
 datapath/linux/Modules.mk  |   4 +-
 .../compat/include/net/netfilter/nf_conntrack.h|   8 ++
 .../linux/compat/include/uapi/linux/netfilter.h|  14 +++
 datapath/linux/compat/nf_conntrack_proto.c | 112 +
 5 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
 create mode 100644 datapath/linux/compat/nf_conntrack_proto.c

diff --git a/acinclude.m4 b/acinclude.m4
index ad6b5b5e067e..731bc07be8fa 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -588,6 +588,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   [OVS_DEFINE([HAVE_NF_HOOKFN_ARG_PRIV])])
   OVS_FIND_FIELD_IFELSE([$KSRC/include/linux/netfilter.h], [nf_hook_ops],
 [owner], [OVS_DEFINE([HAVE_NF_HOOKS_OPS_OWNER])])
+  OVS_GREP_IFELSE([$KSRC/include/linux/netfilter.h], [NFPROTO_INET])
+
 
   OVS_FIND_FIELD_IFELSE([$KSRC/include/linux/netfilter_ipv6.h], [nf_ipv6_ops],
 [fragment.*sock], 
[OVS_DEFINE([HAVE_NF_IPV6_OPS_FRAGMENT])])
@@ -610,6 +612,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   [nf_ct_is_untracked])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_zones.h],
   [nf_ct_zone_init])
+  OVS_FIND_FIELD_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_l3proto.h],
+[net_ns_get])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_labels.h],
   [nf_connlabels_get])
   OVS_FIND_PARAM_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_labels.h],
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index 104c32fa16ea..04ea5b756b6c 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -18,6 +18,7 @@ openvswitch_sources += \
linux/compat/lisp.c \
linux/compat/netdevice.c \
linux/compat/nf_conntrack_core.c \
+   linux/compat/nf_conntrack_proto.c \
linux/compat/nf_conntrack_reasm.c \
linux/compat/reciprocal_div.c \
linux/compat/skbuff-openvswitch.c \
@@ -107,5 +108,6 @@ openvswitch_headers += \
linux/compat/include/net/netfilter/nf_nat.h \
linux/compat/include/net/netfilter/ipv6/nf_defrag_ipv6.h \
linux/compat/include/net/sctp/checksum.h \
-   linux/compat/include/net/erspan.h
+   linux/compat/include/net/erspan.h \
+   linux/compat/include/uapi/linux/netfilter.h
 EXTRA_DIST += linux/compat/build-aux/export-check-whitelist
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack.h 
b/datapath/linux/compat/include/net/netfilter/nf_conntrack.h
index bb40b0f6da2a..50db914a39a1 100644
--- a/datapath/linux/compat/include/net/netfilter/nf_conntrack.h
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack.h
@@ -22,4 +22,12 @@ nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum 
ip_conntrack_info info)
skb->nfctinfo = info;
 }
 #endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,15,0)
+int rpl_nf_ct_netns_get(struct net *net, u8 nfproto);
+void rpl_nf_ct_netns_put(struct net *net, u8 nfproto);
+#define nf_ct_netns_get rpl_nf_ct_netns_get
+#define nf_ct_netns_put rpl_nf_ct_netns_put
+#endif
+
 #endif /* _NF_CONNTRACK_WRAPPER_H */
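Review bot: The new declarations are gated on `LINUX_VERSION_CODE < KERNEL_VERSION(4,15,0)`, whereas this same patch adds a configure probe for `net_ns_get` in nf_conntrack_l3proto.h. A distribution kernel that reports an older version but carries the v4.15 move of nf_ct_netns_{get,put}() to core would presumably see both the upstream prototypes and the `rpl_` macros. Consider keying this block on a configure-detected symbol instead of the version number, or add a comment explaining why the version check is sufficient. The implementation in nf_conntrack_proto.c is cut off in this view, so how it treats that case cannot be checked here.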
diff --git a/datapath/linux/compat/include/uapi/linux/netfilter.h 
b/datapath/linux/compat/include/uapi/linux/netfilter.h
new file mode 100644
index ..56895b17b334
--- /dev/null
+++ b/datapath/linux/compat/include/uapi/linux/netfilter.h
@@ -0,0 +1,14 @@
+#ifndef _NETFILTER_WRAPPER_H
+#define _NETFILTER_WRAPPER_H
+
+#include_next 
+
+/*
+ * NFPROTO_INET was introduced in net-next commit 1d49144c0aaa
+ * ("netfilter: nf_tables: add "inet" table for IPv4/IPv6") in v3.14.
+ * Define this symbol to support back to v3.10 kernel. */
+#ifndef HAVE_NFPROTO_INET
+#define NFPROTO_INET 1
+#endif
+
+#endif /* _NETFILTER_WRAPPER_H */
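Review bot: The fallback `#define NFPROTO_INET 1` depends on `HAVE_NFPROTO_INET`, which the acinclude.m4 hunk derives by grepping `$KSRC/include/linux/netfilter.h`, while this wrapper sits under `uapi/linux/netfilter.h`. If the kernel declares the NFPROTO_* constants only in the uapi header, the probe never matches and the macro is defined on every kernel, shadowing the enum constant of the same name. The value is identical, so this looks harmless today, but the probe path is worth confirming against the oldest and newest supported kernels.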
diff --git a/datapath/linux/compat/nf_conntrack_proto.c 
b/datapath/linux/compat/nf_conntrack_proto.c
new file mode 100644
index ..e877d763892d
--- /dev/null
+++ b/datapath/linux/compat/nf_conntrack_proto.c
@@ -0,0 +1,112 @@
+#include 
+
+#inc

[ovs-dev] [PATCH v2 00/11] conntrack zone limitation

2018-08-01 Thread Yi-Hung Wei
This patch series implements connection tracking zone limitation to
limit the maximum number of conntrack entries in the conntrack table
for every zone.  This feature addresses the problem that when one
VM/container is under attack and its use of conntrack entries is
abused, it may block the others from committing valid conntrack
entries into the conntrack table.

To address this issue, this patch series proposes to have a
fine-grained mechanism that could limit the # of conntrack entries
per-zone.  For example, we can designate different zone to different VM,
and set conntrack limit to each zone.  By providing this isolation, a
mis-behaved VM only consumes the conntrack entries in its own zone, and
it will not influence other well-behaved VMs.  Moreover, the users can
set various conntrack limit to different zone based on their preference.

This patch series consist of dpif layer support, kernel backports to
support this features in dpif-netlinkt, dpif-netlink implementation,
dpctl commands, and a system traffic test to verify this feature.

v1->v2: Fix a rebase error. Only patch 8 has changed.

Yi-Hung Wei (11):
  compat: Backport nf_ct_netns_{get,put}()
  datapath: compat: Backports nf_conncount
  datapath: compat: Introduce static key support
  datapath: Add conntrack limit netlink definition
  datapath: conntrack: Support conntrack zone limit
  dpif: Support conntrack zone limit.
  ct-dpif: Helper functions for conntrack zone limit
  dpif-netlink: Implement conntrack zone limiit
  dpctl: Refactor opt_dpif_open().
  dpctl: Implement dpctl commands for conntrack per zone limit
  system-traffic: Add conntrack per zoen limit test case

 NEWS   |   3 +
 acinclude.m4   |   9 +
 datapath/compat.h  |   8 +
 datapath/conntrack.c   | 551 +-
 datapath/conntrack.h   |   9 +-
 datapath/datapath.c|   7 +-
 datapath/datapath.h|   3 +
 datapath/linux/Modules.mk  |   7 +-
 datapath/linux/compat/include/linux/openvswitch.h  |  28 +
 datapath/linux/compat/include/linux/static_key.h   |  70 +++
 .../compat/include/net/netfilter/nf_conntrack.h|   8 +
 .../include/net/netfilter/nf_conntrack_count.h |  61 ++
 .../linux/compat/include/uapi/linux/netfilter.h|  14 +
 datapath/linux/compat/nf_conncount.c   | 637 +
 datapath/linux/compat/nf_conntrack_proto.c | 112 
 lib/ct-dpif.c  | 129 +
 lib/ct-dpif.h  |  20 +
 lib/dpctl.c| 252 ++--
 lib/dpctl.man  |  18 +
 lib/dpif-netdev.c  |   3 +
 lib/dpif-netlink.c | 199 +++
 lib/dpif-provider.h|  26 +
 tests/system-traffic.at|  75 +++
 23 files changed, 2202 insertions(+), 47 deletions(-)
 create mode 100644 datapath/linux/compat/include/linux/static_key.h
 create mode 100644 
datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
 create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
 create mode 100644 datapath/linux/compat/nf_conncount.c
 create mode 100644 datapath/linux/compat/nf_conntrack_proto.c

-- 
2.7.4



Re: [ovs-dev] [PATCH v4 9/9] Documentation: OVN RBAC and IPsec tutorial

2018-08-01 Thread Qiuyu Xiao
Thanks Ben! I made a few comments below. Other than that, all looks pretty good!

-Qiuyu

On Wed, Aug 1, 2018 at 10:03 AM, Ben Pfaff  wrote:
> On Tue, Jul 31, 2018 at 02:08:54PM -0700, Qiuyu Xiao wrote:
>> This patch adds step-by-step guide for configuring OVN Role-Based Access
>> Control and IPsec.
>>
>> Signed-off-by: Qiuyu Xiao 
>
> You wrote a lot of documentation, and it's really good!  Thank you.
>
> I spent some time working to make it even better.  I'm appending an
> incremental that I'd suggest folding in.  Does it make sense to you?
>
> Thanks,
>
> Ben.
>
> --8<--cut here-->8--
>
> diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst
> index 17dead5010cf..32e55b5acd0d 100644
> --- a/Documentation/howto/ipsec.rst
> +++ b/Documentation/howto/ipsec.rst
> @@ -48,7 +48,10 @@ OVS IPsec aims to provide a simple interface for user to 
> add encryption on OVS
>  tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec
>  configuration is done by setting options of the tunnel interface and
>  other_config of Open_vSwitch. You can choose different authentication methods
> -and fowarding modes based on your system requirement.
> +and forwarding modes based on your requirements.
> +
> +OVS does not currently provide any support for IPsec encryption for traffic 
> not
> +encapsulated in a tunnel.
>
>  Configuration
>  -
> @@ -59,7 +62,7 @@ Authentication Methods
>  Hosts of the IPsec tunnel need to authenticate each other to build a secure
>  channel. There are three authentication methods:
>
> -1) You can use pre-shared key (PSK) to do authentication. In both hosts, set
> +1) You can use a pre-shared key (PSK) to do authentication. In both hosts, 
> set
> the same PSK value. This PSK is like your password. You should never 
> reveal
> it to untrusted parties. This method is easier to use but less secure than
> the certificate-based methods::
> @@ -72,9 +75,9 @@ channel. There are three authentication methods:
>
> .. note::
>
> -  The local_ip field is required for the IPsec tunnel.
> +  The ``local_ip`` field is required for the IPsec tunnel.
>
> -2) You can use self-signed certificate to do authentication. In each host,
> +2) You can use a self-signed certificate to do authentication. In each host,
> generate a certificate and the paired private key. Copy the certificate of
> the remote host to the local host and configure the OVS as following::
>
> @@ -98,6 +101,10 @@ channel. There are three authentication methods:
>follow the tutorial in :doc:`/tutorials/ipsec` and use ovs-pki(8) to
>generate compatible certificate and key.
>
> +  (Before OVS version 2.10.90, ovs-pki(8) did not generate x.509 v3
> +  certificates, so if your existing PKI was generated by an older 
> version,
> +  it is not suitable for this purpose.)
> +
>  3) You can also use CA-signed certificate to do authentication. First, you 
> need
> to create a CA certificate and sign each host certificate with the CA key
> (please see :doc:`/tutorials/ipsec`). Copy the CA certificate to each
> @@ -133,8 +140,8 @@ actually taking affect to encrypt packets. To offset the 
> risk of unencrypted
>  packets leaking out during this period, you can choose a more secure 
> forwarding
>  mode.  There are three forwarding modes:
>
> -1) The default mode allows unencrypted packets being sent out before IPsec
> -   taking effect::
> +1) The default mode allows unencrypted packets to be sent before IPsec
> +   completes negotiation::
>
>   $ ovs-vsctl add-port br0 ipsec_gre0 -- \
>set interface ipsec_gre0 type=gre \
> @@ -146,7 +153,7 @@ mode.  There are three forwarding modes:
> and/or if there is firewall that can drop the plain packets that
> occasionally leak the tunnel unencrypted on OVSDB (re)configuration 
> events.
>
> -2) The ipsec_skb_mark mode filters unencrypted packets by using skb mark of
> +2) The ipsec_skb_mark mode drops unencrypted packets by using skb_mark of
> tunnel packets::
>
>   $ ovs-vsctl set Open_vSwitch . other_config:ipsec_skb_mark=0/1
> @@ -156,15 +163,15 @@ mode.  There are three forwarding modes:
>  options:remote_ip=2.2.2.2 \
>  options:psk=swordfish
>
> -   OVS IPsec filters unencrypted packets which carry the same skb mark as
> +   OVS IPsec drops unencrypted packets which carry the same skb_mark as
> `ipsec_skb_mark`. By setting the ipsec_skb_mark as 0/1, OVS IPsec prevents
> -   all unencrypted tunnel packets leaving the host since the default skb mark
> +   all unencrypted tunnel packets leaving the host since the default skb_mark
> value for tunnel packets are 0. This affects all OVS tunnels including 
> those
> without IPsec being set up. You can install OpenFlow rules to whitelist
> -   those non-IPsec tunnels by setting the skb mark of the

Re: [ovs-dev] [ovs-dev, 08 of 11] dpif-netlink: Implement conntrack zone limiit

2018-08-01 Thread 0-day Robot
Bleep bloop.  Greetings Yi-Hung Wei, I am a robot and I have tried out your 
patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


build:
^
lib/dpif-netlink.c:147:13: error: 'dpif_netlink_flow_get_stats' used but never 
defined [-Werror]
 static void dpif_netlink_flow_get_stats(const struct dpif_netlink_flow *,
 ^
lib/dpif-netlink.c:203:13: error: 'report_loss' used but never defined [-Werror]
 static void report_loss(struct dpif_netlink *, struct dpif_channel *,
 ^
lib/dpif-netlink.c:236:13: error: 'dpif_netlink_vport_to_ofpbuf' used but never 
defined [-Werror]
 static void dpif_netlink_vport_to_ofpbuf(const struct dpif_netlink_vport *,
 ^
lib/dpif-netlink.c:238:12: error: 'dpif_netlink_vport_from_ofpbuf' used but 
never defined [-Werror]
 static int dpif_netlink_vport_from_ofpbuf(struct dpif_netlink_vport *,
^
lib/dpif-netlink.c: In function 'dpif_netlink_init':
lib/dpif-netlink.c:4092:1: error: control reaches end of non-void function 
[-Werror=return-type]
 }
 ^
lib/dpif-netlink.c: At top level:
cc1: error: unrecognized command line option "-Wno-null-pointer-arithmetic" 
[-Werror]
cc1: all warnings being treated as errors
make[2]: *** [lib/dpif-netlink.lo] Error 1
make[2]: Leaving directory 
`/var/lib/jenkins/jobs/upstream_build_from_pw/workspace'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory 
`/var/lib/jenkins/jobs/upstream_build_from_pw/workspace'
make: *** [all] Error 2


Please check this out.  If you feel there has been an error, please email 
acon...@bytheb.org

Thanks,
0-day Robot


Re: [ovs-dev] [PATCH v6 1/2] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread Yi-Hung Wei
On Wed, Aug 1, 2018 at 4:00 PM, Martin Xu  wrote:
> This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
> build against multiple kernels, rhel6) to support building kmod RPMs
> with multiple minor revisions within 3.10.0-327 kernels. It was
> discovered for RHEL 7.2 that 41.3 minor revision introduced backward
> incompatible changes.
>
> VMware-BZ: #2170334
>
> Signed-off-by: Martin Xu 
> CC: Greg Rose 
> CC: Ben Pfaff 
> CC: Flavio Leitner 
> CC: Yi-Hung Wei 
> ---
Acked-by: Yi-Hung Wei 


Re: [ovs-dev] [PATCH v6 2/2] rhel: bug fix kmod spec file, rhel6

2018-08-01 Thread Yi-Hung Wei
On Wed, Aug 1, 2018 at 4:00 PM, Martin Xu  wrote:
> This patch fixes a scenario not working for RHEL7.3 in commit 89dd5819cf18.
> When multiple versions passed into the kversion for the spec file, the
> variable is used as is for the kernel module paths for command
> weak-modules --add-modules. Then the modules cannot be found.
>
> Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
> multiple kernels, rhel6)
>
> Signed-off-by: Martin Xu 
> CC: Greg Rose 
> CC: Ben Pfaff 
> CC: Flavio Leitner 
> CC: Yi-Hung Wei 
> ---

Acked-by: Yi-Hung Wei 


Re: [ovs-dev] [PATCH v5] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread Martin Xu
Thanks for the review. I've separated them into two patches in v6.

Martin

On Wed, Aug 1, 2018 at 3:48 PM, Yi-Hung Wei  wrote:

> On Wed, Aug 1, 2018 at 2:26 PM, Martin Xu  wrote:
> > This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
> > build against multiple kernels, rhel6) to support building kmod RPMs
> > with multiple minor revisions within 3.10.0-327 kernels. It was
> > discovered for RHEL 7.2 that 41.3 minor revision introduced backward
> > incompatible changes.
> >
> > Also fixes a scenario not working for RHEL7.3 in commit 89dd5819cf18.
> > When multiple versions passed into the kversion for the spec file, the
> > variable is used as is for the kernel module paths for command
> > weak-modules --add-modules. Then the modules cannot be found.
> >
> > Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
> > multiple kernels, rhel6)
> >
> > VMware-BZ: #2170334
> >
> > Signed-off-by: Martin Xu 
> > CC: Greg Rose 
> > CC: Ben Pfaff 
> > CC: Flavio Leitner 
> > CC: Yi-Hung Wei 
> > ---
> > v1->v2: added author sign-off signature
> > v2->v3: instead of using hard coded versions for openvswitch kernel
> modules,
> > retrieve the information from kmod package
> > v3->v4: sent wrong v3 patch, some echo's for debugging not removed
> > v4->v5: fix one line that exceeded 79 chars
>
> Thanks for the patch. I think it is much robust than the previous
> version.  I also did some tests on REHL 7.2 and it works great.
>
> One minor comment is that we generally separate bug fix and new
> feature into two patches. It usually makes the commit to be more
> clear.
>
> Acked-by: Yi-Hung Wei 
>


[ovs-dev] [PATCH v6 2/2] rhel: bug fix kmod spec file, rhel6

2018-08-01 Thread Martin Xu
This patch fixes a scenario not working for RHEL7.3 in commit 89dd5819cf18.
When multiple versions passed into the kversion for the spec file, the
variable is used as is for the kernel module paths for command
weak-modules --add-modules. Then the modules cannot be found.

Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
multiple kernels, rhel6)

Signed-off-by: Martin Xu 
CC: Greg Rose 
CC: Ben Pfaff 
CC: Flavio Leitner 
CC: Yi-Hung Wei 
---
v5->v6: bug fix separated to its own patch

 rhel/kmod-openvswitch-rhel6.spec.in | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/rhel/kmod-openvswitch-rhel6.spec.in 
b/rhel/kmod-openvswitch-rhel6.spec.in
index 7ca4853..afbad96 100644
--- a/rhel/kmod-openvswitch-rhel6.spec.in
+++ b/rhel/kmod-openvswitch-rhel6.spec.in
@@ -98,10 +98,8 @@ else
 [ -d "/lib/modules/$k/kernel/" ] && depmod -a "$k"
 done
 if [ -x "/sbin/weak-modules" ]; then
-for m in openvswitch vport-gre vport-stt vport-geneve \
- vport-lisp vport-vxlan; do
-echo "/lib/modules/%{kversion}/extra/%{oname}/$m.ko"
-done | /sbin/weak-modules --add-modules
+rpm -ql kmod-%{oname} | grep '\.ko$' | \
+/sbin/weak-modules --add-modules
 fi
 fi
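Review bot: The replacement pipeline queries the fixed package name `kmod-%{oname}`, while ovs-kmod-manage.sh in patch 1/2 of this series accepts either `kmod-openvswitch` or `openvswitch-kmod`. If the modules were installed under the other name, `rpm -ql` lists no `.ko` files and `weak-modules --add-modules` runs with empty input, so the scriptlet succeeds without registering anything. If this spec can only ever produce `kmod-%{oname}`, a comment such as `# module list comes from the kmod-%{oname} package built by this spec` would record that; otherwise the name lookup should match the script's. The surrounding `if`/`else` starts outside the hunk.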
 
-- 
1.8.3.1



[ovs-dev] [PATCH v6 1/2] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread Martin Xu
This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
build against multiple kernels, rhel6) to support building kmod RPMs
with multiple minor revisions within 3.10.0-327 kernels. It was
discovered for RHEL 7.2 that 41.3 minor revision introduced backward
incompatible changes.

VMware-BZ: #2170334

Signed-off-by: Martin Xu 
CC: Greg Rose 
CC: Ben Pfaff 
CC: Flavio Leitner 
CC: Yi-Hung Wei 
---
v1->v2: added author sign-off signature
v2->v3: instead of using hard coded versions for openvswitch kernel modules,
retrieve the information from kmod package
v3->v4: sent wrong v3 patch, some echo's for debugging not removed
v4->v5: fix one line that exceeded 79 chars
v5->v6: separate bug fix to a separate commit

 rhel/kmod-openvswitch-rhel6.spec.in|  7 ++-
 ...sr_share_openvswitch_scripts_ovs-kmod-manage.sh | 68 +++---
 2 files changed, 63 insertions(+), 12 deletions(-)

diff --git a/rhel/kmod-openvswitch-rhel6.spec.in 
b/rhel/kmod-openvswitch-rhel6.spec.in
index f18802d..7ca4853 100644
--- a/rhel/kmod-openvswitch-rhel6.spec.in
+++ b/rhel/kmod-openvswitch-rhel6.spec.in
@@ -31,7 +31,8 @@ BuildRoot:  %(mktemp -ud 
%{_tmppath}/%{name}-%{version}-%{release}-XX)
 # for specified kernel version.
 # Use -D 'kversion 3.10.0-693.1.1.el7.x86_64 3.10.0-693.17.1.el7.x86_64'
 # to build package for mulitple kernel versions in the same package
-# This only works for kernel 3.10.0 major revision 693
+# This only works for kernel 3.10.0 major revision 693 (RHEL 7.4)
+# and major revision 327 (RHEL 7.2)
 # By default, build against the latest installed kernel-devel
 %{!?kversion:%global kversion %(rpm -qa | egrep "^kernel(-rt|-aarch64)?-devel" 
| /usr/lib/rpm/redhat/rpmsort -r | head -n 1| sed "s/^kernel.*-devel-//")}
 
@@ -86,8 +87,8 @@ install -p -m 0755 
rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh \
 current_kernel=$(uname -r)
 IFS=. read installed_major installed_minor installed_micro installed_arch \
 installed_build <<<"${current_kernel##*-}"
-if [ "$installed_major" = "693" ]; then
-# Workaround for RHEL 7.4
+if [ "$installed_major" = "327" ] || [ "$installed_major" = "693" ]; then
+# Workaround for RHEL 7.2 and 7.4
 if [ -x "/usr/share/%{oname}/scripts/ovs-kmod-manage.sh" ]; then
 /usr/share/%{oname}/scripts/ovs-kmod-manage.sh
 fi
diff --git a/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh 
b/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
index a6c738f..6beabeb 100644
--- a/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
+++ b/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
@@ -14,23 +14,39 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This version of the script is intended to be used on kernel version
-# 3.10.0 major revision 693 only. It is packaged in the openvswitch kmod RPM
-# built using the rhel6 spec file, and run in the post-install for minor 
-# revision 693 kernels.
+# This version of the script is intended to be used on kernel version 3.10.0
+# major revision 327 and 693 only. It is packaged in the openvswitch kmod RPM
+# built using the rhel6 spec file, and run in the post-install for major
+# revision 327/693 kernels.
 #
-# Due to some backward incompatible changes introduced in minor revision 17.1,
+# For kernel 3.10.0-693,
+# due to some backward incompatible changes introduced in minor revision 17.1,
 # kernel modules built against kernels newer than 17.1 cannot be loaded on
 # system running kernels older than 17.1, vice versa.
 #
+# For kernel 3.10.0-327,
+# due to some backward incompatible changes introduced in minor revision 41.3,
+# kernel modules built against kernels newer than 41.3 cannot be loaded on
+# system running kernels older than 41.3, vice versa.
+#
 # This script checks the current running kernel version, and update symlinks
 # for the openvswitch kernel modules in the appropriate kernel directory,
 # provided the kmod RPM has installed kernel modules files built from both
-# 1.1 and 17.1 minor revisions.
+# minor revisions.
 # 
 # In case of a kernel minor revision change after the openvswitch kmod package
 # is installed, this script shall be run manually after system reboots and
 # switches to a different kernel
+if [ -n "$(rpm -qa kmod-openvswitch)" ]; then
+rpmname="kmod-openvswitch"
+elif [ -n "$(rpm -qa openvswitch-kmod)" ]; then
+rpmname="openvswitch-kmod"
+else
+echo "openvswitch kmod package not installed, existing"
+exit 1
+fi
+#echo $rpmname
+
 script_name=$(basename -- "$0")
 current_kernel=$(uname -r)
 echo current kernel is $current_kernel
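Review bot: The new failure branch prints `openvswitch kmod package not installed, existing` to stdout; the word should be `exiting`, and an error belongs on stderr: `echo "openvswitch kmod package not installed, exiting" >&2`. The commented-out `#echo $rpmname` below it looks like leftover debugging and can be dropped. Testing with `rpm -q NAME` and its exit status would also be more direct than checking whether `rpm -qa NAME` printed anything.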
@@ -42,7 +58,41 @@ IFS=. read installed_major installed_minor installed_micro \
 # installed_build=$installed_build
 
 expected_base_minor="el7"
-expected_minor=11
+if [ "$installed_major" = "327" ]; then
+expected_minor=36
+elif [ "$installed_major" = "693" ]; then
+expected_minor=11
+else
+echo "This script is not 

[ovs-dev] [PATCH 10/11] dpctl: Implement dpctl commands for conntrack per zone limit

2018-08-01 Thread Yi-Hung Wei
This patch implements the following three commands on dpctl so that
users can use ovs-dpctl or ovs-appctl to set, delete, and get the
per zone limit.

For example,

$ ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=3
$ ovs-appctl dpctl/ct-del-limits zone=0
$ ovs-appctl dpctl/ct-get-limits zone=1,2,3

Signed-off-by: Yi-Hung Wei 
---
 NEWS  |   2 +
 lib/ct-dpif.c |  67 +++
 lib/ct-dpif.h |   4 ++
 lib/dpctl.c   | 169 +-
 lib/dpctl.man |  18 +++
 5 files changed, 259 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 8270ef46ea34..31c5a1e400dc 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,8 @@ v2.10.0 - xx xxx 
default it always accepts names and in interactive use it displays them;
use --names or --no-names to override.  See ovs-ofctl(8) for details.
- ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
+   - ovs-dpctl:
+ * New commands "ct-set-limits", "ct-del-limits", and "ct-get-limits".
- OpenFlow:
  * OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
  * OpenFlow 1.5 extensible statistics (OXS) now implemented.
diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index a772799fe347..bb809d9920b5 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -629,3 +629,70 @@ ct_dpif_free_zone_limits(struct ovs_list *zone_limits)
 free(p);
 }
 }
+
+/* Parses a specification of a conntrack zone limit from 's' into '*pzone'
+ * and '*plimit'.  Returns true on success.  Otherwise, returns false and
+ * and puts the error message in 'ds'. */
+bool
+ct_dpif_parse_zone_limit_tuple(const char *s, uint16_t *pzone,
+   uint32_t *plimit, struct ds *ds)
+{
+char *pos, *key, *value, *copy, *err;
+bool parsed_limit = false, parsed_zone = false;
+
+pos = copy = xstrdup(s);
+while (ofputil_parse_key_value(&pos, &key, &value)) {
+if (!*value) {
+ds_put_format(ds, "field %s missing value", key);
+goto error;
+}
+
+if (!strcmp(key, "zone")) {
+err = str_to_u16(value, key, pzone);
+if (err) {
+free(err);
+goto error_with_msg;
+}
+parsed_zone = true;
+}  else if (!strcmp(key, "limit")) {
+err = str_to_u32(value, plimit);
+if (err) {
+free(err);
+goto error_with_msg;
+}
+parsed_limit = true;
+} else {
+ds_put_format(ds, "invalid zone limit field: %s", key);
+goto error;
+}
+}
+
+if (parsed_zone == false || parsed_limit == false) {
+ds_put_format(ds, "failed to parse zone limit");
+goto error;
+}
+
+free(copy);
+return true;
+
+error_with_msg:
+ds_put_format(ds, "failed to parse field %s", key);
+error:
+free(copy);
+return false;
+}
+
+void
+ct_dpif_format_zone_limits(uint32_t default_limit,
+   const struct ovs_list *zone_limits, struct ds *ds)
+{
+struct ct_dpif_zone_limit *zone_limit;
+
+ds_put_format(ds, "default_limit=%"PRIu32, default_limit);
+
+LIST_FOR_EACH (zone_limit, node, zone_limits) {
+ds_put_format(ds, " zone=%"PRIu16, zone_limit->zone);
+ds_put_format(ds, ",limit=%"PRIu32, zone_limit->limit);
+ds_put_format(ds, ",count=%"PRIu32, zone_limit->count);
+}
+}
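Review bot: In ct_dpif_parse_zone_limit_tuple() both conversion failures call `free(err)` and jump to error_with_msg, so the message returned by str_to_u16()/str_to_u32() is discarded and the operator only sees "failed to parse field <key>". This string comes straight from the ovs-dpctl/ovs-appctl command line, so it is worth passing the converter's own explanation through: `ds_put_cstr(ds, err); free(err); goto error;`. The loop also accepts a repeated key (the last `zone=` or `limit=` wins) and writes '*pzone'/'*plimit' before the whole tuple has validated; either reject duplicates or say so in the header comment. ct_dpif_format_zone_limits() has no comment describing the output format it appends to 'ds'.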
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index c80e18b72b56..c9cfb258b133 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -223,5 +223,9 @@ void ct_dpif_push_zone_limit(struct ovs_list *, uint16_t 
zone, uint32_t limit,
  uint32_t count);
 struct ct_dpif_zone_limit * ct_dpif_pop_zone_limit(struct ovs_list *);
 void ct_dpif_free_zone_limits(struct ovs_list *);
+bool ct_dpif_parse_zone_limit_tuple(const char *s, uint16_t *pzone,
+uint32_t *plimit, struct ds *);
+void ct_dpif_format_zone_limits(uint32_t default_limit,
+const struct ovs_list *, struct ds *);
 
 #endif /* CT_DPIF_H */
diff --git a/lib/dpctl.c b/lib/dpctl.c
index 35733774b331..560f713cfd51 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -199,7 +199,7 @@ parsed_dpif_open(const char *arg_, bool create, struct dpif 
**dpifp)
  * to be parsed in '*indexp'.  */
 static int
 opt_dpif_open(int argc, const char *argv[], struct dpctl_params *dpctl_p,
-  uint8_t max_args, struct dpif **dpifp, bool multi_opt,
+  int max_args, struct dpif **dpifp, bool multi_opt,
   int *indexp)
 {
 char *dpname;
@@ -1683,6 +1683,167 @@ dpctl_ct_get_nconns(int argc, const char *argv[],
 return error;
 }
 
+static int
+dpctl_ct_set_limits(int argc, const char *argv[],
+struct dpctl_params *dpctl_p)
+{
+struct dpif *dpif;
+struct ds ds = DS_EMPTY_INITIALIZER;
+int error, i = 1;
+uint32_t default_limi

[ovs-dev] [PATCH 11/11] system-traffic: Add conntrack per zoen limit test case

2018-08-01 Thread Yi-Hung Wei
Signed-off-by: Yi-Hung Wei 
---
 tests/system-traffic.at | 75 +
 1 file changed, 75 insertions(+)

diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index cbd954257ae8..1e6bf1e75565 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -2918,6 +2918,81 @@ 
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
+AT_SETUP([conntrack - limit by zone])
+CHECK_CONNTRACK()
+CHECK_CT_DPIF_FLUSH_BY_CT_TUPLE()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=100,in_port=1,udp,action=ct(commit),2
+priority=100,in_port=2,udp,action=ct(zone=3,commit),1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 
zone=1,limit=15 zone=2,limit=3 zone=3,limit=3])
+AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=1,2,4])
+AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3], [],[dnl
+default_limit=10 zone=0,limit=5,count=0 zone=1,limit=10,count=0 
zone=2,limit=10,count=0 zone=3,limit=3,count=0
+])
+
+dnl Test UDP from port 1
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100020008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100030008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100040008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100050008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100060008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100070008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100080008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a010102000100090008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 
packet=5054000a505400090800451c0011a4cd0a0101010a0101020001000a0008
 actions=resubmit(,0)"])
+
+AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3,4,5], [0], [dnl
+default_limit=10 zone=0,limit=5,count=5 zone=1,limit=10,count=0 
zone=2,limit=10,count=0 zone=3,limit=3,count=0 zone=4,limit=10,count=0 
zone=5,limit=10,count=0
+])
+
+dnl Test ct-get-limits for all zoens
+AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl
+default_limit=10 zone=0,limit=5,count=5 zone=3,limit=3,count=0
+])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1," | 
sort ], [0], [dnl
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=3),reply=(src=10.1.1.2,dst=10.1.1.1,sport=3,dport=1)
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=4),reply=(src=10.1.1.2,dst=10.1.1.1,sport=4,dport=1)
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=5),reply=(src=10.1.1.2,dst=10.1.1.1,sport=5,dport=1)
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=6),reply=(src=10.1.1.2,dst=10.1.1.1,sport=6,dport=1)
+])
+
+dnl Test UDP from port 2
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100020008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100030008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100040008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100050008
 actions=resubmit(,0)"])
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 
packet=5054000a505400090800451c0011a4cd0a0101030a010104000100060008
 actions=resubmit(,0)"])
+
+AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,3], [0], [dnl
+default_limit=10 zone=0,limit=5,count=5 zone=3,limit=3,count=3

[ovs-dev] [PATCH 08/11] dpif-netlink: Implement conntrack zone limiit

2018-08-01 Thread Yi-Hung Wei
This patch provides the implementation of the conntrack zone limit
in dpif-netlink.  It uses the netlink API to communicate with the
OVS kernel module to set, delete, and get the conntrack zone limit.

Signed-off-by: Yi-Hung Wei 
---
 lib/dpif-netlink.c | 201 -
 1 file changed, 198 insertions(+), 3 deletions(-)

diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c
index ee98a3b7d8b6..4af827b83aa9 100644
--- a/lib/dpif-netlink.c
+++ b/lib/dpif-netlink.c
@@ -213,6 +213,7 @@ static int ovs_vport_family;
 static int ovs_flow_family;
 static int ovs_packet_family;
 static int ovs_meter_family;
+static int ovs_ct_limit_family;
 
 /* Generic Netlink multicast groups for OVS.
  *
@@ -2919,6 +2920,195 @@ dpif_netlink_ct_flush(struct dpif *dpif OVS_UNUSED, 
const uint16_t *zone,
 }
 }
 
+static int
+dpif_netlink_set_limits(struct dpif *dpif OVS_UNUSED,
+const uint32_t *default_limits,
+const struct ovs_list *zone_limits)
+{
+struct ofpbuf *request;
+struct ovs_header *ovs_header;
+size_t opt_offset;
+int err;
+struct ovs_zone_limit req_zone_limit;
+
+if (ovs_ct_limit_family < 0) {
+return EOPNOTSUPP;
+}
+
+request = ofpbuf_new(NL_DUMP_BUFSIZE);
+nl_msg_put_genlmsghdr(request, 0, ovs_ct_limit_family,
+  NLM_F_REQUEST | NLM_F_ECHO, OVS_CT_LIMIT_CMD_SET,
+  OVS_CT_LIMIT_VERSION);
+
+ovs_header = ofpbuf_put_uninit(request, sizeof *ovs_header);
+ovs_header->dp_ifindex = 0;
+
+opt_offset = nl_msg_start_nested(request, OVS_CT_LIMIT_ATTR_ZONE_LIMIT);
+if (default_limits) {
+req_zone_limit.zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE;
+req_zone_limit.limit = *default_limits;
+nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit);
+}
+
+if (!ovs_list_is_empty(zone_limits)) {
+struct ct_dpif_zone_limit *zone_limit;
+
+LIST_FOR_EACH (zone_limit, node, zone_limits) {
+req_zone_limit.zone_id = zone_limit->zone;
+req_zone_limit.limit = zone_limit->limit;
+nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit);
+}
+}
+nl_msg_end_nested(request, opt_offset);
+
+err = nl_transact(NETLINK_GENERIC, request, NULL);
+ofpbuf_uninit(request);
+return err;
+}
+
+static int
+dpif_netlink_zone_limits_from_ofpbuf(const struct ofpbuf *buf,
+ uint32_t *default_limit,
+ struct ovs_list *zone_limits)
+{
+static const struct nl_policy ovs_ct_limit_policy[] = {
+[OVS_CT_LIMIT_ATTR_ZONE_LIMIT] = { .type = NL_A_NESTED,
+   .optional = true },
+};
+
+struct ofpbuf b = ofpbuf_const_initializer(buf->data, buf->size);
+struct nlmsghdr *nlmsg = ofpbuf_try_pull(&b, sizeof *nlmsg);
+struct genlmsghdr *genl = ofpbuf_try_pull(&b, sizeof *genl);
+struct ovs_header *ovs_header = ofpbuf_try_pull(&b, sizeof *ovs_header);
+
+struct nlattr *attr[ARRAY_SIZE(ovs_ct_limit_policy)];
+
+if (!nlmsg || !genl || !ovs_header
+|| nlmsg->nlmsg_type != ovs_ct_limit_family
+|| !nl_policy_parse(&b, 0, ovs_ct_limit_policy, attr,
+ARRAY_SIZE(ovs_ct_limit_policy))) {
+return EINVAL;
+}
+
+
+if (!attr[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]) {
+return EINVAL;
+}
+
+int rem = NLA_ALIGN(
+nl_attr_get_size(attr[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]));
+const struct ovs_zone_limit *zone_limit =
+nl_attr_get(attr[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]);
+
+while (rem >= sizeof *zone_limit) {
+if (zone_limit->zone_id == OVS_ZONE_LIMIT_DEFAULT_ZONE) {
+*default_limit = zone_limit->limit;
+} else if (zone_limit->zone_id < OVS_ZONE_LIMIT_DEFAULT_ZONE ||
+   zone_limit->zone_id > UINT16_MAX) {
+} else {
+ct_dpif_push_zone_limit(zone_limits, zone_limit->zone_id,
+zone_limit->limit, zone_limit->count);
+}
+rem -= NLA_ALIGN(sizeof *zone_limit);
+zone_limit = ALIGNED_CAST(struct ovs_zone_limit *,
+(unsigned char *) zone_limit  + NLA_ALIGN(sizeof *zone_limit));
+}
+return 0;
+}
+
+static int
+dpif_netlink_get_limits(struct dpif *dpif OVS_UNUSED, uint32_t *default_limit,
+const struct ovs_list *zone_limits_request,
+struct ovs_list *zone_limits_reply)
+{
+struct ofpbuf *request, *reply;
+struct ovs_header *ovs_header;
+struct ovs_zone_limit req_zone_limit;
+struct ct_dpif_zone_limit *zone_limit;
+size_t opt_offset;
+int err;
+
+if (ovs_ct_limit_family < 0) {
+return EOPNOTSUPP;
+}
+
+request = ofpbuf_new(NL_DUMP_BUFSIZE);
+nl_msg_put_genlmsghdr(request, 0, ovs_ct_limit_family,
+NLM_F_REQUEST 

[ovs-dev] [PATCH 09/11] dpctl: Refactor opt_dpif_open().

2018-08-01 Thread Yi-Hung Wei
Make opt_dpif_open() support multiple optional arguments.  It will
be useful for the following patches.

Signed-off-by: Yi-Hung Wei 
---
 lib/dpctl.c | 85 -
 1 file changed, 44 insertions(+), 41 deletions(-)

diff --git a/lib/dpctl.c b/lib/dpctl.c
index 4f1e443f2662..35733774b331 100644
--- a/lib/dpctl.c
+++ b/lib/dpctl.c
@@ -191,14 +191,40 @@ parsed_dpif_open(const char *arg_, bool create, struct 
dpif **dpifp)
  *
  * The datapath name is not a mandatory parameter for this command.  If
  * it is not specified -- so 'argc' < 'max_args' -- we retrieve it from
- * the current setup, assuming only one exists.  On success stores the
- * opened dpif in '*dpifp'. */
+ * the current setup, assuming only one exists.
+ * For commands with multiple optional arguments, we try to use the first
+ * argument as the dpif name. If it is failed, then we fallback to
+ * retrieve it form the current setup.
+ * On success stores the opened dpif in '*dpifp', and the next arugment
+ * to be parsed in '*indexp'.  */
 static int
 opt_dpif_open(int argc, const char *argv[], struct dpctl_params *dpctl_p,
-  uint8_t max_args, struct dpif **dpifp)
+  uint8_t max_args, struct dpif **dpifp, bool multi_opt,
+  int *indexp)
 {
+char *dpname;
 int error = 0;
-char *dpname = argc >= max_args ? xstrdup(argv[1]) : get_one_dp(dpctl_p);
+
+if (indexp) {
+*indexp = 1;
+}
+
+if (multi_opt && argc > 1) {
+error = parsed_dpif_open(argv[1], false, dpifp);
+if (!error) {
+if (indexp) {
+*indexp = 2;
+}
+return 0;
+} else if (argc == max_args) {
+dpctl_error(dpctl_p, error, "invalid datapath");
+return error;
+}
+dpname = get_one_dp(dpctl_p);
+} else {
+dpname = argc >= max_args ? xstrdup(argv[1]) : get_one_dp(dpctl_p);
+}
+
 if (!dpname) {
 error = EINVAL;
 dpctl_error(dpctl_p, error, "datapath not found");
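Review bot: In the multi_opt branch the failure check is `else if (argc == max_args)`, while the other branch treats `argc >= max_args` as "a datapath name was given". If a caller ever passes more than max_args arguments, a failed open of argv[1] is not reported and the code falls back to get_one_dp(); `} else if (argc >= max_args) {` keeps the two branches consistent. The header comment should also state that with multi_opt an argv[1] that does not open as a datapath is treated as the first command argument, so a mistyped datapath name on a command such as flush-conntrack surfaces later as an argument parse error rather than as "invalid datapath". The function body continues outside the hunk.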
@@ -863,7 +889,7 @@ dpctl_dump_flows(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 }
 }
 
-error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
 if (error) {
 goto out_free;
 }
@@ -990,7 +1016,7 @@ dpctl_put_flow(int argc, const char *argv[], enum 
dpif_flow_put_flags flags,
 struct simap port_names;
 int n, error;
 
-error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1092,7 +1118,7 @@ dpctl_get_flow(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 struct ds ds;
 int n, error;
 
-error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1141,7 +1167,7 @@ dpctl_del_flow(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 struct simap port_names;
 int n, error;
 
-error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1210,7 +1236,7 @@ dpctl_del_flows(int argc, const char *argv[], struct 
dpctl_params *dpctl_p)
 {
 struct dpif *dpif;
 
-int error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
+int error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1271,7 +1297,7 @@ dpctl_dump_conntrack(int argc, const char *argv[],
 argc--;
 }
 
-error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif);
+error = opt_dpif_open(argc, argv, dpctl_p, 2, &dpif, false, NULL);
 if (error) {
 return error;
 }
@@ -1313,34 +1339,11 @@ dpctl_flush_conntrack(int argc, const char *argv[],
 struct ct_dpif_tuple tuple, *ptuple = NULL;
 struct ds ds = DS_EMPTY_INITIALIZER;
 uint16_t zone, *pzone = NULL;
-char *name;
 int error, i = 1;
-bool got_dpif = false;
 
-/* Parse datapath name. It is not a mandatory parameter for this command.
- * If it is not specified, we retrieve it from the current setup,
- * assuming only one exists. */
-if (argc >= 2) {
-error = parsed_dpif_open(argv[i], false, &dpif);
-if (!error) {
-got_dpif = true;
-i++;
-} else if (argc == 4) {
-dpctl_error(dpctl_p, error, "invalid datapath");
-return error;
-}
-}
-if (!got_dpif) {
-name = get_one_dp(dpctl_p);
-if (!name) {
-return EINVAL;
-}
-error = parsed_dpif_open(name, false, &dpif);
-free(name);
-if (error) {
-dpctl_error(dpctl_p, error, "opening datapath");
-return error

[ovs-dev] [PATCH 06/11] dpif: Support conntrack zone limit.

2018-08-01 Thread Yi-Hung Wei
This patch defines the dpif interface to support conntrack
per zone limit.  Basically, OVS users can use this interface
to set, delete, and get the conntrack per zone limit for various
dpif interfaces.  The following patch will make use of the proposed
interface to implement the feature.

Signed-off-by: Yi-Hung Wei 
---
 lib/ct-dpif.c   | 30 ++
 lib/ct-dpif.h   | 12 
 lib/dpif-netdev.c   |  3 +++
 lib/dpif-netlink.c  |  3 +++
 lib/dpif-provider.h | 26 ++
 5 files changed, 74 insertions(+)

diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index 5fa3a97727e1..d1e8a6b8b4a9 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -164,6 +164,36 @@ ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns)
 : EOPNOTSUPP);
 }
 
+int
+ct_dpif_set_limits(struct dpif *dpif, const uint32_t *default_limit,
+   const struct ovs_list *zone_limits)
+{
+return (dpif->dpif_class->ct_set_limits
+? dpif->dpif_class->ct_set_limits(dpif, default_limit,
+  zone_limits)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_get_limits(struct dpif *dpif, uint32_t *default_limit,
+   const struct ovs_list *zone_limits_in,
+   struct ovs_list *zone_limits_out)
+{
+return (dpif->dpif_class->ct_get_limits
+? dpif->dpif_class->ct_get_limits(dpif, default_limit,
+  zone_limits_in,
+  zone_limits_out)
+: EOPNOTSUPP);
+}
+
+int
+ct_dpif_del_limits(struct dpif *dpif, const struct ovs_list *zone_limits)
+{
+return (dpif->dpif_class->ct_del_limits
+? dpif->dpif_class->ct_del_limits(dpif, zone_limits)
+: EOPNOTSUPP);
+}
+
 void
 ct_dpif_entry_uninit(struct ct_dpif_entry *entry)
 {
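Review bot: ct_dpif_set_limits(), ct_dpif_get_limits() and ct_dpif_del_limits() are added without comments, so their contract has to be guessed from the provider header. Each should get a short comment stating that EOPNOTSUPP is returned when the datapath class leaves the hook NULL. ct_dpif_get_limits() should also say who owns the entries placed on 'zone_limits_out'; judging by the netlink implementation later in the series the callee allocates them and the caller frees them, but that should be confirmed and written down. It is also worth stating whether 'default_limit' may be NULL in ct_dpif_set_limits(), e.g. `/* 'default_limit' may be NULL to leave the default limit unchanged. */` if that is the intent.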
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 09e7698cf2bc..4e83bc555e03 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -191,6 +191,13 @@ struct ct_dpif_dump_state {
 struct dpif *dpif;
 };
 
+struct ct_dpif_zone_limit {
+uint16_t zone;
+uint32_t limit;
+uint32_t count;
+struct ovs_list node; /* In ct_zone_limits */
+};
+
 int ct_dpif_dump_start(struct dpif *, struct ct_dpif_dump_state **,
const uint16_t *zone, int *);
 int ct_dpif_dump_next(struct ct_dpif_dump_state *, struct ct_dpif_entry *);
@@ -200,6 +207,11 @@ int ct_dpif_flush(struct dpif *, const uint16_t *zone,
 int ct_dpif_set_maxconns(struct dpif *dpif, uint32_t maxconns);
 int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t *maxconns);
 int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns);
+int ct_dpif_set_limits(struct dpif *dpif, const uint32_t *default_limit,
+   const struct ovs_list *);
+int ct_dpif_get_limits(struct dpif *dpif, uint32_t *default_limit,
+   const struct ovs_list *, struct ovs_list *);
+int ct_dpif_del_limits(struct dpif *dpif, const struct ovs_list *);
 void ct_dpif_entry_uninit(struct ct_dpif_entry *);
 void ct_dpif_format_entry(const struct ct_dpif_entry *, struct ds *,
   bool verbose, bool print_stats);
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 26d07b39c9af..63368e365da4 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -6825,6 +6825,9 @@ const struct dpif_class dpif_netdev_class = {
 dpif_netdev_ct_set_maxconns,
 dpif_netdev_ct_get_maxconns,
 dpif_netdev_ct_get_nconns,
+NULL,   /* ct_set_limits */
+NULL,   /* ct_get_limits */
+NULL,   /* ct_del_limits */
 dpif_netdev_meter_get_features,
 dpif_netdev_meter_set,
 dpif_netdev_meter_get,
diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c
index f669b1108d61..ee98a3b7d8b6 100644
--- a/lib/dpif-netlink.c
+++ b/lib/dpif-netlink.c
@@ -3252,6 +3252,9 @@ const struct dpif_class dpif_netlink_class = {
 NULL,   /* ct_set_maxconns */
 NULL,   /* ct_get_maxconns */
 NULL,   /* ct_get_nconns */
+NULL,   /* ct_set_limits */
+NULL,   /* ct_get_limits */
+NULL,   /* ct_del_limits */
 dpif_netlink_meter_get_features,
 dpif_netlink_meter_set,
 dpif_netlink_meter_get,
diff --git a/lib/dpif-provider.h b/lib/dpif-provider.h
index 62b3598acfc5..53a4fbdf7ae8 100644
--- a/lib/dpif-provider.h
+++ b/lib/dpif-provider.h
@@ -444,6 +444,32 @@ struct dpif_class {
 /* Get number of connections tracked. */
 int (*ct_get_nconns)(struct dpif *, uint32_t *nconns);
 
+/* Connection tracking per zone limit */
+
+/* Per zone conntrack limit sets the maximum allowed connections in zones
+ * to provide resource isolation.  If a per zone limit for a particular
+ * zone is not available in the datapath, it defaults to the default
+ * per zone lim

[ovs-dev] [PATCH 07/11] ct-dpif: Helper functions for conntrack zone limit

2018-08-01 Thread Yi-Hung Wei
This patch implements some helper functions for conntrack zone limit.
They will be useful for the following patches.

Signed-off-by: Yi-Hung Wei 
---
 lib/ct-dpif.c | 32 
 lib/ct-dpif.h |  4 
 2 files changed, 36 insertions(+)

diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c
index d1e8a6b8b4a9..a772799fe347 100644
--- a/lib/ct-dpif.c
+++ b/lib/ct-dpif.c
@@ -597,3 +597,35 @@ error:
 free(copy);
 return false;
 }
+
+void
+ct_dpif_push_zone_limit(struct ovs_list *zone_limits, uint16_t zone,
+uint32_t limit, uint32_t count)
+{
+struct ct_dpif_zone_limit *zone_limit = xmalloc(sizeof *zone_limit);
+zone_limit->zone = zone;
+zone_limit->limit = limit;
+zone_limit->count = count;
+ovs_list_push_back(zone_limits, &zone_limit->node);
+}
+
+/* The caller takes ownership of 'struct ct_dpif_zone_limit *', and is
+ * responsible to free that struct. */
+struct ct_dpif_zone_limit *
+ct_dpif_pop_zone_limit(struct ovs_list *zone_limits)
+{
+struct ct_dpif_zone_limit *zone_limit;
+LIST_FOR_EACH_POP (zone_limit, node, zone_limits) {
+return zone_limit;
+}
+OVS_NOT_REACHED();
+}
+
+void
+ct_dpif_free_zone_limits(struct ovs_list *zone_limits)
+{
+while (!ovs_list_is_empty(zone_limits)) {
+struct ct_dpif_zone_limit *p = ct_dpif_pop_zone_limit(zone_limits);
+free(p);
+}
+}
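Review bot: ct_dpif_pop_zone_limit() reaches OVS_NOT_REACHED() when 'zone_limits' is empty, but its comment only covers ownership. The precondition should be documented, for example `/* 'zone_limits' must not be empty. */`, or the function should return NULL for an empty list so that a caller walking a reply list cannot abort the process. ct_dpif_free_zone_limits() checks ovs_list_is_empty() before each pop and is fine as written. It and ct_dpif_push_zone_limit() still lack a one-line comment; the latter should note that the entry is heap-allocated and must be released with ct_dpif_free_zone_limits().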
diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h
index 4e83bc555e03..c80e18b72b56 100644
--- a/lib/ct-dpif.h
+++ b/lib/ct-dpif.h
@@ -219,5 +219,9 @@ void ct_dpif_format_tuple(struct ds *, const struct 
ct_dpif_tuple *);
 uint8_t ct_dpif_coalesce_tcp_state(uint8_t state);
 void ct_dpif_format_tcp_stat(struct ds *, int, int);
 bool ct_dpif_parse_tuple(struct ct_dpif_tuple *, const char *s, struct ds *);
+void ct_dpif_push_zone_limit(struct ovs_list *, uint16_t zone, uint32_t limit,
+ uint32_t count);
+struct ct_dpif_zone_limit * ct_dpif_pop_zone_limit(struct ovs_list *);
+void ct_dpif_free_zone_limits(struct ovs_list *);
 
 #endif /* CT_DPIF_H */
-- 
2.7.4



[ovs-dev] [PATCH 05/11] datapath: conntrack: Support conntrack zone limit

2018-08-01 Thread Yi-Hung Wei
Upstream commit:
commit 11efd5cb04a184eea4f57b68ea63463158d1
Author: Yi-Hung Wei 
Date:   Thu May 24 17:56:43 2018 -0700

openvswitch: Support conntrack zone limit

Currently, nf_conntrack_max is used to limit the maximum number of
conntrack entries in the conntrack table for every network namespace.
For the VMs and containers that reside in the same namespace,
they share the same conntrack table, and the total # of conntrack entries
for all the VMs and containers are limited by nf_conntrack_max.  In this
case, if one of the VM/container abuses the usage the conntrack entries,
it blocks the others from committing valid conntrack entries into the
conntrack table.  Even if we can possibly put the VM in different network
namespace, the current nf_conntrack_max configuration is kind of rigid
that we cannot limit different VM/container to have different # conntrack
entries.

To address the aforementioned issue, this patch proposes to have a
fine-grained mechanism that could further limit the # of conntrack entries
per-zone.  For example, we can designate different zone to different VM,
and set conntrack limit to each zone.  By providing this isolation, a
mis-behaved VM only consumes the conntrack entries in its own zone, and
it will not influence other well-behaved VMs.  Moreover, the users can
set various conntrack limit to different zone based on their preference.

The proposed implementation utilizes Netfilter's nf_conncount backend
to count the number of connections in a particular zone.  If the number of
connection is above a configured limitation, ovs will return ENOMEM to the
userspace.  If userspace does not configure the zone limit, the limit
defaults to zero that is no limitation, which is backward compatible to
the behavior without this patch.

The following high-level APIs are provided to userspace:
  - OVS_CT_LIMIT_CMD_SET:
* set default connection limit for all zones
* set the connection limit for a particular zone
  - OVS_CT_LIMIT_CMD_DEL:
* remove the connection limit for a particular zone
  - OVS_CT_LIMIT_CMD_GET:
* get the default connection limit for all zones
* get the connection limit for a particular zone

Signed-off-by: Yi-Hung Wei 
Acked-by: Pravin B Shelar 
Signed-off-by: David S. Miller 

Signed-off-by: Yi-Hung Wei 
---
 NEWS |   1 +
 datapath/compat.h|   8 +
 datapath/conntrack.c | 551 ++-
 datapath/conntrack.h |   9 +-
 datapath/datapath.c  |   7 +-
 datapath/datapath.h  |   3 +
 6 files changed, 574 insertions(+), 5 deletions(-)

diff --git a/NEWS b/NEWS
index 27ef12d599d9..8270ef46ea34 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,7 @@ v2.10.0 - xx xxx 
- Linux datapath
  * Add support for compiling OVS with the latest Linux 4.14 kernel.
  * Added support for meters.
+ * Add support for conntrack zone limit.
- ovn:
  * Implemented icmp4/icmp6/tcp_reset actions in order to drop the packet
and reply with a RST for TCP or ICMPv4/ICMPv6 unreachable message for
diff --git a/datapath/compat.h b/datapath/compat.h
index 816f754c64e2..98b68640a372 100644
--- a/datapath/compat.h
+++ b/datapath/compat.h
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 
 /* Even though vanilla 3.10 kernel has grp->id, RHEL 7 kernel is missing
  * this field. */
@@ -59,8 +60,14 @@ static inline int __init compat_init(void)
if (err)
goto error_frag6_exit;
 
+   err = rpl_nf_conncount_modinit();
+   if (err)
+   goto error_nf_conncount_exit;
+
return 0;
 
+error_nf_conncount_exit:
+   rpl_nf_conncount_modexit();
 error_frag6_exit:
nf_ct_frag6_cleanup();
 error_ipfrag_exit:
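Review bot: The new failure path for rpl_nf_conncount_modinit() jumps to error_nf_conncount_exit, which calls rpl_nf_conncount_modexit() for the step that just failed and then falls through to nf_ct_frag6_cleanup(). The step that precedes it, the one that jumps to error_frag6_exit and is presumably the ip6_output setup that compat_exit() undoes with ip6_output_exit(), is therefore never unwound. Unless modexit is known to be safe after a failed modinit, the label should undo the previous step instead: `goto error_ip6_output_exit;` with `error_ip6_output_exit:` followed by `ip6_output_exit();`. compat_init() starts outside the hunk, so the preceding init call is not visible here and should be checked.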
@@ -69,6 +76,7 @@ error_ipfrag_exit:
 }
 static inline void compat_exit(void)
 {
+   rpl_nf_conncount_modexit();
ip6_output_exit();
nf_ct_frag6_cleanup();
rpl_ipfrag_fini();
diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index 42c7929055f0..c6e731bf5978 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -21,8 +21,11 @@
 #include 
 #include 
 #include 
+#include 
 #include 
+#include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -87,6 +90,31 @@ struct ovs_conntrack_info {
 #endif
 };
 
+#ifIS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
+#define OVS_CT_LIMIT_UNLIMITED 0
+#define OVS_CT_LIMIT_DEFAULT OVS_CT_LIMIT_UNLIMITED
+#define CT_LIMIT_HASH_BUCKETS 512
+static DEFINE_STATIC_KEY_FALSE(ovs_ct_limit_enabled);
+
+struct ovs_ct_limit {
+   /* Elements in ovs_ct_limit_info->limits hash table */
+   struct hlist_node hlist_node;
+   struct rcu_head rcu;
+   u16 zone;
+   u32 limit;
+};
+
+struct ovs_ct_limit_info {
+   u32 default_limit;
+   struct hlist_head *limits;
+   struct nf_conncount_data *dat

[ovs-dev] [PATCH 04/11] datapath: Add conntrack limit netlink definition

2018-08-01 Thread Yi-Hung Wei
Upstream commit:
commit 5972be6b2495c6bffbf97517fd1c070eef78
Author: Yi-Hung Wei 
Date:   Thu May 24 17:56:42 2018 -0700

openvswitch: Add conntrack limit netlink definition

Define netlink messages and attributes to support user kernel
communication that uses the conntrack limit feature.

Signed-off-by: Yi-Hung Wei 
Acked-by: Pravin B Shelar 
Signed-off-by: David S. Miller 

Signed-off-by: Yi-Hung Wei 
---
 datapath/linux/compat/include/linux/openvswitch.h | 28 +++
 1 file changed, 28 insertions(+)

diff --git a/datapath/linux/compat/include/linux/openvswitch.h 
b/datapath/linux/compat/include/linux/openvswitch.h
index 8e5f3b6fbfb1..aaeb0341ab51 100644
--- a/datapath/linux/compat/include/linux/openvswitch.h
+++ b/datapath/linux/compat/include/linux/openvswitch.h
@@ -1004,4 +1004,32 @@ enum ovs_meter_band_type {
 
 #define OVS_METER_BAND_TYPE_MAX (__OVS_METER_BAND_TYPE_MAX - 1)
 
+/* Conntrack limit */
+#define OVS_CT_LIMIT_FAMILY  "ovs_ct_limit"
+#define OVS_CT_LIMIT_MCGROUP "ovs_ct_limit"
+#define OVS_CT_LIMIT_VERSION 0x1
+
+enum ovs_ct_limit_cmd {
+   OVS_CT_LIMIT_CMD_UNSPEC,
+   OVS_CT_LIMIT_CMD_SET,   /* Add or modify ct limit. */
+   OVS_CT_LIMIT_CMD_DEL,   /* Delete ct limit. */
+   OVS_CT_LIMIT_CMD_GET/* Get ct limit. */
+};
+
+enum ovs_ct_limit_attr {
+   OVS_CT_LIMIT_ATTR_UNSPEC,
+   OVS_CT_LIMIT_ATTR_ZONE_LIMIT,   /* Nested struct ovs_zone_limit. */
+   __OVS_CT_LIMIT_ATTR_MAX
+};
+
+#define OVS_CT_LIMIT_ATTR_MAX (__OVS_CT_LIMIT_ATTR_MAX - 1)
+
+#define OVS_ZONE_LIMIT_DEFAULT_ZONE -1
+
+struct ovs_zone_limit {
+   int zone_id;
+   __u32 limit;
+   __u32 count;
+};
+
 #endif /* _LINUX_OPENVSWITCH_H */
-- 
2.7.4



[ovs-dev] [PATCH 03/11] datapath: compat: Introduce static key support

2018-08-01 Thread Yi-Hung Wei
This is a feature that is needed for a follow up patch
in ovs kernel datapath.

Signed-off-by: Yi-Hung Wei 
---
 acinclude.m4 |  3 +
 datapath/linux/Modules.mk|  1 +
 datapath/linux/compat/include/linux/static_key.h | 70 
 3 files changed, 74 insertions(+)
 create mode 100644 datapath/linux/compat/include/linux/static_key.h

diff --git a/acinclude.m4 b/acinclude.m4
index 96fcad55a7cb..341edbbd70f1 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -467,6 +467,9 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/linux/err.h], [IS_ERR_OR_NULL])
   OVS_GREP_IFELSE([$KSRC/include/linux/err.h], [PTR_ERR_OR_ZERO])
 
+  OVS_GREP_IFELSE([$KSRC/include/linux/jump_label.h], 
[DEFINE_STATIC_KEY_FALSE],
+  [OVS_DEFINE([HAVE_UPSTREAM_STATIC_KEY])])
+
   OVS_GREP_IFELSE([$KSRC/include/linux/etherdevice.h], [eth_hw_addr_random])
   OVS_GREP_IFELSE([$KSRC/include/linux/etherdevice.h], [ether_addr_copy])
 
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index f5c3b6580ad7..2fec6500e7c8 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -63,6 +63,7 @@ openvswitch_headers += \
linux/compat/include/linux/reciprocal_div.h \
linux/compat/include/linux/rtnetlink.h \
linux/compat/include/linux/skbuff.h \
+   linux/compat/include/linux/static_key.h \
linux/compat/include/linux/stddef.h \
linux/compat/include/linux/types.h \
linux/compat/include/linux/u64_stats_sync.h \
diff --git a/datapath/linux/compat/include/linux/static_key.h 
b/datapath/linux/compat/include/linux/static_key.h
new file mode 100644
index ..ea59e3e285a1
--- /dev/null
+++ b/datapath/linux/compat/include/linux/static_key.h
@@ -0,0 +1,70 @@
+#ifndef _STATIC_KEY_WRAPPER_H
+#define _STATIC_KEY_WRAPPER_H
+
+#include_next 
+#ifndef HAVE_UPSTREAM_STATIC_KEY
+/*
+ * This backport is based on upstream net-next commit 11276d5306b8
+ * ("locking/static_keys: Add a new static_key interface").
+ *
+ * For kernel that does not support the new static key interface,
+ * we do not backport the jump label support but the fall back version
+ * of static key that is simply a conditional branch.
+ */
+
+struct static_key_true {
+   struct static_key key;
+};
+
+struct static_key_false {
+   struct static_key key;
+};
+
+#define rpl_STATIC_KEY_INIT_TRUE   { .enabled = ATOMIC_INIT(1) }
+#define rpl_STATIC_KEY_INIT_FALSE  { .enabled = ATOMIC_INIT(0) }
+
+#define STATIC_KEY_TRUE_INIT   \
+   (struct static_key_true) { .key = rpl_STATIC_KEY_INIT_TRUE,  }
+#define STATIC_KEY_FALSE_INIT  \
+   (struct static_key_false){ .key = rpl_STATIC_KEY_INIT_FALSE, }
+
+#define DEFINE_STATIC_KEY_TRUE(name)   \
+   struct static_key_true name = STATIC_KEY_TRUE_INIT
+
+#define DEFINE_STATIC_KEY_FALSE(name)  \
+   struct static_key_false name = STATIC_KEY_FALSE_INIT
+
+static inline int rpl_static_key_count(struct static_key *key)
+{
+   return atomic_read(&key->enabled);
+}
+
+static inline void rpl_static_key_enable(struct static_key *key)
+{
+   int count = rpl_static_key_count(key);
+
+   WARN_ON_ONCE(count < 0 || count > 1);
+
+   if (!count)
+   static_key_slow_inc(key);
+}
+
+static inline void rpl_static_key_disable(struct static_key *key)
+{
+   int count = rpl_static_key_count(key);
+
+   WARN_ON_ONCE(count < 0 || count > 1);
+
+   if (count)
+   static_key_slow_dec(key);
+}
+
+#define static_branch_likely(x)
likely(static_key_enabled(&(x)->key))
+#define static_branch_unlikely(x)  unlikely(static_key_enabled(&(x)->key))
+
+#define static_branch_enable(x)rpl_static_key_enable(&(x)->key)
+#define static_branch_disable(x)   rpl_static_key_disable(&(x)->key)
+
+#endif /* HAVE_UPSTREAM_STATIC_KEY */
+
+#endif /* _STATIC_KEY_WRAPPER_H */
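Review bot: `rpl_static_key_enable()` and `rpl_static_key_disable()` read the count and then call `static_key_slow_inc()`/`static_key_slow_dec()` as two separate steps, so two unserialised callers can both see 0 and both increment. The count then sits at 2, and a later `static_branch_disable()` only drops it to 1, leaving the branch on after a `WARN_ON_ONCE`. Nothing in the header says callers must serialise; I would add above the two helpers `/* Not atomic as a pair: callers must serialise enable/disable, e.g. under the lock guarding the state this key reflects. */`. Which lock the follow-up patch holds at its call sites is not visible here, so that needs confirming there.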
-- 
2.7.4



[ovs-dev] [PATCH 02/11] datapath: compat: Backports nf_conncount

2018-08-01 Thread Yi-Hung Wei
This patch backports the nf_conncount backend that counts the number
of connections matching an arbitrary key.  The following patch will
use the feature to support connection tracking zone limit in ovs
kernel datapath.

This backport is based on an upstream net-next commit 5c789e131cbb
("netfilter: nf_conncount: Add list lock and gc worker, and RCU for
init tree search") that applies a couple of techniques to optimize
nf_conncount performance.

Upstream nf_conncount exports a couple of functions, while this patch
exports only the ones that the ovs kernel module needs.

Signed-off-by: Yi-Hung Wei 
---
 acinclude.m4   |   2 +
 datapath/linux/Modules.mk  |   2 +
 .../include/net/netfilter/nf_conntrack_count.h |  61 ++
 datapath/linux/compat/nf_conncount.c   | 637 +
 4 files changed, 702 insertions(+)
 create mode 100644 
datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
 create mode 100644 datapath/linux/compat/nf_conncount.c

diff --git a/acinclude.m4 b/acinclude.m4
index 731bc07be8fa..96fcad55a7cb 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -625,6 +625,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], 
[nf_nat_alloc_null_binding])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_range2])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], 
[nf_ct_seq_adjust])
+  OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_count.h], 
[nf_conncount_gc_list],
+  [OVS_DEFINE([HAVE_UPSTREAM_NF_CONNCOUNT])])
 
   OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32])
   OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32_max])
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index 04ea5b756b6c..f5c3b6580ad7 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -17,6 +17,7 @@ openvswitch_sources += \
linux/compat/ip6_tunnel.c \
linux/compat/lisp.c \
linux/compat/netdevice.c \
+   linux/compat/nf_conncount.c \
linux/compat/nf_conntrack_core.c \
linux/compat/nf_conntrack_proto.c \
linux/compat/nf_conntrack_reasm.c \
@@ -100,6 +101,7 @@ openvswitch_headers += \
linux/compat/include/net/vxlan.h \
linux/compat/include/net/netfilter/nf_conntrack.h \
linux/compat/include/net/netfilter/nf_conntrack_core.h \
+   linux/compat/include/net/netfilter/nf_conntrack_count.h \
linux/compat/include/net/netfilter/nf_conntrack_expect.h \
linux/compat/include/net/netfilter/nf_conntrack_helper.h \
linux/compat/include/net/netfilter/nf_conntrack_labels.h \
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h 
b/datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
new file mode 100644
index ..fd536f3e1854
--- /dev/null
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
@@ -0,0 +1,61 @@
+#ifndef _NF_CONNTRACK_COUNT_WRAPPER_H
+#define _NF_CONNTRACK_COUNT_WRAPPER_H
+
+#include 
+
+#ifdef HAVE_UPSTREAM_NF_CONNCOUNT
+#include_next 
+
+static inline int rpl_nf_conncount_modinit(void)
+{
+return 0;
+}
+
+static inline void rpl_nf_conncount_modexit(void)
+{
+}
+
+#else
+#include 
+#include 
+#define CONFIG_NETFILTER_CONNCOUNT 1
+struct nf_conncount_data;
+
+enum nf_conncount_list_add {
+   NF_CONNCOUNT_ADDED, /* list add was ok */
+   NF_CONNCOUNT_ERR,   /* -ENOMEM, must drop skb */
+   NF_CONNCOUNT_SKIP,  /* list is already reclaimed by gc */
+};
+
+struct nf_conncount_list {
+   spinlock_t list_lock;
+   struct list_head head;  /* connections with the same filtering key */
+   unsigned int count; /* length of list */
+   bool dead;
+};
+
+struct nf_conncount_data
+*rpl_nf_conncount_init(struct net *net, unsigned int family,
+  unsigned int keylen);
+
+void rpl_nf_conncount_destroy(struct net *net, unsigned int family,
+ struct nf_conncount_data *data);
+
+unsigned int rpl_nf_conncount_count(struct net *net,
+   struct nf_conncount_data *data,
+   const u32 *key,
+   const struct nf_conntrack_tuple *tuple,
+   const struct nf_conntrack_zone *zone);
+
+#define nf_conncount_init rpl_nf_conncount_init
+#define nf_conncount_destroy rpl_nf_conncount_destroy
+#define nf_conncount_count rpl_nf_conncount_count
+
+int rpl_nf_conncount_modinit(void);
+void rpl_nf_conncount_modexit(void);
+#endif /* HAVE_UPSTREAM_NF_CONNCOUNT */
+
+#define nf_conncount_mod_init rpl_nf_conncount_modinit
+#define nf_conncount_modexit rpl_nf_conncount_modexit
+
+#endif /* _NF_CONNTRACK_COUNT_WRAPPER_H */
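Review bot: The declaration of `rpl_nf_conncount_count()` returns `unsigned int` and carries no comment on how a failed lookup is reported, although `NF_CONNCOUNT_ERR` in the same header is annotated `-ENOMEM, must drop skb`. Upstream callers treat a return of 0 as an allocation failure and drop the packet; if this backport keeps that convention (nf_conncount.c is cut off on this page), a caller that only tests `count > limit` would let connections through under memory pressure. I would state the contract at the declaration, for example `/* Returns the number of connections matching 'key'; 0 means the lookup failed and the caller must drop. */`, after confirming it against the implementation. Separately, `nf_conncount_mod_init` and `nf_conncount_modexit` at the end of the file are spelled inconsistently; `nf_conncount_modinit` would match the `rpl_` names.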
diff --git a/datapath/linux/compat/nf_conncount.c 
b/datapath/linux/compat/nf_conncount.c
new file mode 100644
inde

[ovs-dev] [PATCH 01/11] compat: Backport nf_ct_netns_{get,put}()

2018-08-01 Thread Yi-Hung Wei
This patch backports nf_ct_netns_get/put() in order to support a feature
in the follow up patch.

nf_ct_netns_{get,put} were first introduced in upstream net-next commit
ecb2421b5ddf ("netfilter: add and use nf_ct_netns_get/put") in kernel
v4.10, and then updated in commmit 7e35ec0e8044 ("netfilter: conntrack:
move nf_ct_netns_{get,put}() to core") in kernel v4.15.  We need to
invoke nf_ct_netns_get/put() when the underlying nf_conntrack_l3proto
supports net_ns_{get,put}().

Therefore, there are 3 cases that we need to consider.
1) Before nf_ct_netns_{get,put}() is introduced.
We just mock nf_ct_netns_{get,put}() and do nothing.

2) After 1) and before v4.15
Backports based on commit 7e35ec0e8044 .

3) Starting from v4.15
Use the upstream version.

Signed-off-by: Yi-Hung Wei 
---
 acinclude.m4   |   4 +
 datapath/linux/Modules.mk  |   4 +-
 .../compat/include/net/netfilter/nf_conntrack.h|   8 ++
 .../linux/compat/include/uapi/linux/netfilter.h|  14 +++
 datapath/linux/compat/nf_conntrack_proto.c | 112 +
 5 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
 create mode 100644 datapath/linux/compat/nf_conntrack_proto.c

diff --git a/acinclude.m4 b/acinclude.m4
index ad6b5b5e067e..731bc07be8fa 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -588,6 +588,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   [OVS_DEFINE([HAVE_NF_HOOKFN_ARG_PRIV])])
   OVS_FIND_FIELD_IFELSE([$KSRC/include/linux/netfilter.h], [nf_hook_ops],
 [owner], [OVS_DEFINE([HAVE_NF_HOOKS_OPS_OWNER])])
+  OVS_GREP_IFELSE([$KSRC/include/linux/netfilter.h], [NFPROTO_INET])
+
 
   OVS_FIND_FIELD_IFELSE([$KSRC/include/linux/netfilter_ipv6.h], [nf_ipv6_ops],
 [fragment.*sock], 
[OVS_DEFINE([HAVE_NF_IPV6_OPS_FRAGMENT])])
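Review bot: The added `OVS_GREP_IFELSE([$KSRC/include/linux/netfilter.h], [NFPROTO_INET])` greps a different header from the one the new wrapper covers: the compat file added later in this patch is `include/uapi/linux/netfilter.h`, which is where I would expect the `NFPROTO_*` values to be declared. If the symbol is not mentioned in `include/linux/netfilter.h`, `HAVE_NFPROTO_INET` is never defined and the wrapper's `#define NFPROTO_INET 1` in the uapi/linux/netfilter.h hunk is applied on every kernel, including those that already provide the value. I would point the check at `[$KSRC/include/uapi/linux/netfilter.h]` and confirm the result on a v3.10 tree and a current one. The hunk also leaves two consecutive blank lines after the new check.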
@@ -610,6 +612,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   [nf_ct_is_untracked])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_zones.h],
   [nf_ct_zone_init])
+  OVS_FIND_FIELD_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_l3proto.h],
+[net_ns_get])
   OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_labels.h],
   [nf_connlabels_get])
   OVS_FIND_PARAM_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_labels.h],
diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
index 104c32fa16ea..04ea5b756b6c 100644
--- a/datapath/linux/Modules.mk
+++ b/datapath/linux/Modules.mk
@@ -18,6 +18,7 @@ openvswitch_sources += \
linux/compat/lisp.c \
linux/compat/netdevice.c \
linux/compat/nf_conntrack_core.c \
+   linux/compat/nf_conntrack_proto.c \
linux/compat/nf_conntrack_reasm.c \
linux/compat/reciprocal_div.c \
linux/compat/skbuff-openvswitch.c \
@@ -107,5 +108,6 @@ openvswitch_headers += \
linux/compat/include/net/netfilter/nf_nat.h \
linux/compat/include/net/netfilter/ipv6/nf_defrag_ipv6.h \
linux/compat/include/net/sctp/checksum.h \
-   linux/compat/include/net/erspan.h
+   linux/compat/include/net/erspan.h \
+   linux/compat/include/uapi/linux/netfilter.h
 EXTRA_DIST += linux/compat/build-aux/export-check-whitelist
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack.h 
b/datapath/linux/compat/include/net/netfilter/nf_conntrack.h
index bb40b0f6da2a..50db914a39a1 100644
--- a/datapath/linux/compat/include/net/netfilter/nf_conntrack.h
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack.h
@@ -22,4 +22,12 @@ nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum 
ip_conntrack_info info)
skb->nfctinfo = info;
 }
 #endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,15,0)
+int rpl_nf_ct_netns_get(struct net *net, u8 nfproto);
+void rpl_nf_ct_netns_put(struct net *net, u8 nfproto);
+#define nf_ct_netns_get rpl_nf_ct_netns_get
+#define nf_ct_netns_put rpl_nf_ct_netns_put
+#endif
+
 #endif /* _NF_CONNTRACK_WRAPPER_H */
diff --git a/datapath/linux/compat/include/uapi/linux/netfilter.h 
b/datapath/linux/compat/include/uapi/linux/netfilter.h
new file mode 100644
index ..56895b17b334
--- /dev/null
+++ b/datapath/linux/compat/include/uapi/linux/netfilter.h
@@ -0,0 +1,14 @@
+#ifndef _NETFILTER_WRAPPER_H
+#define _NETFILTER_WRAPPER_H
+
+#include_next 
+
+/*
+ * NFPROTO_INET was introduced in net-next commit 1d49144c0aaa
+ * ("netfilter: nf_tables: add "inet" table for IPv4/IPv6") in v3.14.
+ * Define this symbol to support back to v3.10 kernel. */
+#ifndef HAVE_NFPROTO_INET
+#define NFPROTO_INET 1
+#endif
+
+#endif /* _NETFILTER_WRAPPER_H */
diff --git a/datapath/linux/compat/nf_conntrack_proto.c 
b/datapath/linux/compat/nf_conntrack_proto.c
new file mode 100644
index ..e877d763892d
--- /dev/null
+++ b/datapath/linux/compat/nf_conntrack_proto.c
@@ -0,0 +1,112 @@
+#include 
+
+#inc

[ovs-dev] [PATCH 00/11] conntrack zone limitation

2018-08-01 Thread Yi-Hung Wei
This patch series implements connection tracking zone limitation to
limit the maximum number of conntrack entries in the conntrack table
for every zone.  This feature aims to resolve the problem that if one
of the VMs/containers is under attack and abuses the conntrack
entries, it may block the others from committing valid conntrack
entries into the conntrack table.

To address this issue, this patch series proposes to have a
fine-grained mechanism that could limit the # of conntrack entries
per-zone.  For example, we can designate different zone to different VM,
and set conntrack limit to each zone.  By providing this isolation, a
mis-behaved VM only consumes the conntrack entries in its own zone, and
it will not influence other well-behaved VMs.  Moreover, the users can
set various conntrack limit to different zone based on their preference.

This patch series consist of dpif layer support, kernel backports to
support this features in dpif-netlinkt, dpif-netlink implementation,
dpctl commands, and a system traffic test to verify this feature.


Yi-Hung Wei (11):
  compat: Backport nf_ct_netns_{get,put}()
  datapath: compat: Backports nf_conncount
  datapath: compat: Introduce static key support
  datapath: Add conntrack limit netlink definition
  datapath: conntrack: Support conntrack zone limit
  dpif: Support conntrack zone limit.
  ct-dpif: Helper functions for conntrack zone limit
  dpif-netlink: Implement conntrack zone limiit
  dpctl: Refactor opt_dpif_open().
  dpctl: Implement dpctl commands for conntrack per zone limit
  system-traffic: Add conntrack per zoen limit test case

 NEWS   |   3 +
 acinclude.m4   |   9 +
 datapath/compat.h  |   8 +
 datapath/conntrack.c   | 551 +-
 datapath/conntrack.h   |   9 +-
 datapath/datapath.c|   7 +-
 datapath/datapath.h|   3 +
 datapath/linux/Modules.mk  |   7 +-
 datapath/linux/compat/include/linux/openvswitch.h  |  28 +
 datapath/linux/compat/include/linux/static_key.h   |  70 +++
 .../compat/include/net/netfilter/nf_conntrack.h|   8 +
 .../include/net/netfilter/nf_conntrack_count.h |  61 ++
 .../linux/compat/include/uapi/linux/netfilter.h|  14 +
 datapath/linux/compat/nf_conncount.c   | 637 +
 datapath/linux/compat/nf_conntrack_proto.c | 112 
 lib/ct-dpif.c  | 129 +
 lib/ct-dpif.h  |  20 +
 lib/dpctl.c| 252 ++--
 lib/dpctl.man  |  18 +
 lib/dpif-netdev.c  |   3 +
 lib/dpif-netlink.c | 198 +++
 lib/dpif-provider.h|  26 +
 tests/system-traffic.at|  75 +++
 23 files changed, 2201 insertions(+), 47 deletions(-)
 create mode 100644 datapath/linux/compat/include/linux/static_key.h
 create mode 100644 
datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
 create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
 create mode 100644 datapath/linux/compat/nf_conncount.c
 create mode 100644 datapath/linux/compat/nf_conntrack_proto.c

-- 
2.7.4



Re: [ovs-dev] [PATCH v5] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread Yi-Hung Wei
On Wed, Aug 1, 2018 at 2:26 PM, Martin Xu  wrote:
> This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
> build against multiple kernels, rhel6) to support building kmod RPMs
> with multiple minor revisions within 3.10.0-327 kernels. It was
> discovered for RHEL 7.2 that 41.3 minor revision introduced backward
> incompatible changes.
>
> Also fixes a scenario not working for RHEL7.3 in commit 89dd5819cf18.
> When multiple versions passed into the kversion for the spec file, the
> variable is used as is for the kernel module paths for command
> weak-modules --add-modules. Then the modules cannot be found.
>
> Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
> multiple kernels, rhel6)
>
> VMware-BZ: #2170334
>
> Signed-off-by: Martin Xu 
> CC: Greg Rose 
> CC: Ben Pfaff 
> CC: Flavio Leitner 
> CC: Yi-Hung Wei 
> ---
> v1->v2: added author sign-off signature
> v2->v3: instead of using hard coded versions for openvswitch kernel modules,
> retrieve the information from kmod package
> v3->v4: sent wrong v3 patch, some echo's for debugging not removed
> v4->v5: fix one line that exceeded 79 chars

Thanks for the patch. I think it is much more robust than the previous
version.  I also did some tests on RHEL 7.2 and it works great.

One minor comment is that we generally separate bug fix and new
feature into two patches. It usually makes the commit to be more
clear.

Acked-by: Yi-Hung Wei 


Re: [ovs-dev] [ovs-dev, v4] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread 0-day Robot
Bleep bloop.  Greetings Martin Xu, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


checkpatch:
WARNING: Line is 80 characters long (recommended limit is 79)
#136 FILE: rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh:72:
   sed -n -e 's/^\/lib\/modules\/\(.*\)\/extra\/.*$/\1/p' | sort | uniq)

Lines checked: 182, Warnings: 1, Errors: 0


Please check this out.  If you feel there has been an error, please email 
acon...@bytheb.org

Thanks,
0-day Robot


Re: [ovs-dev] [PATCH] utilities: don't use a bashism to check that datapath exists

2018-08-01 Thread Martin Xu
Thanks for fixing this.

Martin

On Wed, Aug 1, 2018 at 8:48 AM, Timothy Redaelli 
wrote:

> [[ ]] syntax is not supported, at least, by dash that Debian, Ubuntu and
> other
> linux distributions may use instead of bash.
>
> This commit uses, instead, a POSIX way that is compatible with any POSIX
> shell (bash, dash, busybox sh, etc).
>
> CC: Martin Xu 
> Fixes: 9763d17fbd05 ("utilities: check datapath exists before conntrack
> flush")
>
> Signed-off-by: Timothy Redaelli 
> ---
>  utilities/ovs-lib.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
> index d6ef77b6e..c3b76ec94 100644
> --- a/utilities/ovs-lib.in
> +++ b/utilities/ovs-lib.in
> @@ -605,7 +605,7 @@ force_reload_kmod () {
>  stop_ovsdb
>  start_ovsdb || return 1
>
> -if [[ $(ovs-dpctl show) ]]; then
> +if [ -n "$(ovs-dpctl show)" ]; then
>  action "Flush old conntrack entries" ovs-appctl
> dpctl/flush-conntrack
>  fi
>  stop_forwarding
> --
> 2.17.1
>
>


[ovs-dev] [PATCH v5] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread Martin Xu
This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
build against multiple kernels, rhel6) to support building kmod RPMs
with multiple minor revisions within 3.10.0-327 kernels. It was
discovered for RHEL 7.2 that 41.3 minor revision introduced backward
incompatible changes.

Also fixes a scenario not working for RHEL7.3 in commit 89dd5819cf18.
When multiple versions passed into the kversion for the spec file, the
variable is used as is for the kernel module paths for command
weak-modules --add-modules. Then the modules cannot be found.

Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
multiple kernels, rhel6)

VMware-BZ: #2170334

Signed-off-by: Martin Xu 
CC: Greg Rose 
CC: Ben Pfaff 
CC: Flavio Leitner 
CC: Yi-Hung Wei 
---
v1->v2: added author sign-off signature
v2->v3: instead of using hard coded versions for openvswitch kernel modules,
retrieve the information from kmod package
v3->v4: sent wrong v3 patch, some echo's for debugging not removed
v4->v5: fix one line that exceeded 79 chars

 rhel/kmod-openvswitch-rhel6.spec.in| 13 ++---
 ...sr_share_openvswitch_scripts_ovs-kmod-manage.sh | 68 +++---
 2 files changed, 65 insertions(+), 16 deletions(-)

diff --git a/rhel/kmod-openvswitch-rhel6.spec.in 
b/rhel/kmod-openvswitch-rhel6.spec.in
index f18802d..afbad96 100644
--- a/rhel/kmod-openvswitch-rhel6.spec.in
+++ b/rhel/kmod-openvswitch-rhel6.spec.in
@@ -31,7 +31,8 @@ BuildRoot:  %(mktemp -ud 
%{_tmppath}/%{name}-%{version}-%{release}-XX)
 # for specified kernel version.
 # Use -D 'kversion 3.10.0-693.1.1.el7.x86_64 3.10.0-693.17.1.el7.x86_64'
 # to build package for mulitple kernel versions in the same package
-# This only works for kernel 3.10.0 major revision 693
+# This only works for kernel 3.10.0 major revision 693 (RHEL 7.4)
+# and major revision 327 (RHEL 7.2)
 # By default, build against the latest installed kernel-devel
 %{!?kversion:%global kversion %(rpm -qa | egrep "^kernel(-rt|-aarch64)?-devel" 
| /usr/lib/rpm/redhat/rpmsort -r | head -n 1| sed "s/^kernel.*-devel-//")}
 
@@ -86,8 +87,8 @@ install -p -m 0755 
rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh \
 current_kernel=$(uname -r)
 IFS=. read installed_major installed_minor installed_micro installed_arch \
 installed_build <<<"${current_kernel##*-}"
-if [ "$installed_major" = "693" ]; then
-# Workaround for RHEL 7.4
+if [ "$installed_major" = "327" ] || [ "$installed_major" = "693" ]; then
+# Workaround for RHEL 7.2 and 7.4
 if [ -x "/usr/share/%{oname}/scripts/ovs-kmod-manage.sh" ]; then
 /usr/share/%{oname}/scripts/ovs-kmod-manage.sh
 fi
@@ -97,10 +98,8 @@ else
 [ -d "/lib/modules/$k/kernel/" ] && depmod -a "$k"
 done
 if [ -x "/sbin/weak-modules" ]; then
-for m in openvswitch vport-gre vport-stt vport-geneve \
- vport-lisp vport-vxlan; do
-echo "/lib/modules/%{kversion}/extra/%{oname}/$m.ko"
-done | /sbin/weak-modules --add-modules
+rpm -ql kmod-%{oname} | grep '\.ko$' | \
+/sbin/weak-modules --add-modules
 fi
 fi
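Review bot: In the fallback branch, `rpm -ql kmod-%{oname}` queries by package name, so during an upgrade it may list the files of both the outgoing and the incoming package if both are still registered when the scriptlet runs; paths that are about to be removed would then be handed to `/sbin/weak-modules --add-modules`. I have not verified the scriptlet ordering for this package, so treat that as something to test with an upgrade rather than only a fresh install. Querying the exact build, `rpm -ql kmod-%{oname}-%{version}-%{release}` (assuming the kmod package carries the spec's version and release), would keep the list to the modules this package ships. The same hunk appears unchanged in the v4 and v3 postings further down the page, and the `if`/`else` it belongs to starts outside the hunk.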
 
diff --git a/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh 
b/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
index a6c738f..6beabeb 100644
--- a/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
+++ b/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
@@ -14,23 +14,39 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This version of the script is intended to be used on kernel version
-# 3.10.0 major revision 693 only. It is packaged in the openvswitch kmod RPM
-# built using the rhel6 spec file, and run in the post-install for minor 
-# revision 693 kernels.
+# This version of the script is intended to be used on kernel version 3.10.0
+# major revision 327 and 693 only. It is packaged in the openvswitch kmod RPM
+# built using the rhel6 spec file, and run in the post-install for major
+# revision 327/693 kernels.
 #
-# Due to some backward incompatible changes introduced in minor revision 17.1,
+# For kernel 3.10.0-693,
+# due to some backward incompatible changes introduced in minor revision 17.1,
 # kernel modules built against kernels newer than 17.1 cannot be loaded on
 # system running kernels older than 17.1, vice versa.
 #
+# For kernel 3.10.0-327,
+# due to some backward incompatible changes introduced in minor revision 41.3,
+# kernel modules built against kernels newer than 41.3 cannot be loaded on
+# system running kernels older than 41.3, vice versa.
+#
 # This script checks the current running kernel version, and update symlinks
 # for the openvswitch kernel modules in the appropriate kernel directory,
 # provided the kmod RPM has installed kernel modules files built from both
-# 1.1 and 17.1 minor revisions.
+# minor revisions.
 # 
 # In case of a kernel minor revision change after the openvswitch kmod package
 # is installed,

Re: [ovs-dev] [ovs-dev, v3] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread 0-day Robot
Bleep bloop.  Greetings Martin Xu, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


checkpatch:
WARNING: Line is 80 characters long (recommended limit is 79)
#136 FILE: rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh:72:
   sed -n -e 's/^\/lib\/modules\/\(.*\)\/extra\/.*$/\1/p' | sort | uniq)

Lines checked: 182, Warnings: 1, Errors: 0


Please check this out.  If you feel there has been an error, please email 
acon...@bytheb.org

Thanks,
0-day Robot


[ovs-dev] [PATCH v4] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread Martin Xu
This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
build against multiple kernels, rhel6) to support building kmod RPMs
with multiple minor revisions within 3.10.0-327 kernels. It was
discovered for RHEL 7.2 that 41.3 minor revision introduced backward
incompatible changes.

Also fixes a scenario not working for RHEL7.3 in commit 89dd5819cf18.
When multiple versions passed into the kversion for the spec file, the
variable is used as is for the kernel module paths for command
weak-modules --add-modules. Then the modules cannot be found.

Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
multiple kernels, rhel6)

VMware-BZ: #2170334

Signed-off-by: Martin Xu 
CC: Greg Rose 
CC: Ben Pfaff 
CC: Flavio Leitner 
CC: Yi-Hung Wei 
---
v1->v2: added author sign-off signature
v2->v3: instead of using hard coded versions for openvswitch kernel modules,
retrieve the information from kmod package
v3->v4: sent wrong v3 patch, some echo's for debugging not removed

 rhel/kmod-openvswitch-rhel6.spec.in| 13 ++---
 ...sr_share_openvswitch_scripts_ovs-kmod-manage.sh | 67 +++---
 2 files changed, 64 insertions(+), 16 deletions(-)

diff --git a/rhel/kmod-openvswitch-rhel6.spec.in 
b/rhel/kmod-openvswitch-rhel6.spec.in
index f18802d..afbad96 100644
--- a/rhel/kmod-openvswitch-rhel6.spec.in
+++ b/rhel/kmod-openvswitch-rhel6.spec.in
@@ -31,7 +31,8 @@ BuildRoot:  %(mktemp -ud 
%{_tmppath}/%{name}-%{version}-%{release}-XX)
 # for specified kernel version.
 # Use -D 'kversion 3.10.0-693.1.1.el7.x86_64 3.10.0-693.17.1.el7.x86_64'
 # to build package for mulitple kernel versions in the same package
-# This only works for kernel 3.10.0 major revision 693
+# This only works for kernel 3.10.0 major revision 693 (RHEL 7.4)
+# and major revision 327 (RHEL 7.2)
 # By default, build against the latest installed kernel-devel
 %{!?kversion:%global kversion %(rpm -qa | egrep "^kernel(-rt|-aarch64)?-devel" 
| /usr/lib/rpm/redhat/rpmsort -r | head -n 1| sed "s/^kernel.*-devel-//")}
 
@@ -86,8 +87,8 @@ install -p -m 0755 
rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh \
 current_kernel=$(uname -r)
 IFS=. read installed_major installed_minor installed_micro installed_arch \
 installed_build <<<"${current_kernel##*-}"
-if [ "$installed_major" = "693" ]; then
-# Workaround for RHEL 7.4
+if [ "$installed_major" = "327" ] || [ "$installed_major" = "693" ]; then
+# Workaround for RHEL 7.2 and 7.4
 if [ -x "/usr/share/%{oname}/scripts/ovs-kmod-manage.sh" ]; then
 /usr/share/%{oname}/scripts/ovs-kmod-manage.sh
 fi
@@ -97,10 +98,8 @@ else
 [ -d "/lib/modules/$k/kernel/" ] && depmod -a "$k"
 done
 if [ -x "/sbin/weak-modules" ]; then
-for m in openvswitch vport-gre vport-stt vport-geneve \
- vport-lisp vport-vxlan; do
-echo "/lib/modules/%{kversion}/extra/%{oname}/$m.ko"
-done | /sbin/weak-modules --add-modules
+rpm -ql kmod-%{oname} | grep '\.ko$' | \
+/sbin/weak-modules --add-modules
 fi
 fi
 
diff --git a/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh 
b/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
index a6c738f..656488a 100644
--- a/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
+++ b/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
@@ -14,23 +14,39 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This version of the script is intended to be used on kernel version
-# 3.10.0 major revision 693 only. It is packaged in the openvswitch kmod RPM
-# built using the rhel6 spec file, and run in the post-install for minor 
-# revision 693 kernels.
+# This version of the script is intended to be used on kernel version 3.10.0
+# major revision 327 and 693 only. It is packaged in the openvswitch kmod RPM
+# built using the rhel6 spec file, and run in the post-install for major
+# revision 327/693 kernels.
 #
-# Due to some backward incompatible changes introduced in minor revision 17.1,
+# For kernel 3.10.0-693,
+# due to some backward incompatible changes introduced in minor revision 17.1,
 # kernel modules built against kernels newer than 17.1 cannot be loaded on
 # system running kernels older than 17.1, vice versa.
 #
+# For kernel 3.10.0-327,
+# due to some backward incompatible changes introduced in minor revision 41.3,
+# kernel modules built against kernels newer than 41.3 cannot be loaded on
+# system running kernels older than 41.3, vice versa.
+#
 # This script checks the current running kernel version, and update symlinks
 # for the openvswitch kernel modules in the appropriate kernel directory,
 # provided the kmod RPM has installed kernel modules files built from both
-# 1.1 and 17.1 minor revisions.
+# minor revisions.
 # 
 # In case of a kernel minor revision change after the openvswitch kmod package
 # is installed, this script shall be run manually after sys

[ovs-dev] [PATCH v3] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread Martin Xu
This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
build against multiple kernels, rhel6) to support building kmod RPMs
with multiple minor revisions within 3.10.0-327 kernels. It was
discovered for RHEL 7.2 that 41.3 minor revision introduced backward
incompatible changes.

Also fixes a scenario not working for RHEL7.3 in commit 89dd5819cf18.
When multiple versions passed into the kversion for the spec file, the
variable is used as is for the kernel module paths for command
weak-modules --add-modules. Then the modules cannot be found.

Fixes: 89dd5819cf18 (rhel: support kmod-openvswitch build against
multiple kernels, rhel6)

VMware-BZ: #2170334

Signed-off-by: Martin Xu 
CC: Greg Rose 
CC: Ben Pfaff 
CC: Flavio Leitner 
CC: Yi-Hung Wei 
---
 rhel/kmod-openvswitch-rhel6.spec.in| 13 ++---
 ...sr_share_openvswitch_scripts_ovs-kmod-manage.sh | 67 +++---
 2 files changed, 64 insertions(+), 16 deletions(-)

diff --git a/rhel/kmod-openvswitch-rhel6.spec.in 
b/rhel/kmod-openvswitch-rhel6.spec.in
index f18802d..afbad96 100644
--- a/rhel/kmod-openvswitch-rhel6.spec.in
+++ b/rhel/kmod-openvswitch-rhel6.spec.in
@@ -31,7 +31,8 @@ BuildRoot:  %(mktemp -ud 
%{_tmppath}/%{name}-%{version}-%{release}-XX)
 # for specified kernel version.
 # Use -D 'kversion 3.10.0-693.1.1.el7.x86_64 3.10.0-693.17.1.el7.x86_64'
 # to build package for mulitple kernel versions in the same package
-# This only works for kernel 3.10.0 major revision 693
+# This only works for kernel 3.10.0 major revision 693 (RHEL 7.4)
+# and major revision 327 (RHEL 7.2)
 # By default, build against the latest installed kernel-devel
 %{!?kversion:%global kversion %(rpm -qa | egrep "^kernel(-rt|-aarch64)?-devel" 
| /usr/lib/rpm/redhat/rpmsort -r | head -n 1| sed "s/^kernel.*-devel-//")}
 
@@ -86,8 +87,8 @@ install -p -m 0755 
rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh \
 current_kernel=$(uname -r)
 IFS=. read installed_major installed_minor installed_micro installed_arch \
 installed_build <<<"${current_kernel##*-}"
-if [ "$installed_major" = "693" ]; then
-# Workaround for RHEL 7.4
+if [ "$installed_major" = "327" ] || [ "$installed_major" = "693" ]; then
+# Workaround for RHEL 7.2 and 7.4
 if [ -x "/usr/share/%{oname}/scripts/ovs-kmod-manage.sh" ]; then
 /usr/share/%{oname}/scripts/ovs-kmod-manage.sh
 fi
@@ -97,10 +98,8 @@ else
 [ -d "/lib/modules/$k/kernel/" ] && depmod -a "$k"
 done
 if [ -x "/sbin/weak-modules" ]; then
-for m in openvswitch vport-gre vport-stt vport-geneve \
- vport-lisp vport-vxlan; do
-echo "/lib/modules/%{kversion}/extra/%{oname}/$m.ko"
-done | /sbin/weak-modules --add-modules
+rpm -ql kmod-%{oname} | grep '\.ko$' | \
+/sbin/weak-modules --add-modules
 fi
 fi
 
diff --git a/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh 
b/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
index a6c738f..254fad6 100644
--- a/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
+++ b/rhel/usr_share_openvswitch_scripts_ovs-kmod-manage.sh
@@ -14,23 +14,39 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This version of the script is intended to be used on kernel version
-# 3.10.0 major revision 693 only. It is packaged in the openvswitch kmod RPM
-# built using the rhel6 spec file, and run in the post-install for minor 
-# revision 693 kernels.
+# This version of the script is intended to be used on kernel version 3.10.0
+# major revision 327 and 693 only. It is packaged in the openvswitch kmod RPM
+# built using the rhel6 spec file, and run in the post-install for major
+# revision 327/693 kernels.
 #
-# Due to some backward incompatible changes introduced in minor revision 17.1,
+# For kernel 3.10.0-693,
+# due to some backward incompatible changes introduced in minor revision 17.1,
 # kernel modules built against kernels newer than 17.1 cannot be loaded on
 # system running kernels older than 17.1, vice versa.
 #
+# For kernel 3.10.0-327,
+# due to some backward incompatible changes introduced in minor revision 41.3,
+# kernel modules built against kernels newer than 41.3 cannot be loaded on
+# system running kernels older than 41.3, vice versa.
+#
 # This script checks the current running kernel version, and update symlinks
 # for the openvswitch kernel modules in the appropriate kernel directory,
 # provided the kmod RPM has installed kernel modules files built from both
-# 1.1 and 17.1 minor revisions.
+# minor revisions.
 # 
 # In case of a kernel minor revision change after the openvswitch kmod package
 # is installed, this script shall be run manually after system reboots and
 # switches to a different kernel
+if [ -n "$(rpm -qa kmod-openvswitch)" ]; then
+rpmname="kmod-openvswitch"
+elif [ -n "$(rpm -qa openvswitch-kmod)" ]; then
+rpmname="openvswitch-kmod"
+else
+echo "openvswit

[ovs-dev] [PATCH 3/6] system-dpdk: Allow running the dpdk tests from a VM

2018-08-01 Thread Aaron Conole
Some VM configurations result in CPU flags that cause warnings to be issued by
the DPDK libraries.  When these warnings are issued, the tests will fail.

This commit adds the unreliable tsc warning to the list of ignored warnings.

Signed-off-by: Aaron Conole 
---
 tests/system-dpdk.at | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
index c1c908411..723ba794f 100644
--- a/tests/system-dpdk.at
+++ b/tests/system-dpdk.at
@@ -11,6 +11,7 @@ AT_CHECK([grep "EAL" ovs-vswitchd.log], [], [stdout])
 AT_CHECK([grep "DPDK Enabled - initialized" ovs-vswitchd.log], [], [stdout])
 OVS_VSWITCHD_STOP(["/Global register is changed during/d
 /EAL:   Invalid NUMA socket, default to 0/d
+/EAL: WARNING: cpu flags constant_tsc=yes nonstop_tsc=no -> using unreliable 
clock cycles !/d
 /EAL: No free hugepages reported in hugepages-1048576kB/d"])
 AT_CLEANUP
 dnl --
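Review bot: The added sed expression matches only the exact text `constant_tsc=yes nonstop_tsc=no`, so a VM reporting a different combination of the two flags would presumably still trip the log check this change is meant to relax; the same literal is added in the two later hunks of this file. If the intent is to ignore the unreliable-clock warning whatever the flag values are, a looser pattern such as `/EAL: WARNING: cpu flags constant_tsc=.* nonstop_tsc=.* -> using unreliable clock cycles !/d` covers them. A `dnl` line above each `OVS_VSWITCHD_STOP` call saying the warning is only expected under virtualisation would help, since ignoring it on bare metal could hide a real timing problem. The test this call closes starts above the hunk.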
@@ -36,6 +37,7 @@ AT_CHECK([ovs-vsctl del-port br10 phy0], [], [stdout], 
[stderr])
 OVS_VSWITCHD_STOP("/does not exist. The Open vSwitch kernel module is probably 
not loaded./d
 /Failed to enable flow control/d
 /Global register is changed during/d
+/EAL: WARNING: cpu flags constant_tsc=yes nonstop_tsc=no -> using unreliable 
clock cycles !/d
 /EAL: No free hugepages reported in hugepages-1048576kB/d
 ")
 AT_CLEANUP
@@ -68,6 +70,7 @@ OVS_VSWITCHD_STOP(["/does not exist. The Open vSwitch kernel 
module is probably
 /failed to connect to \/tmp\/dpdkvhostclient0: No such file or directory/d
 /Global register is changed during/d
 /EAL:   Invalid NUMA socket, default to 0/d
+/EAL: WARNING: cpu flags constant_tsc=yes nonstop_tsc=no -> using unreliable 
clock cycles !/d
 /EAL: No free hugepages reported in hugepages-1048576kB/d"])
 AT_CLEANUP
 dnl --
-- 
2.14.3



[ovs-dev] [PATCH 2/6] system-dpdk: skip all tests if there are no hugepages

2018-08-01 Thread Aaron Conole
From: Bala Sankaran 

A failure is quite harsh in this scenario.  It's better to
simply skip all the tests and let the user look at the logs
to understand the missing hugepages.

Signed-off-by: Bala Sankaran 
Co-authored-by: Aaron Conole 
Signed-off-by: Aaron Conole 
---
 tests/system-dpdk-macros.at | 2 +-
 tests/system-dpdk.at| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/system-dpdk-macros.at b/tests/system-dpdk-macros.at
index 2e5571fc4..f772a1945 100644
--- a/tests/system-dpdk-macros.at
+++ b/tests/system-dpdk-macros.at
@@ -6,7 +6,7 @@
 m4_define([OVS_DPDK_PRE_CHECK],
   [dnl Check Hugepages
AT_CHECK([cat /proc/meminfo], [], [stdout])
-   AT_CHECK([grep HugePages_ stdout], [], [stdout])
+   AT_SKIP_IF([egrep 'HugePages_Free: *0' stdout], [], [stdout])
AT_CHECK([mount], [], [stdout])
AT_CHECK([grep 'hugetlbfs' stdout], [], [stdout], [])
 
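Review bot: `AT_SKIP_IF` takes a single shell-condition argument, so the trailing `[], [stdout]` carried over from the `AT_CHECK` line it replaces are ignored; the same extra arguments appear on the `lsmod` `AT_SKIP_IF` in patch 1/6 of this series. The check that `HugePages_` lines exist at all is also gone, so a `/proc/meminfo` without hugepage counters now neither fails nor skips at this point. Something like `AT_SKIP_IF([egrep -q 'HugePages_Free: *0$' stdout])` states the intent more exactly; whether a missing `HugePages_Free` line should skip as well is worth deciding. The macro body continues past the end of the hunk.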
diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
index 6901d19e6..c1c908411 100644
--- a/tests/system-dpdk.at
+++ b/tests/system-dpdk.at
@@ -47,7 +47,7 @@ dnl 
--
 dnl Add vhost-user-client port
 AT_SETUP([OVS-DPDK datapath - add vhost-user-client port])
 AT_KEYWORDS([dpdk])
-
+OVS_DPDK_PRE_CHECK()
 OVS_DPDK_START()
 
 dnl Add userspace bridge and attach it to OVS
-- 
2.14.3



[ovs-dev] [PATCH 1/6] system-dpdk: update test suite for non-phy testing

2018-08-01 Thread Aaron Conole
This allows a system that doesn't have a dedicated DPDK nic to
execute some DPDK tests.  In this fashion, tests that operate on
virtual ports (such as dpdkvhostuserclient) can be executed in
a wider set of environments.

Signed-off-by: Aaron Conole 
---
 tests/system-dpdk-macros.at | 18 +++---
 tests/system-dpdk.at| 16 
 2 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/tests/system-dpdk-macros.at b/tests/system-dpdk-macros.at
index 0762ee055..2e5571fc4 100644
--- a/tests/system-dpdk-macros.at
+++ b/tests/system-dpdk-macros.at
@@ -2,7 +2,6 @@
 #
 # Check prerequisites for DPDK tests. Following settings are checked:
 #  - Hugepages
-#  - UIO driver
 #
 m4_define([OVS_DPDK_PRE_CHECK],
   [dnl Check Hugepages
@@ -11,13 +10,26 @@ m4_define([OVS_DPDK_PRE_CHECK],
AT_CHECK([mount], [], [stdout])
AT_CHECK([grep 'hugetlbfs' stdout], [], [stdout], [])
 
+])
+
+
+# OVS_DPDK_PRE_PHY_SKIP()
+#
+# Skip any phy related tests if the PHY variable is not set.
+# This is done by checking for a bound driver.
+#
+m4_define([OVS_DPDK_PRE_PHY_SKIP],
+  [dnl Perform the precheck
+   OVS_DPDK_PRE_CHECK()
+
dnl Check if VFIO or UIO driver is loaded
-   AT_CHECK([lsmod | grep -E "igb_uio|vfio"], [], [stdout])
+   AT_SKIP_IF([ ! (lsmod | grep -E "igb_uio|vfio") ], [], [stdout])
 
dnl Find PCI address candidate, skip if there is no DPDK-compatible NIC
AT_CHECK([$DPDK_DIR/usertools/dpdk-devbind.py -s | head -n +4 | tail -1], 
[], [stdout])
AT_CHECK([cat stdout | cut -d" " -s -f1 > PCI_ADDR])
-   AT_CHECK([test -s PCI_ADDR || exit 77])
+   AT_SKIP_IF([ ! test -s PCI_ADDR ])
+
 ])
 
 
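Review bot: The header comment added for `OVS_DPDK_PRE_PHY_SKIP` says the skip depends on a `PHY` variable, but nothing in the macro reads one: it skips when `lsmod` shows neither `igb_uio` nor `vfio`, or when `PCI_ADDR` is empty. `lsmod` also only shows that a module is loaded, not that a device is bound to it. I would reword the comment to `# Skip phy related tests when no igb_uio/vfio module is loaded or no PCI address candidate is found.` The `AT_CHECK` on `$DPDK_DIR/usertools/dpdk-devbind.py` between the two skips still fails the test, rather than skipping it, if the script is missing or writes to stderr, which seems to go against the purpose of the change.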
diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
index 3d21b0136..6901d19e6 100644
--- a/tests/system-dpdk.at
+++ b/tests/system-dpdk.at
@@ -4,14 +4,14 @@ dnl 
--
 dnl Check if EAL init is successfull
 AT_SETUP([OVS-DPDK datapath - EAL init])
 AT_KEYWORDS([dpdk])
-dnl OVS_DPDK_PRE_CHECK()
+OVS_DPDK_PRE_CHECK()
 OVS_DPDK_START()
 AT_CHECK([grep "DPDK Enabled - initializing..." ovs-vswitchd.log], [], 
[stdout])
 AT_CHECK([grep "EAL" ovs-vswitchd.log], [], [stdout])
 AT_CHECK([grep "DPDK Enabled - initialized" ovs-vswitchd.log], [], [stdout])
-OVS_VSWITCHD_STOP("/Global register is changed during/d
-/EAL: No free hugepages reported in hugepages-1048576kB/d
-")
+OVS_VSWITCHD_STOP(["/Global register is changed during/d
+/EAL:   Invalid NUMA socket, default to 0/d
+/EAL: No free hugepages reported in hugepages-1048576kB/d"])
 AT_CLEANUP
 dnl --
 
@@ -22,7 +22,7 @@ dnl Add standard DPDK PHY port
 AT_SETUP([OVS-DPDK datapath - add standard DPDK port])
 AT_KEYWORDS([dpdk])
 
-OVS_DPDK_PRE_CHECK()
+OVS_DPDK_PRE_PHY_SKIP()
 OVS_DPDK_START()
 
 dnl Add userspace bridge and attach it to OVS
@@ -63,11 +63,11 @@ AT_CHECK([grep "VHOST_CONFIG: /tmp/dpdkvhostclient0: 
reconnecting..." ovs-vswitc
 
 dnl Clean up
 AT_CHECK([ovs-vsctl del-port br10 dpdkvhostuserclient0], [], [stdout], 
[stderr])
-OVS_VSWITCHD_STOP("/does not exist. The Open vSwitch kernel module is probably 
not loaded./d
+OVS_VSWITCHD_STOP(["/does not exist. The Open vSwitch kernel module is 
probably not loaded./d
 /Failed to enable flow control/d
 /failed to connect to \/tmp\/dpdkvhostclient0: No such file or directory/d
 /Global register is changed during/d
-/EAL: No free hugepages reported in hugepages-1048576kB/d
-")
+/EAL:   Invalid NUMA socket, default to 0/d
+/EAL: No free hugepages reported in hugepages-1048576kB/d"])
 AT_CLEANUP
 dnl --
-- 
2.14.3



[ovs-dev] [RFC 6/6] system-dpdk: Connect two namespaces via virtio

2018-08-01 Thread Aaron Conole
From: Bala Sankaran 

This adds a new test to the 'check-dpdk' subsystem that will exercise
allocations, PMDs, and the vhost-user code path.

Signed-off-by: Bala Sankaran 
Co-authored-by: Aaron Conole 
Signed-off-by: Aaron Conole 
---
NOTE: This currently is broken, and needs some help to fix.  The
biggest issue we currently see is that the ovs-vswitchd does not
successfully configure memory regions, failing with the generic:
"Cannot allocate memory" from the mmap() call in
vhost_user_set_mem_table.

We have used dpdk 17.11 for ovs-vswitchd, and 18.05+ for the
testpmd version.

 tests/system-dpdk.at | 75 
 1 file changed, 75 insertions(+)

diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
index 58dc8aaae..14ea2edce 100644
--- a/tests/system-dpdk.at
+++ b/tests/system-dpdk.at
@@ -74,3 +74,78 @@ OVS_VSWITCHD_STOP(["\@does not exist. The Open vSwitch 
kernel module is probably
 \@EAL: No free hugepages reported in hugepages-1048576kB@d"])
 AT_CLEANUP
 dnl --
+
+
+
+dnl --
+dnl Add vhost-user-client port
+AT_SETUP([OVS-DPDK datapath - ping vhost-user-client ports])
+AT_KEYWORDS([dpdk])
+OVS_DPDK_PRE_CHECK()
+OVS_DPDK_START()
+
+dnl Add userspace bridge and attach it to OVS
+AT_CHECK([ovs-vsctl add-br br10 -- set bridge br10 datapath_type=netdev])
+AT_CHECK([ovs-vsctl add-port br10 dpdkvhostuserclient0 -- set Interface 
dpdkvhostuserclient0 type=dpdkvhostuserclient 
options:vhost-server-path=$OVS_RUNDIR/vhu0], [], [stdout], [stderr])
+AT_CHECK([ovs-vsctl add-port br10 dpdkvhostuserclient1 -- set Interface 
dpdkvhostuserclient1 type=dpdkvhostuserclient 
options:vhost-server-path=$OVS_RUNDIR/vhu1], [], [stdout], [stderr])
+AT_CHECK([ovs-vsctl show], [], [stdout])
+sleep 2
+
+dnl Parse log file
+AT_CHECK([grep "VHOST_CONFIG: vhost-user client: socket created" 
ovs-vswitchd.log], [], [stdout])
+AT_CHECK([grep "vHost User device 'dpdkvhostuserclient0' created in 'client' 
mode, using client socket" ovs-vswitchd.log], [], [stdout])
+AT_CHECK([grep "vHost User device 'dpdkvhostuserclient1' created in 'client' 
mode, using client socket" ovs-vswitchd.log], [], [stdout])
+AT_CHECK([grep "VHOST_CONFIG: $OVS_RUNDIR/vhu0: reconnecting..." 
ovs-vswitchd.log], [], [stdout])
+AT_CHECK([grep "VHOST_CONFIG: $OVS_RUNDIR/vhu1: reconnecting..." 
ovs-vswitchd.log], [], [stdout])
+
+dnl Set up namespaces
+ADD_NAMESPACES(ns1, ns2)
+
+dnl execute testpmd in background
+on_exit "pkill -f -x -9 'tail -f /dev/null'"
+(echo start && tail -f /dev/null) | /usr/local/bin/testpmd --socket-mem=512 \
+   --vdev="net_virtio_user,path=$OVS_RUNDIR/vhu0,server=1" \
+   --vdev="net_tap0,iface=tap0" --file-prefix page0 \
+   --single-file-segments -- -a >$OVS_RUNDIR/testpmd-vhu0.log 2>&1 &
+(echo start && tail -f /dev/null) | /usr/local/bin/testpmd --socket-mem=512 \
+   --vdev="net_virtio_user,path=$OVS_RUNDIR/vhu1,server=1" \
+   --vdev=net_tap1,iface=tap1 --file-prefix page1 \
+   --single-file-segments -- -a >$OVS_RUNDIR/testpmd-vhu1.log 2>&1 &
+
+dnl give settling time to the testpmd processes
+sleep 2
+
+dnl move the tap devices to the namespaces
+AT_CHECK([ip link set tap0 netns ns1], [], [stdout], [stderr])
+AT_CHECK([ip link set tap1 netns ns2], [], [stdout], [stderr])
+
+AT_CHECK([ip netns exec ns1 ip link show], [], [stdout], [stderr])
+AT_CHECK([ip netns exec ns1 ip link show | grep tap0], [], [stdout], [stderr])
+AT_CHECK([ip netns exec ns1 ip link set tap0 up], [], [stdout], [stderr])
+AT_CHECK([ip netns exec ns1 ip addr add 172.31.110.11/24 dev tap0], [], 
[stdout], [stderr])
+
+AT_CHECK([ip netns exec ns2 ip link show], [], [stdout], [stderr])
+AT_CHECK([ip netns exec ns2 ip link show | grep tap1], [], [stdout], [stderr])
+AT_CHECK([ip netns exec ns2 ip link set tap1 up], [], [stdout], [stderr])
+AT_CHECK([ip netns exec ns2 ip addr add 172.31.110.12/24 dev tap1], [], 
[stdout], [stderr])
+
+ip netns exec ns1 arping -c 4 -I tap0 172.31.110.12
+
+ovs-vsctl show
+ovs-appctl dpctl/dump-dps
+ovs-appctl dpctl/show netdev@ovs-netdev
+ps aux | grep testpmd
+
+dnl Clean up
+AT_CHECK([ovs-vsctl del-port br10 dpdkvhostuserclient0], [], [stdout], 
[stderr])
+AT_CHECK([ovs-vsctl del-port br10 dpdkvhostuserclient1], [], [stdout], 
[stderr])
+OVS_VSWITCHD_STOP(["\@does not exist. The Open vSwitch kernel module is 
probably not loaded.@d
+\@Failed to enable flow control@d
+\@VHOST_CONFIG: failed to connect to $OVS_RUNDIR/hu0: No such file or 
directory@d
+\@VHOST_CONFIG: failed to connect to $OVS_RUNDIR/vhu1: No such file or 
directory@d
+\@Global register is changed during@d
+\@EAL:   Invalid NUMA socket, default to 0@d
+\@EAL: WARNING: cpu flags constant_tsc=yes nonstop_tsc=no -> using unreliable 
clock cycles !@d
+\@EAL: No free hugepages reported in hugepages-1048576kB@d"])
+AT_CLEANUP
+dnl -
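Review bot: The cleanup hook `on_exit "pkill -f -x -9 'tail -f /dev/null'"` matches by command line across the whole host, so it sends SIGKILL to any unrelated `tail -f /dev/null` the invoking user may signal (all of them if the suite runs as root), and it never names the testpmd processes themselves. Recording the PIDs of the processes the test starts and killing only those would keep the cleanup scoped to what the test launched. The ignore list also has `$OVS_RUNDIR/hu0` where the port was created with `$OVS_RUNDIR/vhu0`, so that expression cannot match the message it is meant to drop. The `arping` and the diagnostic commands after it run outside `AT_CHECK`, so the test does not yet assert that the namespaces can reach each other, and `/usr/local/bin/testpmd` is hard-coded with no skip when it is absent.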

[ovs-dev] [PATCH 5/6] system-dpdk: Convert /tmp to use OVS_RUNDIR

2018-08-01 Thread Aaron Conole
From: Bala Sankaran 

When multiple users run the DPDK testsuite their dependence on /tmp
will cause conflicts. Use the RUNDIR as a dynamic path to overcome
this.

NOTE: This still doesn't solve the dependency on /var/run that
DPDK requires.

Signed-off-by: Bala Sankaran 
Co-authored-by: Aaron Conole 
Signed-off-by: Aaron Conole 
---
 tests/system-dpdk.at | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
index 834ba06fb..58dc8aaae 100644
--- a/tests/system-dpdk.at
+++ b/tests/system-dpdk.at
@@ -54,20 +54,20 @@ OVS_DPDK_START()
 
 dnl Add userspace bridge and attach it to OVS
 AT_CHECK([ovs-vsctl add-br br10 -- set bridge br10 datapath_type=netdev])
-AT_CHECK([ovs-vsctl add-port br10 dpdkvhostuserclient0 -- set Interface 
dpdkvhostuserclient0 type=dpdkvhostuserclient 
options:vhost-server-path=/tmp/dpdkvhostclient0], [], [stdout], [stderr])
+AT_CHECK([ovs-vsctl add-port br10 dpdkvhostuserclient0 -- set Interface 
dpdkvhostuserclient0 type=dpdkvhostuserclient 
options:vhost-server-path=$OVS_RUNDIR/dpdkvhostclient0], [], [stdout], [stderr])
 AT_CHECK([ovs-vsctl show], [], [stdout])
 sleep 2
 
 dnl Parse log file
 AT_CHECK([grep "VHOST_CONFIG: vhost-user client: socket created" 
ovs-vswitchd.log], [], [stdout])
 AT_CHECK([grep "vHost User device 'dpdkvhostuserclient0' created in 'client' 
mode, using client socket" ovs-vswitchd.log], [], [stdout])
-AT_CHECK([grep "VHOST_CONFIG: /tmp/dpdkvhostclient0: reconnecting..." 
ovs-vswitchd.log], [], [stdout])
+AT_CHECK([grep "VHOST_CONFIG: $OVS_RUNDIR/dpdkvhostclient0: reconnecting..." 
ovs-vswitchd.log], [], [stdout])
 
 dnl Clean up
 AT_CHECK([ovs-vsctl del-port br10 dpdkvhostuserclient0], [], [stdout], 
[stderr])
 OVS_VSWITCHD_STOP(["\@does not exist. The Open vSwitch kernel module is 
probably not loaded.@d
 \@Failed to enable flow control@d
-\@VHOST_CONFIG: failed to connect to /tmp/dpdkvhostclient0: No such file or 
directory@d
+\@VHOST_CONFIG: failed to connect to $OVS_RUNDIR/dpdkvhostclient0: No such 
file or directory@d
 \@Global register is changed during@d
 \@EAL:   Invalid NUMA socket, default to 0@d
 \@EAL: WARNING: cpu flags constant_tsc=yes nonstop_tsc=no -> using unreliable 
clock cycles !@d
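Review bot: With the socket under `$OVS_RUNDIR`, the length of `vhost-server-path` now depends on where the testsuite directory lives, and AF_UNIX socket paths are limited by the size of `sun_path` (108 bytes on Linux); a deep build tree could presumably push `$OVS_RUNDIR/dpdkvhostclient0` past that, and the hunk has no guard for it. The expanded path is also used as a regular expression in the `grep` and inside a sed address delimited by `@`, so a run directory containing `@` or regex metacharacters would change what those expressions match. Using `grep -F` for the log check and a `dnl` line stating the path-length assumption would make such a failure easier to diagnose. The test this belongs to starts above the hunk.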
-- 
2.14.3



[ovs-dev] [PATCH 4/6] system-dpdk: Use a different character marker for sed commands

2018-08-01 Thread Aaron Conole
The default marker for sed commands according to the manual is /, but this
is inconvenient when working with paths.  The solution is either to escape
all instances of / or use sed's \cREGEXc feature.

Signed-off-by: Aaron Conole 
---
 tests/system-dpdk.at | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
index 723ba794f..834ba06fb 100644
--- a/tests/system-dpdk.at
+++ b/tests/system-dpdk.at
@@ -65,12 +65,12 @@ AT_CHECK([grep "VHOST_CONFIG: /tmp/dpdkvhostclient0: 
reconnecting..." ovs-vswitc
 
 dnl Clean up
 AT_CHECK([ovs-vsctl del-port br10 dpdkvhostuserclient0], [], [stdout], 
[stderr])
-OVS_VSWITCHD_STOP(["/does not exist. The Open vSwitch kernel module is 
probably not loaded./d
-/Failed to enable flow control/d
-/failed to connect to \/tmp\/dpdkvhostclient0: No such file or directory/d
-/Global register is changed during/d
-/EAL:   Invalid NUMA socket, default to 0/d
-/EAL: WARNING: cpu flags constant_tsc=yes nonstop_tsc=no -> using unreliable 
clock cycles !/d
-/EAL: No free hugepages reported in hugepages-1048576kB/d"])
+OVS_VSWITCHD_STOP(["\@does not exist. The Open vSwitch kernel module is 
probably not loaded.@d
+\@Failed to enable flow control@d
+\@VHOST_CONFIG: failed to connect to /tmp/dpdkvhostclient0: No such file or 
directory@d
+\@Global register is changed during@d
+\@EAL:   Invalid NUMA socket, default to 0@d
+\@EAL: WARNING: cpu flags constant_tsc=yes nonstop_tsc=no -> using unreliable 
clock cycles !@d
+\@EAL: No free hugepages reported in hugepages-1048576kB@d"])
 AT_CLEANUP
 dnl --
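Review bot: Besides switching the delimiter, the third expression gains a `VHOST_CONFIG: ` prefix, which narrows what is ignored compared with the old `/failed to connect to \/tmp\/dpdkvhostclient0: No such file or directory/d`; the commit message describes only the delimiter change. If the narrowing is intended it deserves a line in the description, otherwise keep the original text so the commit stays a pure syntax change. `@` now has to stay out of every pattern in this list, which is worth a `dnl` comment above the `OVS_VSWITCHD_STOP` call.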
-- 
2.14.3



[ovs-dev] [PATCH 0/6] system-dpdk: add support to ping two namespaces

2018-08-01 Thread Aaron Conole
This allows system-dpdk test suite to ping two namespaces via a pair
of dpdkvhostuserclient ports, using testpmd as a forwarding agent.

Currently, the final patch in the series (which adds the test) isn't
reliable enough yet, so it is still RFC.  Submitted for early feedback.

Aaron Conole (3):
  system-dpdk: update test suite for non-phy testing
  system-dpdk: Allow running the dpdk tests from a VM
  system-dpdk: Use a different character marker for sed commands

Bala Sankaran (3):
  system-dpdk: skip all tests if there are no hugepages
  system-dpdk: Convert /tmp to use OVS_RUNDIR
  system-dpdk: Connect two namespaces via virtio

 tests/system-dpdk-macros.at |  20 +++--
 tests/system-dpdk.at| 104 ++--
 2 files changed, 107 insertions(+), 17 deletions(-)

-- 
2.14.3



Re: [ovs-dev] [PATCH] ofproto-dpif: Fix typo in registered command

2018-08-01 Thread Alin Gabriel Serdean



> On 25 Jul 2018, at 00:31, Ben Pfaff  wrote:
> 
> On Mon, Jul 23, 2018 at 05:45:30PM +0300, Alin Gabriel Serdean wrote:
>> Also split line at 79 characters.
>> 
>> Found by inspection.
>> 
>> Signed-off-by: Alin Gabriel Serdean 
> 
> Acked-by: Ben Pfaff 


Applied on master and branch-2.10


Re: [ovs-dev] [PATCH] Add opterr and optopt to Windows headers

2018-08-01 Thread Alin Gabriel Serdean


> On 1 Aug 2018, at 20:17, Ben Pfaff  wrote:
> 
> On Wed, Aug 01, 2018 at 04:01:36PM +0300, aserd...@ovn.org 
>  wrote:
>>> -Mesaj original-
>>> De la: ovs-dev-boun...@openvswitch.org >> boun...@openvswitch.org> În numele Ben Pfaff
>>> Trimis: Tuesday, July 31, 2018 7:37 PM
>>> Către: Alin Gabriel Serdean 
>>> Cc: d...@openvswitch.org
>>> Subiect: Re: [ovs-dev] [PATCH] Add opterr and optopt to Windows headers
>>> 
>>> On Tue, Jul 31, 2018 at 03:08:13PM +0300, Alin Gabriel Serdean wrote:
 Until now we only had optind defined in the header.
 
 Since we are using the BSD getopt variant add opterr and optopt.
 
 Fixes: current Windows build failures.
>>> 
>>> Usually Fixes is used like this:
>>> 
>>>CC: Jakub Sitnicki 
>>>Fixes: 3ec06ea9c668 ("ovn-nbctl: Initial support for daemon mode.")
>>> 
>>> I use the following script, installed under the name git-fixes, to
>> generate it:
>>> 
>>> #! /bin/sh
>>> git --no-pager log -1 --pretty=format:"CC: %an <%ae>%nFixes: %h
>>> (\"%s\")%n" --abbrev=12 "$@"
>>> 
>> Thanks or the script Ben. I updated the commit message and sent out a v2.
> 
> Acked-by: Ben Pfaff mailto:b...@ovn.org>>

Thanks! Applied on master and branch-2.10


[ovs-dev] [PATCH] tests: Test for ovs-ofctl snoop command

2018-08-01 Thread Ashish Varma
Added test for snoop command to check for the initial handshake messages
when a bridge connects to a controller via 'unix' connection method.

Signed-off-by: Ashish Varma 
---
 tests/ovs-ofctl.at | 28 
 1 file changed, 28 insertions(+)

diff --git a/tests/ovs-ofctl.at b/tests/ovs-ofctl.at
index 06597d7..794277b 100644
--- a/tests/ovs-ofctl.at
+++ b/tests/ovs-ofctl.at
@@ -3184,3 +3184,31 @@ AT_CHECK([grep -q "ct_dpif|DBG|.*ct_flush: zone 123" 
ovs-vswitchd.log])
 
 OVS_VSWITCHD_STOP
 AT_CLEANUP
+
+
+AT_SETUP([ovs-ofctl snoop-unix-connection])
+OVS_VSWITCHD_START
+
+dnl setup controller for br0 before starting the controller
+AT_CHECK([ovs-vsctl set-controller br0 unix:testcontroller])
+
+dnl then start listening on the '.snoop' connection
+AT_CHECK([ovs-ofctl --detach --pidfile=ovsofctl_snoop.pid snoop br0 1> 
snoopbr0.txt 2>&1])
+on_exit 'kill `cat ovsofctl_snoop.pid`'
+on_exit 'unlink snoopbr0.txt'
+
+dnl finally start the controller
+AT_CHECK([ovs-testcontroller --detach --pidfile punix:testcontroller], [0], 
[ignore])
+on_exit 'kill `cat ovs-testcontroller.pid`'
+OVS_WAIT_UNTIL([test -e testcontroller])
+
+dnl wait for 2 seconds for snoop to collect the messages from the bridge
+sleep 2
+
+dnl check some of the initial openflow setup messages
+AT_CHECK([egrep "OFPT_FEATURES_REQUEST" snoopbr0.txt 1> /dev/null 2>&1])
+AT_CHECK([egrep "OFPT_FEATURES_REPLY" snoopbr0.txt 1> /dev/null 2>&1])
+AT_CHECK([egrep "OFPT_SET_CONFIG" snoopbr0.txt 1> /dev/null 2>&1])
+
+OVS_VSWITCHD_STOP(["/connection failed (No such file or directory)/d"])
+AT_CLEANUP
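Review bot: The fixed `sleep 2` before the three `egrep` checks makes the test timing-dependent: on a loaded machine the handshake may not be in `snoopbr0.txt` yet, and on a fast one the test waits for nothing. The hunk already uses `OVS_WAIT_UNTIL` for the controller socket, so the same can replace the sleep, e.g. `OVS_WAIT_UNTIL([grep -q "OFPT_SET_CONFIG" snoopbr0.txt])`, followed by the remaining checks. `egrep ... 1> /dev/null 2>&1` can likewise become `grep -q`, which keeps any error output visible in the test log.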
-- 
2.7.4



[ovs-dev] Elementos de Puntuación y Ortografía.

2018-08-01 Thread Redacción de documentos ejecutivos
 Nuevas Disposiciones RAE (Real Academia Española)  

Redacción de documentos ejecutivos y técnicos para profesionales
Agosto 21 
   

Introducción: 

Su desarrollo brinda herramientas para la comprensión de aspectos gramaticales 
del español necesarios para la redacción de textos coherentes, contribuyendo a 
fortalecer las habilidades comunicativas para un desempeño exitoso en contextos 
cotidianos, organizacionales, académicos y profesionales. 
  
Objetivos: 

Atendiendo a las necesidades comunicativas de profesionales y demás personas, 
este seminario desarrolla en los participantes habilidades lingüísticas de 
redacción, ortografía y puntuación, necesarias para la adecuada producción de 
textos. 

  TEMARIO: 

1. Factores de Coherencia y Conexión. 
2. Errores frecuentes de Construcción y Régimen. 
3. Nociones Básicas de Gramática Funcional. 
4. Elementos de Puntuación y Ortografía. 
5. Construcciones que causan Dificultad en Español.
6. Redacción de Textos Oficiales Profesionales (Revisión de Plantillas).  
 
 

Al solicitar información, recibirá de manera gratuita y sin compromiso: 
Temario, costos, reseña del instructor y otros datos de interés. 

Responda por este medio con la frase: "Redacción" + Empresa + Nombre + Número 
de Teléfono. 

o marcando al: 045 + 5515546630 
 




Re: [ovs-dev] [ovs-discuss] ovsdb-server core dump and ovsdb corruption using raft cluster

2018-08-01 Thread Guru Shetty
I was able to reproduce it. I will work with Ben to get this fixed.

On 26 July 2018 at 23:14, Girish Moodalbail  wrote:

> Hello Ben,
>
> Sorry, got distracted with something else at work. I am still able to
> reproduce the issue, and this is what I have and what I did
> (if you need the core, let me know and I can share it with you)
>
> - 3-cluster RAFT setup in Ubuntu VM (2 VCPUs with 8GB RAM)
>   $ uname -r
>   Linux u1804-HVM-domU 4.15.0-23-generic #25-Ubuntu SMP Wed May 23
> 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>
> - On all of the VMs, I have installed openvswitch-switch=2.9.2,
> openvswitch-dbg=2.9.2, and ovn-central=2.9.2
>   (all of these packages are from http://packages.wand.net.nz/)
>
> - I bring up the node in the cluster one after the other -- leader 1st and
> followed by two followers
> - I check for cluster status and everything is healthy
> - ovn-nbctl show and ovn-sbctl show is all empty
>
> - on the leader with OVN_NB_DB set to comma-separated-NB connection
> strings I did
>for i in `seq 1 50`; do ovn-nbclt ls-add ls$i; ovn-nbctl lsp-add ls$i
> port0_$i; done
>
> - Check for the presence of 50 logical switches and 50 logical ports (one
> on each switch). Compact the database on all the nodes.
>
> - Next I try to delete the ports and whilst the deletion is happening I
> run compact on one of the followers
>
>   leader_node# for i in `seq  1 50`; do ovn-nbctl lsp-del port0_$i;done
>   follower_node# ovs-appctl -t /var/run/openvswitch/ovnnb_db.ctl
> ovsdb-server/compact OVN_Northbound
>
> - On the follower node I see the crash:
>
> ● ovn-central.service - LSB: OVN central components
>Loaded: loaded (/etc/init.d/ovn-central; generated)
>Active: active (running) since Thu 2018-07-26 22:48:53 PDT; 19min ago
>  Docs: man:systemd-sysv-generator(8)
>   Process: 21883 ExecStop=/etc/init.d/ovn-central stop (code=exited,
> status=0/SUCCESS)
>   Process: 21934 ExecStart=/etc/init.d/ovn-central start (code=exited,
> status=0/SUCCESS)
> Tasks: 10 (limit: 4915)
>CGroup: /system.slice/ovn-central.service
>├─22047 ovsdb-server: monitoring pid 22134 (*1 crashes: pid
> 22048 died, killed (Aborted), core dumped*
>├─22059 ovsdb-server: monitoring pid 22060 (healthy)
>├─22060 ovsdb-server -vconsole:off -vfile:info
> --log-file=/var/log/openvswitch/ovsdb-server-sb.log -
>├─22072 ovn-northd: monitoring pid 22073 (healthy)
>├─22073 ovn-northd -vconsole:emer -vsyslog:err -vfile:info
> --ovnnb-db=tcp:10.0.7.33:6641,tcp:10.0.7.
>└─22134 ovsdb-server -vconsole:off -vfile:info
> --log-file=/var/log/openvswitch/ovsdb-server-nb.log
>
>
> Same call trace and reason:
>
> #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
> #1  0x7f79599a1801 in __GI_abort () at abort.c:79
> #2  0x5596879c017c in json_serialize (json=,
> s=) at ../lib/json.c:1554
> #3  0x5596879c01eb in json_serialize_object_member (i=,
> s=, node=, node=) at
> ../lib/json.c:1583
> #4  0x5596879c0132 in json_serialize_object (s=0x7ffc17013bf0,
> object=0x55968993dcb0) at ../lib/json.c:1612
> #5  json_serialize (json=, s=0x7ffc17013bf0) at
> ../lib/json.c:1533
> #6  0x5596879c249c in json_to_ds (json=json@entry=0x559689950670,
> flags=flags@entry=0, ds=ds@entry=0x7ffc17013c80) at ../lib/json.c:1511
> #7  0x5596879ae8df in ovsdb_log_compose_record 
> (json=json@entry=0x559689950670,
> magic=0x55968993dc60 "CLUSTER", header=header@entry=0x7ffc17013c60,
> data=data@entry=0x7ffc17013c80) at ../ovsdb/log.c:570
> #8  0x5596879aebbf in ovsdb_log_write (file=0x5596899b5df0,
> json=0x559689950670) at ../ovsdb/log.c:618
> #9  0x5596879aed3e in ovsdb_log_write_and_free 
> (log=log@entry=0x5596899b5df0,
> json=0x559689950670) at ../ovsdb/log.c:651
> #10 0x5596879b0954 in raft_write_snapshot (raft=raft@entry=0x5596899151a0,
> log=0x5596899b5df0, new_log_start=new_log_start@entry=166,
> new_snapshot=new_snapshot@entry=0x7ffc17013e30) at
> ../ovsdb/raft.c:3588
> #11 0x5596879b0ec3 in raft_save_snapshot (raft=raft@entry=0x5596899151a0,
> new_start=new_start@entry=166, new_snapshot=new_snapshot@
> entry=0x7ffc17013e30)
> at ../ovsdb/raft.c:3647
> #12 0x5596879b8aed in raft_store_snapshot (raft=0x5596899151a0,
> new_snapshot_data=new_snapshot_data@entry=0x5596899505f0) at
> ../ovsdb/raft.c:3849
> #13 0x5596879a579e in ovsdb_storage_store_snapshot__
> (storage=0x5596899137a0, schema=0x559689938ca0, data=0x559689946ea0) at
> ../ovsdb/storage.c:541
> #14 0x5596879a625e in ovsdb_storage_store_snapshot
> (storage=0x5596899137a0, schema=schema@entry=0x559689938ca0,
> data=data@entry=0x559689946ea0) at ../ovsdb/storage.c:568
> #15 0x55968799f5ab in ovsdb_snapshot (db=0x5596899137e0) at
> ../ovsdb/ovsdb.c:519
> #16 0x559687999f23 in ovsdb_server_compact (conn=0x559689938440,
> argc=, argv=, dbs_=0x7ffc170141c0) at
> ../ovsdb/ovsdb-server.c:1443
> #17 0x5596879d9cc0 in process_com

Re: [ovs-dev] [PATCH v4 5/9] debian and rhel: Create IPsec package.

2018-08-01 Thread Ben Pfaff
Those sound to me like reasonable ways to test.  Thank you.

On Tue, Jul 31, 2018 at 04:13:44PM -0700, Qiuyu Xiao wrote:
> The debian packaging is the same as the packaging we previously had.
> For debian package, I tested it by installing it in ubuntu 16.04 with
> 'dpkg -i'. For rpm package, I tested it by installing it in Fedora 27
> with 'rpm -i'. Is there any standard method to test packaging?
> 
> Thanks,
> Qiuyu
> 
> On Tue, Jul 31, 2018 at 3:33 PM, Ben Pfaff  wrote:
> > On Tue, Jul 31, 2018 at 02:08:50PM -0700, Qiuyu Xiao wrote:
> >> Added rules and files to create debian and rpm ovs-ipsec packages.
> >>
> >> Signed-off-by: Qiuyu Xiao 
> >> Signed-off-by: Ansis Atteka 
> >> Co-authored-by: Ansis Atteka 
> >
> > Do you or Ansis test the packaging?  (Or, for the Debian packaging, is
> > it similar enough to the packaging we previously had that it is
> > "probably" correct?)
> >
> > Thanks,
> >
> > Ben.


Re: [ovs-dev] [PATCH v4 7/9] ovs-pki: generate x.509 v3 certificate

2018-08-01 Thread Ben Pfaff
On Tue, Jul 31, 2018 at 02:08:52PM -0700, Qiuyu Xiao wrote:
> This patch modifies ovs-pki to generate x.509 version 3 certificate.
> Compared with the x.509 v1 certificate generated by ovs-pki, version 3
> certificate adds subjectAltName field and sets its value the same as
> common name (CN). The main reason for this change is to enable
> strongSwan IKE daemon to extract certificate identity string from the
> subjectAltName field, which makes OVN IPsec implementation easier.
> 
> Signed-off-by: Qiuyu Xiao 

Applied to master, thanks!


Re: [ovs-dev] [PATCH] Add opterr and optopt to Windows headers

2018-08-01 Thread Ben Pfaff
On Wed, Aug 01, 2018 at 04:01:36PM +0300, aserd...@ovn.org wrote:
> > -Mesaj original-
> > De la: ovs-dev-boun...@openvswitch.org  > boun...@openvswitch.org> În numele Ben Pfaff
> > Trimis: Tuesday, July 31, 2018 7:37 PM
> > Către: Alin Gabriel Serdean 
> > Cc: d...@openvswitch.org
> > Subiect: Re: [ovs-dev] [PATCH] Add opterr and optopt to Windows headers
> > 
> > On Tue, Jul 31, 2018 at 03:08:13PM +0300, Alin Gabriel Serdean wrote:
> > > Until now we only had optind defined in the header.
> > >
> > > Since we are using the BSD getopt variant add opterr and optopt.
> > >
> > > Fixes: current Windows build failures.
> > 
> > Usually Fixes is used like this:
> > 
> > CC: Jakub Sitnicki 
> > Fixes: 3ec06ea9c668 ("ovn-nbctl: Initial support for daemon mode.")
> > 
> > I use the following script, installed under the name git-fixes, to
> generate it:
> > 
> > #! /bin/sh
> > git --no-pager log -1 --pretty=format:"CC: %an <%ae>%nFixes: %h
> > (\"%s\")%n" --abbrev=12 "$@"
> > 
> Thanks or the script Ben. I updated the commit message and sent out a v2.

Acked-by: Ben Pfaff 


Re: [ovs-dev] [ACL Meters 4/7] ovn: Add Meter and Meter_Band tables to the NB and SB databases.

2018-08-01 Thread Ben Pfaff
On Wed, Aug 01, 2018 at 02:21:51PM +0200, Simon Horman wrote:
> On Sun, Jul 29, 2018 at 11:46:35PM -0700, Justin Pettit wrote:
> > Add support for configuring meters through the Meter and Meter_Band
> > tables in the Northbound database.  This commit also has ovn-northd
> > sync those tables between the Northbound and Southbound databases.
> > 
> > Add support for configuring meters with ovn-nbctl.
> > 
> > Signed-off-by: Justin Pettit 
> 
> Hi Justin,
> 
> it seems that this patch broke building with older GCC:
> 
>   https://travis-ci.org/openvswitch/ovs/jobs/410404752:
> 
> Ben applied a fix for that to master.
> 
>   04a12e42e089 ("ofctrl: Placate GCC.")
> 
> I believe that change is also needed in branch-2.10.

Thanks for the report, I've now cherry-picked it.


Re: [ovs-dev] [PATCH v4 9/9] Documentation: OVN RBAC and IPsec tutorial

2018-08-01 Thread Ben Pfaff
On Wed, Aug 01, 2018 at 10:03:38AM -0700, Ben Pfaff wrote:
> On Tue, Jul 31, 2018 at 02:08:54PM -0700, Qiuyu Xiao wrote:
> > This patch adds step-by-step guide for configuring OVN Role-Based Access
> > Control and IPsec.
> > 
> > Signed-off-by: Qiuyu Xiao 
> 
> You wrote a lot of documentation, and it's really good!  Thank you.
> 
> I spent some time working to make it even better.  I'm appending an
> incremental that I'd suggest folding in.  Does it make sense to you?

Oops, this was supposed to be for the patch "Documentation: IPsec tunnel
tutorial and documentation."


Re: [ovs-dev] [PATCH v4 9/9] Documentation: OVN RBAC and IPsec tutorial

2018-08-01 Thread Ben Pfaff
On Tue, Jul 31, 2018 at 02:08:54PM -0700, Qiuyu Xiao wrote:
> This patch adds step-by-step guide for configuring OVN Role-Based Access
> Control and IPsec.
> 
> Signed-off-by: Qiuyu Xiao 

You wrote a lot of documentation, and it's really good!  Thank you.

I spent some time working to make it even better.  I'm appending an
incremental that I'd suggest folding in.  Does it make sense to you?

Thanks,

Ben.

--8<--cut here-->8--

diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst
index 17dead5010cf..32e55b5acd0d 100644
--- a/Documentation/howto/ipsec.rst
+++ b/Documentation/howto/ipsec.rst
@@ -48,7 +48,10 @@ OVS IPsec aims to provide a simple interface for user to add 
encryption on OVS
 tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec
 configuration is done by setting options of the tunnel interface and
 other_config of Open_vSwitch. You can choose different authentication methods
-and fowarding modes based on your system requirement.
+and forwarding modes based on your requirements.
+
+OVS does not currently provide any support for IPsec encryption for traffic not
+encapsulated in a tunnel.
 
 Configuration
 -
@@ -59,7 +62,7 @@ Authentication Methods
 Hosts of the IPsec tunnel need to authenticate each other to build a secure
 channel. There are three authentication methods:
 
-1) You can use pre-shared key (PSK) to do authentication. In both hosts, set
+1) You can use a pre-shared key (PSK) to do authentication. In both hosts, set
the same PSK value. This PSK is like your password. You should never reveal
it to untrusted parties. This method is easier to use but less secure than
the certificate-based methods::
@@ -72,9 +75,9 @@ channel. There are three authentication methods:
 
.. note::
 
-  The local_ip field is required for the IPsec tunnel.
+  The ``local_ip`` field is required for the IPsec tunnel.
 
-2) You can use self-signed certificate to do authentication. In each host,
+2) You can use a self-signed certificate to do authentication. In each host,
generate a certificate and the paired private key. Copy the certificate of
the remote host to the local host and configure the OVS as following::
 
@@ -98,6 +101,10 @@ channel. There are three authentication methods:
   follow the tutorial in :doc:`/tutorials/ipsec` and use ovs-pki(8) to
   generate compatible certificate and key.
 
+  (Before OVS version 2.10.90, ovs-pki(8) did not generate x.509 v3
+  certificates, so if your existing PKI was generated by an older version,
+  it is not suitable for this purpose.)
+
 3) You can also use CA-signed certificate to do authentication. First, you need
to create a CA certificate and sign each host certificate with the CA key
(please see :doc:`/tutorials/ipsec`). Copy the CA certificate to each
@@ -133,8 +140,8 @@ actually taking affect to encrypt packets. To offset the 
risk of unencrypted
 packets leaking out during this period, you can choose a more secure forwarding
 mode.  There are three forwarding modes:
 
-1) The default mode allows unencrypted packets being sent out before IPsec
-   taking effect::
+1) The default mode allows unencrypted packets to be sent before IPsec
+   completes negotiation::
 
  $ ovs-vsctl add-port br0 ipsec_gre0 -- \
   set interface ipsec_gre0 type=gre \
@@ -146,7 +153,7 @@ mode.  There are three forwarding modes:
and/or if there is firewall that can drop the plain packets that
occasionally leak the tunnel unencrypted on OVSDB (re)configuration events.
 
-2) The ipsec_skb_mark mode filters unencrypted packets by using skb mark of
+2) The ipsec_skb_mark mode drops unencrypted packets by using skb_mark of
tunnel packets::
 
  $ ovs-vsctl set Open_vSwitch . other_config:ipsec_skb_mark=0/1
@@ -156,15 +163,15 @@ mode.  There are three forwarding modes:
 options:remote_ip=2.2.2.2 \
 options:psk=swordfish
 
-   OVS IPsec filters unencrypted packets which carry the same skb mark as
+   OVS IPsec drops unencrypted packets which carry the same skb_mark as
`ipsec_skb_mark`. By setting the ipsec_skb_mark as 0/1, OVS IPsec prevents
-   all unencrypted tunnel packets leaving the host since the default skb mark
+   all unencrypted tunnel packets leaving the host since the default skb_mark
value for tunnel packets are 0. This affects all OVS tunnels including those
without IPsec being set up. You can install OpenFlow rules to whitelist
-   those non-IPsec tunnels by setting the skb mark of the tunnel traffic as
+   those non-IPsec tunnels by setting the skb_mark of the tunnel traffic as
non-zero value.
 
-3) Setting `ipsec_skb_mark` as 1/1 only filters tunnel packets with skb mark
+3) Setting `ipsec_skb_mark` as 1/1 only drops tunnel packets with skb_mark
value being 1::
 
  $ ovs-vsctl set Open_vSwitch

Re: [ovs-dev] [PATCH v2] rhel: support kmod build against multiple 7.2 kernels, rhel6

2018-08-01 Thread Yi-Hung Wei
On Tue, Jul 31, 2018 at 11:59 PM, Martin Xu  wrote:
> This patch extends commit 89dd5819cf18 (rhel: support kmod-openvswitch
> build against multiple kernels, rhel6) to support building kmod RPMs
> with multiple minor revisions within 3.10.0-327 kernels. It was
> discovered for RHEL 7.2 that 41.3 minor revision introduced backward
> incompatible changes.
>
> VMware-BZ: #2170334
>
> Signed-off-by: Martin Xu 
> CC: Greg Rose 
> CC: Ben Pfaff 
> CC: Flavio Leitner 
> CC: Yi-Hung Wei 
> ---
Thanks for the patch.

>  expected_base_minor="el7"
> -expected_minor=11
> +if [ "$installed_major" = "327" ]; then
> +expected_minor=36
> +kmod_minor_low_ver=22
> +kmod_minor_high_ver=62
> +elif [ "$installed_major" = "693" ]; then
> +expected_minor=11
> +kmod_minor_low_ver=1
> +kmod_minor_high_ver=17

I am wondering if we shall have fixed kmod_minor_low_ver and
kmod_minor_high_ver?

Is it possible to derive these two numbers from kversion for
kmod-openvswitch-rhel6.spec file?

For example, we can assume the following format of kversion

-D 'kversion 3.10.0-327.{kmod_minor_low}.x.el7.x86_64
3.10.0-327.{kmod_minor_high_ver}.x.el7.x86_64"

and we expect kmod_minor_low_ver <= expected_minor and
kmod_minor_high_ver > expected_minor.

Thanks,

-Yi-Hung


Re: [ovs-dev] [PATCH] ovs-vtep: Pass log level arguments to underlying utils.

2018-08-01 Thread Ilya Maximets
On 01.08.2018 18:54, Ilya Maximets wrote:
> Control utils should be called with the same verbose level
> at least to manage output to system logs. For example, to
> disable unwanted syslog messages in unit tests or to enable
> higher debug levels if needed.
> New arguments added before '-vconsole:off' because it's
> still incovinient to have console output.

s/incovinient/inconvenient/

> 
> Signed-off-by: Ilya Maximets 
> ---
> 
> This could be a part of syslog clean up patch-set [1], but it looks
> more like a separate independent feature.
> 
> [1] https://mail.openvswitch.org/pipermail/ovs-dev/2018-August/350425.html
> 
>  vtep/ovs-vtep.in | 7 ++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/vtep/ovs-vtep.in b/vtep/ovs-vtep.in
> index 98748e4..3383870 100755
> --- a/vtep/ovs-vtep.in
> +++ b/vtep/ovs-vtep.in
> @@ -39,6 +39,7 @@ root_prefix = ""
>  
>  __pychecker__ = 'no-reuseattr'  # Remove in pychecker >= 0.8.19.
>  vlog = ovs.vlog.Vlog("ovs-vtep")
> +verbose_args = []
>  exiting = False
>  
>  ps_name = ""
> @@ -53,7 +54,7 @@ bfd_ref = {}
>  
>  
>  def call_prog(prog, args_list):
> -cmd = [prog, "-vconsole:off"] + args_list
> +cmd = [prog] + verbose_args + ["-vconsole:off"] + args_list
>  creationFlags = 0
>  if sys.platform == 'win32':
>  creationFlags = 0x0800  # CREATE_NO_WINDOW
> @@ -728,6 +729,10 @@ def main():
>  global ps_name
>  ps_name = args.ps_name
>  
> +global verbose_args
> +if args.verbose:
> +verbose_args = ['-v' + arg for arg in args.verbose]
> +
>  ovs.daemon.daemonize()
>  
>  ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None)
> 


[ovs-dev] [PATCH] ovs-vtep: Pass log level arguments to underlying utils.

2018-08-01 Thread Ilya Maximets
Control utils should be called with the same verbose level
at least to manage output to system logs. For example, to
disable unwanted syslog messages in unit tests or to enable
higher debug levels if needed.
New arguments added before '-vconsole:off' because it's
still inconvenient to have console output.

Signed-off-by: Ilya Maximets 
---

This could be a part of syslog clean up patch-set [1], but it looks
more like a separate independent feature.

[1] https://mail.openvswitch.org/pipermail/ovs-dev/2018-August/350425.html

 vtep/ovs-vtep.in | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/vtep/ovs-vtep.in b/vtep/ovs-vtep.in
index 98748e4..3383870 100755
--- a/vtep/ovs-vtep.in
+++ b/vtep/ovs-vtep.in
@@ -39,6 +39,7 @@ root_prefix = ""
 
 __pychecker__ = 'no-reuseattr'  # Remove in pychecker >= 0.8.19.
 vlog = ovs.vlog.Vlog("ovs-vtep")
+verbose_args = []
 exiting = False
 
 ps_name = ""
@@ -53,7 +54,7 @@ bfd_ref = {}
 
 
 def call_prog(prog, args_list):
-cmd = [prog, "-vconsole:off"] + args_list
+cmd = [prog] + verbose_args + ["-vconsole:off"] + args_list
 creationFlags = 0
 if sys.platform == 'win32':
 creationFlags = 0x0800  # CREATE_NO_WINDOW
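Review bot: The new `cmd` line in `call_prog` relies on an argument order that nothing in the code records: `verbose_args` has to come before `"-vconsole:off"`, which the commit message gives as the way to keep console output disabled in the child. I would state that above the assignment, for example `# verbose_args first: the trailing -vconsole:off must win over any forwarded console level`. The rest of `call_prog` lies outside the hunk, so how `cmd` is executed is not visible. Since user-supplied strings now reach the child's argv, it is worth confirming that the list is handed to the process API directly and not joined into a shell string.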
@@ -728,6 +729,10 @@ def main():
 global ps_name
 ps_name = args.ps_name
 
+global verbose_args
+if args.verbose:
+verbose_args = ['-v' + arg for arg in args.verbose]
+
 ovs.daemon.daemonize()
 
 ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None)
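Review bot: The comprehension `['-v' + arg for arg in args.verbose]` forwards every verbosity spec given to ovs-vtep unchanged to each utility started through `call_prog`, with no check that the child accepts it. A spec that names a module known only to ovs-vtep would presumably be rejected by the control utilities, and then every `call_prog` invocation would fail at option parsing; the hunk does not show whether that case is handled. Either restrict what is forwarded to destination-wide specs such as `syslog:off`, or state the limitation next to the assignment, e.g. `# forwarded as-is; module names must also be valid for the called utilities`. `main()` starts and ends outside the hunk.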
-- 
2.7.4



[ovs-dev] [PATCH] utilities: don't use a bashism to check that datapath exists

2018-08-01 Thread Timothy Redaelli
The [[ ]] syntax is not supported by, at least, dash, which Debian, Ubuntu and
other Linux distributions may use instead of bash.

This commit uses, instead, a POSIX way that is compatible with any POSIX
shell (bash, dash, busybox sh, etc).

CC: Martin Xu 
Fixes: 9763d17fbd05 ("utilities: check datapath exists before conntrack flush")

Signed-off-by: Timothy Redaelli 
---
 utilities/ovs-lib.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
index d6ef77b6e..c3b76ec94 100644
--- a/utilities/ovs-lib.in
+++ b/utilities/ovs-lib.in
@@ -605,7 +605,7 @@ force_reload_kmod () {
 stop_ovsdb
 start_ovsdb || return 1
 
-if [[ $(ovs-dpctl show) ]]; then
+if [ -n "$(ovs-dpctl show)" ]; then
 action "Flush old conntrack entries" ovs-appctl dpctl/flush-conntrack
 fi
 stop_forwarding
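Review bot: The rewritten test `[ -n "$(ovs-dpctl show)" ]` looks only at standard output, so a failing `ovs-dpctl show` that prints nothing on stdout is indistinguishable from "no datapath" and the conntrack flush is skipped without any message. If stale conntrack entries surviving a module reload matter here, the exit status should be kept apart from the empty-output case. At the least, document the assumption with a comment such as `# empty output is taken to mean no datapath; ovs-dpctl errors also skip the flush`. `force_reload_kmod` starts and ends outside the hunk.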
-- 
2.17.1



Re: [ovs-dev] The “overlay” mode issue while setting up OVS with DPDK

2018-08-01 Thread Sandeep Adapala
Hello Guru,

After much trouble I was finally able to finish the task. Thanks for all
the help.

Here is what I did.


Regards,
Sandeep

On Thu, Jul 26, 2018 at 2:14 PM, Sandeep Adapala  wrote:

> thanks a lot Guru you have been great help let me try this.
>
> On Thu, Jul 26, 2018 at 2:03 PM, Guru Shetty  wrote:
>
>> I have a 2 node vagrant scripts in a private repo that I use to test the
>> Docker integration with OVN here: https://github.com/shett
>> yg/ovn-docker/tree/master/vagrant_overlay
>>
>> I tested this again today with OVS 2.9.2 and the latest docker and it
>> passes my sanity tests. If you have a mac and virtualbox, it should
>> probably be as simple as "vagrant up". Otherwise, you can look
>> at consul-server.sh, consul-client.sh, install-docker.sh
>> and install-ovn.sh on a ubuntu to reproduce the environment.
>>
>> On 26 July 2018 at 10:45, Sandeep Adapala 
>> wrote:
>>
>>> After building the ovs also I get the same error Guru.
>>>
>>>
>>>
>>> On Wed, Jul 25, 2018 at 4:15 PM, Sandeep Adapala <
>>> sandeepadapal...@gmail.com> wrote:
>>>
 After installing openvswitch-switch-dpdk I am getting this error.

 WARN[0041] Unable to locate plugin: openvswitch, retrying in 1s
 WARN[0042] Unable to locate plugin: openvswitch, retrying in 2s
 WARN[0044] Unable to locate plugin: openvswitch, retrying in 4s
 WARN[0048] Unable to locate plugin: openvswitch, retrying in 8s
 ERRO[0056] Handler for POST /v1.27/networks/create returned error: legacy 
 plugin: plugin not found


 On Wed, Jul 25, 2018 at 4:13 PM, Sandeep Adapala <
 sandeepadapal...@gmail.com> wrote:

> Hello Guru,
>
> I am using sudo apt install openvswitch-switch-dpdk as suggested by
> the website. So it installed 2.5.4 by default. Do you want me to build and
> install OVS?
>
> https://software.intel.com/en-us/articles/using-docker-conta
> iners-with-open-vswitch-and-dpdk-on-ubuntu-1710
>
> Regards,
> Sandeep
>
> On Wed, Jul 25, 2018 at 1:28 PM, Guru Shetty  wrote:
>
>> We had talked about using OVS 2.9, right? Are you using that?
>>
>> On 25 July 2018 at 08:51, Sandeep Adapala > > wrote:
>>
>>> Hello Guru,
>>>
>>> I think OVS doesn't like me at all :) every step I am facing a issue.
>>>
>>> this time when I tried to create a docker network on OVS (*sudo
>>> docker network create -d openvswitch --subnet=192.168.22.0/24
>>>  ovs*) it failed and I got this error in
>>> Docker log
>>>
>>> *ERRO[2717] Handler for POST /v1.27/networks/create returned error: 
>>> remote: create_network: lswitch-add Fatal error executing ['ovn-nbctl', 
>>> '--timeout=5', '-vconsole:off', '--db=tcp:192.168.14.33:6642 
>>> ', 'lswitch-add', 
>>> u'6eccad3be08421bb50e97a620c0ffa80e28e9676e8ad18881aeb1a640d7cdd55', 
>>> '--', 'set', 'Logical_Switch', 
>>> u'6eccad3be08421bb50e97a620c0ffa80e28e9676e8ad18881aeb1a640d7cdd55', 
>>> u'external_ids:subnet=192.168.22.0/24 ', 
>>> u'external_ids:gateway_ip=192.168.22.1'] *
>>>
>>>
>>>
>>> Regards,
>>> Sandeep
>>>
>>> On Mon, Jul 23, 2018 at 5:01 PM, Guru Shetty  wrote:
>>>
 Yes.

 On 23 July 2018 at 13:43, Sandeep Adapala <
 sandeepadapal...@gmail.com> wrote:

> So you are saying just do the overlay part in this doc ?
> http://docs.openvswitch.org/en/latest/howto/docker/#the-over
> lay-mode
>
> On Mon, Jul 23, 2018 at 4:35 PM, Guru Shetty  wrote:
>
>> May I suggest that you get OVN working with containers without
>> DPDK first? Once you are confident about what needs to be done for 
>> OVN, you
>> can concentrate more on DPDK.
>>
>> On 23 July 2018 at 13:15, Sandeep Adapala <
>> sandeepadapal...@gmail.com> wrote:
>>
>>> I have configured the grub as
>>>
>>> GRUB_CMDLINE_LINUX_DEFAULT="default_hugepagesz=1G hugepagesz=1G 
>>> hugepages=16 hugepagesz=2M hugepages=2048 iommu=pt intel_iommu=on"
>>>
>>>
>>> I didn't isolate any cores so if I want to use core 2 or 3 what 
>>> will be the dpdk-lcore-mask and pod-cpu-mask?
>>>
>>>
>>> On Mon, Jul 23, 2018 at 4:11 PM, Sandeep Adapala <
>>> sandeepadapal...@gmail.com> wrote:
>>>
 I have tried that already Guru but I got the same error always.
 Let me ask one more question.

 What do I need to configure here?

 sudo ovs-vsctl -no-wait set Open_vSwitch .
 other_config:dpdk-lcore-mask=0xfbe.
 sudo ovs-vsctl -no-wait set Open_vSwitch .
 other_config:dpdk-socket-mem="1024,1024"
 sudo ovs-vsctl set Open_vSwitch . othe

Re: [ovs-dev] [PATCH 5/5] netdev: Clean up class initialization.

2018-08-01 Thread Ian Stokes

On 7/12/2018 10:55 PM, Ben Pfaff wrote:

The macros are hard to read.  This makes it a little more readable.



Thanks for this Ben, one minor comment below.


Signed-off-by: Ben Pfaff 
---
  configure.ac  |   1 +
  lib/netdev-dpdk.c | 235 --
  lib/netdev-dummy.c| 134 
  lib/netdev-linux.c| 340 +++---
  lib/netdev-linux.h|  18 +--
  lib/netdev-provider.h |   2 -
  lib/netdev-vport.c| 223 +++--
  7 files changed, 369 insertions(+), 584 deletions(-)

diff --git a/configure.ac b/configure.ac
index c89c607c7124..66281c4d6811 100644
--- a/configure.ac
+++ b/configure.ac
@@ -172,6 +172,7 @@ OVS_ENABLE_OPTION([-Wduplicated-cond])
  OVS_ENABLE_OPTION([-Qunused-arguments])
  OVS_ENABLE_OPTION([-Wshadow])
  OVS_ENABLE_OPTION([-Wno-null-pointer-arithmetic])
+OVS_ENABLE_OPTION([-Warray-bounds-pointer-arithmetic])
  OVS_CONDITIONAL_CC_OPTION([-Wno-unused], [HAVE_WNO_UNUSED])
  OVS_CONDITIONAL_CC_OPTION([-Wno-unused-parameter], 
[HAVE_WNO_UNUSED_PARAMETER])
  OVS_ENABLE_WERROR
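Review bot: The added `OVS_ENABLE_OPTION([-Warray-bounds-pointer-arithmetic])` is not mentioned in the commit message, which only talks about making the class-initialization macros easier to read. Because `OVS_ENABLE_WERROR` follows in the same list, a new warning class can turn existing code into build failures on compilers that accept the flag, so the reason for enabling it belongs in the description or in a separate commit. A one-line `dnl` comment above the option saying which construct it is meant to catch would also help.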
diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c
index 9bf21856075b..4de4cf116e92 100644
--- a/lib/netdev-dpdk.c
+++ b/lib/netdev-dpdk.c
@@ -4695,161 +4695,86 @@ netdev_dpdk_flow_del(struct netdev *netdev, const 
ovs_u128 *ufid,
  ufid, rte_flow);
  }
  
-#define DPDK_FLOW_OFFLOAD_API \

-NULL,   /* flow_flush */  \
-NULL,   /* flow_dump_create */\
-NULL,   /* flow_dump_destroy */   \
-NULL,   /* flow_dump_next */  \
-netdev_dpdk_flow_put, \
-NULL,   /* flow_get */\
-netdev_dpdk_flow_del, \
-NULL/* init_flow_api */


Not sure if DPDK_FLOW_OFFLOAD_API should be completely removed, as I 
understand it the remaining offload functionality is currently being 
worked on with a view to enable full HW offload so they will be 
re-introduced in the future.


The macro could be moved from here to netdev-dpdk.h and then added to 
the NETDEV_DPDK_CLASS_BASE macro you introduce below (this would be 
similar to what is implemented for netdev-linux, and a more uniform 
approach across the netdevs).


Sugesh, you've been involved in the HW full offload work, do you have an 
opinion on this?


Ian

-
-
-#define NETDEV_DPDK_CLASS(NAME, INIT, CONSTRUCT, DESTRUCT,\
-  SET_CONFIG, SET_TX_MULTIQ, SEND,\
-  GET_CARRIER, GET_STATS,\
-  GET_CUSTOM_STATS,
  \
-  GET_FEATURES, GET_STATUS,   \
-  RECONFIGURE, RXQ_RECV)  \
-{ \
-NAME, \
-true,   /* is_pmd */  \
-INIT,   /* init */\
-NULL,   /* netdev_dpdk_run */ \
-NULL,   /* netdev_dpdk_wait */\
-  \
-netdev_dpdk_alloc,\
-CONSTRUCT,\
-DESTRUCT, \
-netdev_dpdk_dealloc,  \
-netdev_dpdk_get_config,   \
-SET_CONFIG,   \
-NULL,   /* get_tunnel_config */   \
-NULL,   /* build header */\
-NULL,   /* push header */ \
-NULL,   /* pop header */  \
-netdev_dpdk_get_numa_id,/* get_numa_id */ \
-SET_TX_MULTIQ,\
-  \
-SEND,   /* send */\
-NULL,   /* send_wait */   \
-  \
-netdev_dpdk_set_etheraddr,\
-netdev_dpdk_get_etheraddr,\
-netdev_dpdk_get_mtu,  \
-netdev_dpdk_set_mtu,  \
-netdev_dpdk_get_ifindex,  \
-GET_CARRIER,  \
-netdev_dpdk_get_carrier_resets,   \
-netdev_dpdk_set_miimon, 

[ovs-dev] [PATCH v2 9/9] tests: Disable syslog for ovsdb-tool.

2018-08-01 Thread Ilya Maximets
This is the only place where ovsdb-tool produces some logs.
Also, it does not support the '--timeout' option, thus we can't
just add it to the utils list. Let's add the syslog option in place.

Signed-off-by: Ilya Maximets 
---
 tests/ovsdb-cluster.at | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/ovsdb-cluster.at b/tests/ovsdb-cluster.at
index c0bf53b..b2c8b6d 100644
--- a/tests/ovsdb-cluster.at
+++ b/tests/ovsdb-cluster.at
@@ -72,7 +72,7 @@ ovsdb_torture_test () {
 local variant=$3# 'kill' and restart or 'remove' and add
 cp $top_srcdir/ovn/ovn-sb.ovsschema schema
 schema=`ovsdb-tool schema-name schema`
-AT_CHECK([ovsdb-tool '-vPATTERN:console:%c|%p|%m' create-cluster s1.db 
schema unix:s1.raft], [0], [], [dnl
+AT_CHECK([ovsdb-tool '-vPATTERN:console:%c|%p|%m' -vsyslog:off 
create-cluster s1.db schema unix:s1.raft], [0], [], [dnl
 ovsdb|WARN|schema: changed 2 columns in 'OVN_Southbound' database from 
ephemeral to persistent, including 'status' column in 'Connection' table, 
because clusters do not support ephemeral columns
 ])
 
-- 
2.7.4



[ovs-dev] [PATCH v2 8/9] tests: Reorder logging args for ovn-sbctl in a subshell.

2018-08-01 Thread Ilya Maximets
'--log-file' should go after '-v' arguments to avoid unwanted
'opened log file' messages.
Execution is in a subshell and not covered by aliases.

Signed-off-by: Ilya Maximets 
---
 tests/ovsdb-cluster.at | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/ovsdb-cluster.at b/tests/ovsdb-cluster.at
index 1c41491..c0bf53b 100644
--- a/tests/ovsdb-cluster.at
+++ b/tests/ovsdb-cluster.at
@@ -136,7 +136,11 @@ ovsdb|WARN|schema: changed 2 columns in 'OVN_Southbound' 
database from ephemeral
 for i in $(seq 0 $(expr $n1 - 1) ); do
 (for j in $(seq $n2); do
  : > $i-$j.running
- run_as "ovn-sbctl($i-$j)" ovn-sbctl 
"-vPATTERN:console:ovn-sbctl($i-$j)|%D{%H:%M:%S}|%05N|%c|%p|%m" 
--log-file=$i-$j.log -vfile -vsyslog:off -vtimeval:off --timeout=120 
--no-leader-only add SB_Global . external_ids $i-$j=$i-$j
+ run_as "ovn-sbctl($i-$j)" \
+ovn-sbctl 
"-vPATTERN:console:ovn-sbctl($i-$j)|%D{%H:%M:%S}|%05N|%c|%p|%m" \
+-vfile -vsyslog:off -vtimeval:off --log-file=$i-$j.log \
+--timeout=120 --no-leader-only \
+add SB_Global . external_ids $i-$j=$i-$j
  status=$?
  if test $status != 0; then
  echo "$i-$j exited with status $status" > $i-$j:$status
-- 
2.7.4



[ovs-dev] [PATCH v2 7/9] tests: Disable syslog for test utils.

2018-08-01 Thread Ilya Maximets
This disables syslog logging for:
* ovs-testcontroller
* test-netflow
* test-ovsdb
* test-sflow
* test-unixctl (for cases where it's not needed)

Signed-off-by: Ilya Maximets 
---
 tests/bridge.at   |  3 ++-
 tests/ofproto-dpif.at | 32 
 tests/ovsdb-idl.at| 29 +
 tests/ovsdb.at|  2 +-
 tests/vlog.at | 11 +++
 5 files changed, 55 insertions(+), 22 deletions(-)

diff --git a/tests/bridge.at b/tests/bridge.at
index 1c36185..35fed02 100644
--- a/tests/bridge.at
+++ b/tests/bridge.at
@@ -48,7 +48,8 @@ OVS_VSWITCHD_START(
 set bridge br1 datapath-type=dummy other-config:datapath-id=1234 ])
 
 dnl Start ovs-testcontroller
-AT_CHECK([ovs-testcontroller --detach punix:controller --pidfile], [0], 
[ignore])
+AT_CHECK([ovs-testcontroller -vsyslog:off --detach punix:controller --pidfile],
+ [0], [ignore])
 on_exit 'kill `cat ovs-testcontroller.pid`'
 OVS_WAIT_UNTIL([test -e controller])
 
diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
index f0fca22..dd38d24 100644
--- a/tests/ofproto-dpif.at
+++ b/tests/ofproto-dpif.at
@@ -5991,7 +5991,9 @@ m4_define([CHECK_SFLOW_SAMPLING_PACKET],
   OVS_VSWITCHD_START([set Bridge br0 fail-mode=standalone])
 
   on_exit 'kill `cat test-sflow.pid`'
-  AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 0:$1 > 
sflow.log], [0], [], [ignore])
+  AT_CHECK([ovstest test-sflow -vsyslog:off --log-file \
+   --detach --no-chdir --pidfile 0:$1 > sflow.log],
+   [0], [], [ignore])
   AT_CAPTURE_FILE([sflow.log])
   PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
   ovs-appctl time/stop
@@ -6542,7 +6544,9 @@ OVS_VSWITCHD_START([dnl
 other_config:lacp-aggregation-key= ])
 
 on_exit 'kill `cat test-sflow.pid`'
-AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 
0:127.0.0.1 > sflow.log], [0], [], [ignore])
+AT_CHECK([ovstest test-sflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:127.0.0.1 > sflow.log],
+ [0], [], [ignore])
 AT_CAPTURE_FILE([sflow.log])
 PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
 
@@ -6586,7 +6590,9 @@ AT_XFAIL_IF([test "$IS_WIN32" = "yes"])
 OVS_VSWITCHD_START([set Bridge br0 fail-mode=standalone])
 
 dnl set up sFlow logging
-AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 
0:127.0.0.1 > sflow.log], [0], [], [ignore])
+AT_CHECK([ovstest test-sflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:127.0.0.1 > sflow.log],
+ [0], [], [ignore])
 AT_CAPTURE_FILE([sflow.log])
 PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
 ovs-appctl time/stop
@@ -6656,7 +6662,9 @@ AT_XFAIL_IF([test "$IS_WIN32" = "yes"])
 OVS_VSWITCHD_START([add-port br0 p0 -- set Interface p0 type=dummy 
ofport_request=1 options:ifindex=1010])
 
 dnl set up sFlow logging
-AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 
0:127.0.0.1 > sflow.log], [0], [], [ignore])
+AT_CHECK([ovstest test-sflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:127.0.0.1 > sflow.log],
+ [0], [], [ignore])
 AT_CAPTURE_FILE([sflow.log])
 PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
 ovs-appctl time/stop
@@ -6764,7 +6772,9 @@ table=0 dl_src=50:54:00:00:00:0b actions=pop_mpls:0x0800,2
 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 
 dnl set up sFlow logging
-AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 
0:127.0.0.1 > sflow.log], [0], [], [ignore])
+AT_CHECK([ovstest test-sflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:127.0.0.1 > sflow.log],
+ [0], [], [ignore])
 AT_CAPTURE_FILE([sflow.log])
 PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
 ovs-appctl time/stop
@@ -6858,7 +6868,9 @@ m4_define([CHECK_NETFLOW_EXPIRATION],
 
   ovs-appctl time/stop
   on_exit 'kill `cat test-netflow.pid`'
-  AT_CHECK([ovstest test-netflow --log-file --detach --no-chdir --pidfile 0:$1 
> netflow.log], [0], [], [ignore])
+  AT_CHECK([ovstest test-netflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:$1 > netflow.log],
+   [0], [], [ignore])
   AT_CAPTURE_FILE([netflow.log])
   PARSE_LISTENING_PORT([test-netflow.log], [NETFLOW_PORT])
 
@@ -6905,7 +6917,9 @@ m4_define([CHECK_NETFLOW_ACTIVE_EXPIRATION],
   add_of_ports br0 1 2
 
   on_exit 'kill `cat test-netflow.pid`'
-  AT_CHECK([ovstest test-netflow --log-file --detach --no-chdir --pidfile 0:$1 
> netflow.log], [0], [], [ignore])
+  AT_CHECK([ovstest test-netflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:$1 > netflow.log],
+   [0], [], [ignore])
   AT_CAPTURE_FILE([netflow.log])
   PARSE_LISTENING_PORT([test-netflow.log], [NETFLOW_PORT])
 
@@ -8195,7 +8209

[ovs-dev] [PATCH v2 6/9] tests: Drop full logging for ovs-ofctl.

2018-08-01 Thread Ilya Maximets
'-v' option removed. Found no reason to have fully verbose
output from these ovs-ofctl calls.

Signed-off-by: Ilya Maximets 
---
 tests/ofproto.at | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/tests/ofproto.at b/tests/ofproto.at
index d6c6e9a..f57c15b 100644
--- a/tests/ofproto.at
+++ b/tests/ofproto.at
@@ -3291,14 +3291,14 @@ check_async () {
 : > expout
 
 # OFPT_PACKET_IN, OFPR_ACTION (controller_id=0)
-ovs-ofctl -v packet-out br0 controller controller 
'0001020304050010203040501234'
+ovs-ofctl packet-out br0 controller controller 
'0001020304050010203040501234'
 if test X"$1" = X"OFPR_ACTION"; then shift;
 echo >>expout "OFPT_PACKET_IN: total_len=14 in_port=CONTROLLER (via 
action) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
 fi
 
 # OFPT_PACKET_IN, OFPR_NO_MATCH (controller_id=123)
-ovs-ofctl -v packet-out br0 controller 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
+ovs-ofctl packet-out br0 controller 'controller(reason=no_match,id=123)' 
'0001020304050010203040501234'
 if test X"$1" = X"OFPR_NO_MATCH"; then shift;
 echo >>expout "OFPT_PACKET_IN: total_len=14 in_port=CONTROLLER (via 
no_match) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
@@ -3394,14 +3394,14 @@ check_async () {
 : > expout
 
 # OFPT_PACKET_IN, OFPR_ACTION (controller_id=0)
-ovs-ofctl -O OpenFlow12 -v packet-out br0 none controller 
'0001020304050010203040501234'
+ovs-ofctl -O OpenFlow12 packet-out br0 none controller 
'0001020304050010203040501234'
 if test X"$1" = X"OFPR_ACTION"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.2): total_len=14 in_port=ANY (via 
action) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
 fi
 
 # OFPT_PACKET_IN, OFPR_NO_MATCH (controller_id=123)
-ovs-ofctl -O OpenFlow12 -v packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
+ovs-ofctl -O OpenFlow12 packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
 if test X"$1" = X"OFPR_NO_MATCH"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.2): total_len=14 in_port=ANY (via 
no_match) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
@@ -3500,7 +3500,7 @@ check_async () {
 
 # OFPT_PACKET_IN, OFPR_ACTION (controller_id=0)
 # OFPR_ACTION_SET is treated as OFPR_ACTION in OpenFlow 1.3
-ovs-ofctl -O OpenFlow13 -v packet-out br0 none controller 
'0001020304050010203040501234'
+ovs-ofctl -O OpenFlow13 packet-out br0 none controller 
'0001020304050010203040501234'
 ovs-ofctl -O OpenFlow13 add-flow br0 'in_port=10 
actions=write_actions(output(CONTROLLER))'
 ovs-appctl netdev-dummy/receive p1 
'in_port(10),eth(src=00:10:20:30:40:50,dst=00:01:02:03:04:05),eth_type(0x1234)'
 if test X"$1" = X"OFPR_ACTION"; then shift;
@@ -3511,7 +3511,7 @@ 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234
 fi
 
 # OFPT_PACKET_IN, OFPR_NO_MATCH (controller_id=123)
-ovs-ofctl -O OpenFlow13 -v packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
+ovs-ofctl -O OpenFlow13 packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
 if test X"$1" = X"OFPR_NO_MATCH"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.3): total_len=14 in_port=ANY (via 
no_match) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
@@ -3614,7 +3614,7 @@ check_async () {
 : > expout
 
 # OFPT_PACKET_IN, OFPR_PACKET_OUT (controller_id=0)
-ovs-ofctl -O OpenFlow14 -v packet-out br0 none controller 
'0001020304050010203040501234'
+ovs-ofctl -O OpenFlow14 packet-out br0 none controller 
'0001020304050010203040501234'
 if test X"$1" = X"OFPR_PACKET_OUT"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.4): total_len=14 in_port=ANY (via 
packet_out) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
@@ -3629,7 +3629,7 @@ 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234
 fi
 
 # OFPT_PACKET_IN, OFPR_NO_MATCH (controller_id=123)
-ovs-ofctl -O OpenFlow14 -v packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
+ovs-ofctl -O OpenFlow14 packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
 if test X"$1" = X"OFPR_NO_MATCH"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.4): total_len=14 in_port=ANY (via 
no_match) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
-- 
2

[ovs-dev] [PATCH v2 5/9] tests: Enable only file logging by vlog/set appctl.

2018-08-01 Thread Ilya Maximets
Logs enabled by 'appctl vlog/set' are commonly only used for
'check_logs' at the end of the test. No need to enable any
other logs except for file.

Patch made automatically by sed replace.

Signed-off-by: Ilya Maximets 
---
 tests/dpif-netdev.at  |  10 ++--
 tests/learn.at|   6 +--
 tests/mpls-xlate.at   |   4 +-
 tests/ofproto-dpif.at | 106 +-
 tests/ofproto.at  |   4 +-
 tests/ovs-ofctl.at|   4 +-
 tests/pmd.at  |  20 
 tests/stp.at  |   6 +--
 tests/system-traffic.at   |   4 +-
 tests/tunnel-push-pop-ipv6.at |   2 +-
 tests/tunnel-push-pop.at  |   2 +-
 11 files changed, 84 insertions(+), 84 deletions(-)

diff --git a/tests/dpif-netdev.at b/tests/dpif-netdev.at
index fff395d..d850350 100644
--- a/tests/dpif-netdev.at
+++ b/tests/dpif-netdev.at
@@ -50,7 +50,7 @@ m4_divert_pop([PREPARE_TESTS])
 AT_SETUP([dpif-netdev - netdev-dummy/receive])
 # Create br0 with interfaces p0
 OVS_VSWITCHD_START([add-port br0 p1 -- set interface p1 type=dummy 
ofport_request=1 -- ])
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
 AT_CHECK([ovs-ofctl add-flow br0 action=normal])
 ovs-appctl time/stop
@@ -83,7 +83,7 @@ m4_define([DPIF_NETDEV_DUMMY_IFACE],
   add-port br1 p2 -- set interface p2 type=$1 
options:stream=unix:$OVS_RUNDIR/p0.sock ofport_request=2 -- \
   add-port br1 p8 -- set interface p8 ofport_request=8 type=$1 --], [], [],
   [m4_if([$1], [dummy-pmd], [--dummy-numa="0,0,0,0,1,1,1,1"], [])])
-   AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+   AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
AT_CHECK([ovs-ofctl add-flow br0 action=normal])
AT_CHECK([ovs-ofctl add-flow br1 action=normal])
@@ -113,7 +113,7 @@ m4_define([DPIF_NETDEV_MISS_FLOW_INSTALL],
  [add-port br0 p1 -- set interface p1 type=$1 
options:pstream=punix:$OVS_RUNDIR/p0.sock
   set bridge br0 datapath-type=dummy other-config:datapath-id=1234 
fail-mode=secure], [], [],
   [m4_if([$1], [dummy-pmd], [--dummy-numa="0,0,0,0,1,1,1,1"], [])])
-   AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+   AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
AT_CHECK([ovs-ofctl add-flow br0 action=normal])
AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
@@ -155,7 +155,7 @@ m4_define([DPIF_NETDEV_MISS_FLOW_DUMP],
   [m4_if([$1], [dummy-pmd], [--dummy-numa="0,0,0,0,1,1,1,1"], [])])
AT_CHECK([ovs-appctl upcall/disable-ufid], [0], [Datapath dumping tersely 
using UFID disabled
 ], [])
-   AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+   AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
AT_CHECK([ovs-ofctl add-flow br0 action=normal])
AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
@@ -203,7 +203,7 @@ OVS_VSWITCHD_START(
   fail-mode=secure -- \
add-port br1 p2 -- set interface p2 type=dummy 
options:stream=unix:$OVS_RUNDIR/p0.sock ofport_request=2 -- \
add-port br1 p8 -- set interface p8 ofport_request=8 type=dummy --])
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
 AT_CHECK([ovs-ofctl -O OpenFlow13 add-meter br0 'meter=1 pktps burst stats 
bands=type=drop rate=1 burst_size=1'])
 AT_CHECK([ovs-ofctl -O OpenFlow13 add-meter br0 'meter=2 kbps burst stats 
bands=type=drop rate=1 burst_size=2'])
diff --git a/tests/learn.at b/tests/learn.at
index 5f1d6df..ab38d8a 100644
--- a/tests/learn.at
+++ b/tests/learn.at
@@ -665,7 +665,7 @@ AT_CLEANUP
 
 AT_SETUP([learning action - limit])
 OVS_VSWITCHD_START
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 add_of_ports br0 1 2
 AT_DATA([flows.txt], [dnl
 table=0 in_port=1 actions=learn(table=1,dl_dst=dl_src,cookie=0x1,limit=1),2
@@ -704,7 +704,7 @@ AT_CLEANUP
 
 AT_SETUP([learning action - limit result_dst])
 OVS_VSWITCHD_START
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 add_of_ports br0 1
 AT_DATA([flows.txt], [dnl
 table=0 in_port=1 
actions=learn(table=1,dl_dst=dl_src,cookie=0x1,limit=1,result_dst=reg0[[0]]),controller
@@ -737,7 +737,7 @@ AT_CLEANUP
 
 AT_SETUP([learning action - different limits])
 OVS_VSWITCHD_START
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:d

[ovs-dev] [PATCH v2 4/9] tests: Disable syslog for daemons.

2018-08-01 Thread Ilya Maximets
We can not just make an alias for daemons because many of them
have logging options in their command lines.
Let's handle them one by one. Additionally, it's a good chance
to wrap all the very long lines for better readability.

Signed-off-by: Ilya Maximets 
---
 tests/ofproto-macros.at  |  10 +-
 tests/ovn-controller-vtep.at |  35 +--
 tests/ovn-nbctl.at   |   4 +-
 tests/ovn-sbctl.at   |  19 +++-
 tests/ovs-vsctl.at   |  21 +++-
 tests/ovs-vswitchd.at|  17 +++-
 tests/ovsdb-idl.at   |   8 +-
 tests/ovsdb-lock.at  |   6 +-
 tests/ovsdb-monitor.at   |  23 -
 tests/ovsdb-rbac.at  |   3 +-
 tests/ovsdb-server.at| 227 ---
 tests/vlog.at|   4 +-
 tests/vtep-ctl.at|   4 +-
 13 files changed, 291 insertions(+), 90 deletions(-)

diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index a4bcc41..b95b7d2 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -54,7 +54,7 @@ m4_define([PARSE_LISTENING_PORT],
 [OVS_WAIT_UNTIL([$2=`sed -n 's/.*0:.*: listening on port 
\([[0-9]]*\)$/\1/p' "$1"` && test X != X"[$]$2"])])
 
 start_daemon () {
-"$@" -vconsole:off --detach --no-chdir --pidfile --log-file
+"$@" -vconsole:off -vsyslog:off --detach --no-chdir --pidfile --log-file
 pidfile="$OVS_RUNDIR"/$1.pid
 on_exit "test -e \"$pidfile\" && kill \`cat \"$pidfile\"\`"
 }
@@ -335,7 +335,9 @@ m4_define([_OVS_VSWITCHD_START],
AT_CHECK([ovsdb-tool create conf.db 
$abs_top_srcdir/vswitchd/vswitch.ovsschema])
 
dnl Start ovsdb-server.
-   AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file 
--remote=punix:$OVS_RUNDIR/db.sock], [0], [], [stderr])
+   AT_CHECK([ovsdb-server -vsyslog:off --detach --no-chdir --pidfile \
+  --log-file --remote=punix:$OVS_RUNDIR/db.sock],
+[0], [], [stderr])
on_exit "kill `cat ovsdb-server.pid`"
AT_CHECK([[sed < stderr '
 /vlog|INFO|opened log file/d
@@ -346,7 +348,9 @@ m4_define([_OVS_VSWITCHD_START],
AT_CHECK([ovs-vsctl --no-wait init $2])
 
dnl Start ovs-vswitchd.
-   AT_CHECK([ovs-vswitchd $1 --detach --no-chdir --pidfile --log-file -vvconn 
-vofproto_dpif -vunixctl], [0], [], [stderr])
+   AT_CHECK([ovs-vswitchd $1 -vvconn -vofproto_dpif -vunixctl -vsyslog:off \
+ --detach --no-chdir --pidfile --log-file],
+[0], [], [stderr])
AT_CAPTURE_FILE([ovs-vswitchd.log])
on_exit "kill_ovs_vswitchd `cat ovs-vswitchd.pid`"
AT_CHECK([[sed < stderr '
diff --git a/tests/ovn-controller-vtep.at b/tests/ovn-controller-vtep.at
index 416e954..e4f93a8 100644
--- a/tests/ovn-controller-vtep.at
+++ b/tests/ovn-controller-vtep.at
@@ -24,9 +24,21 @@ m4_define([OVN_CONTROLLER_VTEP_START],
done
 
dnl Start ovsdb-server.
-   AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file 
--remote=punix:$OVS_RUNDIR/db.sock vswitchd.db vtep.db], [0], [], [stderr])
-   AT_CHECK([ovsdb-server --detach --no-chdir --pidfile=ovsdb-nb-server.pid 
--log-file=ovsdb-nb-server.log --remote=punix:$OVS_RUNDIR/ovnnb_db.sock 
ovn-nb.db], [0], [], [stderr])
-   AT_CHECK([ovsdb-server --detach --no-chdir --pidfile=ovsdb-sb-server.pid 
--log-file=ovsdb-sb-server.log --remote=punix:$OVS_RUNDIR/ovnsb_db.sock 
ovn-sb.db ovn-sb.db], [0], [], [stderr])
+   AT_CHECK([ovsdb-server -vsyslog:off --detach --no-chdir \
+  --pidfile --log-file \
+  --remote=punix:$OVS_RUNDIR/db.sock vswitchd.db 
vtep.db],
+[0], [], [stderr])
+   AT_CHECK([ovsdb-server -vsyslog:off --detach --no-chdir \
+  --pidfile=ovsdb-nb-server.pid\
+  --log-file=ovsdb-nb-server.log   \
+  --remote=punix:$OVS_RUNDIR/ovnnb_db.sock ovn-nb.db],
+[0], [], [stderr])
+   AT_CHECK([ovsdb-server -vsyslog:off --detach --no-chdir \
+  --pidfile=ovsdb-sb-server.pid\
+  --log-file=ovsdb-sb-server.log   \
+  --remote=punix:$OVS_RUNDIR/ovnsb_db.sock \
+  ovn-sb.db ovn-sb.db],
+[0], [], [stderr])
on_exit "kill `cat ovsdb-server.pid` `cat ovsdb-nb-server.pid` `cat 
ovsdb-sb-server.pid`"
AT_CHECK([[sed < stderr '
 /vlog|INFO|opened log file/d
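Review bot: The third `ovsdb-server` invocation still ends with `ovn-sb.db ovn-sb.db`, naming the same database file twice; the rewrap carries this over unchanged from the removed line. It looks like an accidental duplicate rather than an intended argument, so since the command is being rewritten anyway it is worth confirming and reducing it to a single `ovn-sb.db`. The OVN_CONTROLLER_VTEP_START macro begins and ends outside this hunk.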
@@ -34,7 +46,10 @@ m4_define([OVN_CONTROLLER_VTEP_START],
AT_CAPTURE_FILE([ovsdb-server.log])
 
dnl Start ovs-vswitchd.
-   AT_CHECK([ovs-vswitchd --enable-dummy=system --disable-system --detach 
--no-chdir --pidfile --log-file -vvconn -vofproto_dpif], [0], [], [stderr])
+   AT_CHECK([ovs-vswitchd -vvconn -vofproto_dpif -vsyslog:off   \
+  --enable-dummy=system --disable-system\
+  --detach --no-chdir --pidfile --log-file],
+[0], [], [

[ovs-dev] [PATCH v2 3/9] tests: Disable syslog by default for control utils.

2018-08-01 Thread Ilya Maximets
syslog messages from unit tests are not useful and only litter the
system logs on build / test machines.

Signed-off-by: Ilya Maximets 
---
 tests/ofproto-macros.at | 2 +-
 tests/ovs-macros.at | 6 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index 96219cd..a4bcc41 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -112,7 +112,7 @@ as() {
  cmd=$1; shift;
  for util in $OVS_UTILS_LIST; do
  if test "X$util" == "X$cmd"; then
- $cmd --timeout=$OVS_TIMEOUT "$@"
+ $cmd $OVS_UTILS_DEFAULT_OPTIONS "$@"
  exit "$?"
  fi
  done
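Review bot: The unquoted `$OVS_UTILS_DEFAULT_OPTIONS` on the added line depends on field splitting to turn the string into separate options, which a well-meant quoting cleanup could easily break. A short comment above it, e.g. `# Intentionally unquoted: must split into separate options.`, would document that. The `as()` function starts and ends outside this hunk.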
diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at
index e3365b6..e654259 100644
--- a/tests/ovs-macros.at
+++ b/tests/ovs-macros.at
@@ -114,7 +114,7 @@ if test "$IS_WIN32" = "yes"; then
 }
 fi
 
-# Try to add a default timeout for the following control utilities:
+# Try to add a default options for the following control utilities:
 # - ovs-vsctl
 # - ovs-ofctl
 # - ovs-appctl
@@ -123,11 +123,13 @@ fi
 # - vtep-ctl
 # Set default timeout for 30 seconds.
 # This should be sufficient on all platforms.
+# Disable unwanted logging to syslog.
 OVS_TIMEOUT=30
+OVS_UTILS_DEFAULT_OPTIONS="-vsyslog:off --timeout=$OVS_TIMEOUT"
 OVS_UTILS_LIST="ovs-vsctl ovs-ofctl ovs-appctl ovn-sbctl ovn-nbctl
 vtep-ctl ovsdb-client"
 for util in $OVS_UTILS_LIST; do
-alias $util="$util --timeout=$OVS_TIMEOUT" >/dev/null 2>&1
+alias $util="$util $OVS_UTILS_DEFAULT_OPTIONS" >/dev/null 2>&1
 done
 
 # parent_pid PID
-- 
2.7.4



[ovs-dev] [PATCH v2 2/9] tests: Set default timeout for utils in subshell.

2018-08-01 Thread Ilya Maximets
Aliases are not inheritable. To add default options for utils
executed in a subshell we may try to catch them here and append
the options explicitly.

There are still few cases with utils invocation in subshell inside
the functions that we can not track this way, but they are not
very frequent.

Signed-off-by: Ilya Maximets 
---
 tests/ofproto-macros.at | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index 2a56ae6..96219cd 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -107,7 +107,17 @@ sim_add () {
 # there.
 as() {
 if test "X$2" != X; then
-(ovs_setenv $1; shift; "$@")
+(
+ ovs_setenv $1; shift;
+ cmd=$1; shift;
+ for util in $OVS_UTILS_LIST; do
+ if test "X$util" == "X$cmd"; then
+ $cmd --timeout=$OVS_TIMEOUT "$@"
+ exit "$?"
+ fi
+ done
+ $cmd "$@"
+)
 else
 ovs_setenv $1
 fi
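Review bot: The added comparison `test "X$util" == "X$cmd"` uses `==`, which POSIX `test` does not define. If the testsuite runs under a shell that rejects it (dash does), the loop never matches and the command falls through to the plain `$cmd "$@"`, silently without the timeout. The portable form is `if test "X$util" = "X$cmd"; then`. The same line is carried as context into the `as()` hunk of patch 3/9, and the body of `as()` continues outside this hunk.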
-- 
2.7.4



[ovs-dev] [PATCH v2 1/9] tests: Simplify the setting of aliases.

2018-08-01 Thread Ilya Maximets
There is no need to create a separate function for each alias.
This will simplify adding new default options and utils.

Signed-off-by: Ilya Maximets 
---
 tests/ovs-macros.at | 35 +--
 1 file changed, 5 insertions(+), 30 deletions(-)

diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at
index 677eea7..e3365b6 100644
--- a/tests/ovs-macros.at
+++ b/tests/ovs-macros.at
@@ -124,36 +124,11 @@ fi
 # Set default timeout for 30 seconds.
 # This should be sufficient on all platforms.
 OVS_TIMEOUT=30
-alias ovs-vsctl='OVS_VSCTL_TIMEOUT' >/dev/null 2>&1
-if [ $? -eq 0 ]; then
-OVS_VSCTL_TIMEOUT () {
-command ovs-vsctl --timeout=$OVS_TIMEOUT "$@"
-}
-alias ovs-ofctl='OVS_OFCTL_TIMEOUT'
-alias ovs-appctl='OVS_APPCTL_TIMEOUT'
-alias ovn-sbctl='OVS_SBCTL_TIMEOUT'
-alias ovn-nbctl='OVN_NBCTL_TIMEOUT'
-alias vtep-ctl='VTEP_CTL_TIMEOUT'
-alias ovsdb-client='OVSDB_CLIENT_TIMEOUT'
-OVS_OFCTL_TIMEOUT () {
-command ovs-ofctl --timeout=$OVS_TIMEOUT "$@"
-}
-OVS_APPCTL_TIMEOUT () {
-command ovs-appctl --timeout=$OVS_TIMEOUT "$@"
-}
-OVS_SBCTL_TIMEOUT () {
-command ovn-sbctl --timeout=$OVS_TIMEOUT "$@"
-}
-OVN_NBCTL_TIMEOUT () {
-command ovn-nbctl --timeout=$OVS_TIMEOUT "$@"
-}
-VTEP_CTL_TIMEOUT () {
-command vtep-ctl --timeout=$OVS_TIMEOUT "$@"
-}
-OVSDB_CLIENT_TIMEOUT () {
-command ovsdb-client --timeout=$OVS_TIMEOUT "$@"
-}
-fi
+OVS_UTILS_LIST="ovs-vsctl ovs-ofctl ovs-appctl ovn-sbctl ovn-nbctl
+vtep-ctl ovsdb-client"
+for util in $OVS_UTILS_LIST; do
+alias $util="$util --timeout=$OVS_TIMEOUT" >/dev/null 2>&1
+done
 
 # parent_pid PID
 #
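Review bot: The new `alias $util="$util --timeout=$OVS_TIMEOUT"` expands `$OVS_TIMEOUT` once, when the alias is defined, whereas the removed wrapper functions read it on every call. If any test adjusts `OVS_TIMEOUT` after this point (not visible here), the aliased utilities would keep using 30. Either defer the expansion with `alias $util="$util --timeout=\$OVS_TIMEOUT"`, or add a comment such as `# The timeout is fixed at alias definition time.` above the loop. The `OVS_UTILS_DEFAULT_OPTIONS` assignment in patch 3/9 fixes the value in the same way.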
-- 
2.7.4



[ovs-dev] [PATCH v2 0/9] tests: Clean up syslog.

2018-08-01 Thread Ilya Maximets
Each run of the testsuite produces millions lines in a system
log. This is completely unnecessary and makes it difficult to
use system logs on test / build servers.

This series is aimed to disable most of the syslog messages.
There are still few logs that requires significant changes in
tests or code to disable. They will be removed separately if
needed.

Some testing results:
  OS : RHEL 7.5
  CPU: Xeon E5 v4 2.6GHz
  Cmd: make check TESTSUITEFLAGS='-j20'

  Without patches:
  * 3.350.097 Lines of logs in journalctl
  * Execution time: 11 minutes
  * journald eats 100% of one cpu core.

  With patch-set applied:
  * 226 Lines of logs in journalctl
  * Execution time: 2.5 minutes

So, in addition to clean logs, this patch-set significantly
speeds up the testsuite execution in parralel builds (more
than 4 times! in my case).

Side effects:
  * default timeout applied to control utils in a subshell.
  * tests refactored to be more readable.
  * testsuite execution speed up.

Version 2:
  * Fixed accidentially missed '--timeout' in patches 1 and 2. [Aaron]

Ilya Maximets (9):
  tests: Simplify the setting of aliases.
  tests: Set default timeout for utils in subshell.
  tests: Disable syslog by default for control utils.
  tests: Disable syslog for daemons.
  tests: Enable only file logging by vlog/set appctl.
  tests: Drop full logging for ovs-ofctl.
  tests: Disable syslog for test utils.
  tests: Reorder logging args for ovn-sbctl in a subshell.
  tests: Disable syslog for ovsdb-tool.

 tests/bridge.at   |   3 +-
 tests/dpif-netdev.at  |  10 +-
 tests/learn.at|   6 +-
 tests/mpls-xlate.at   |   4 +-
 tests/ofproto-dpif.at | 138 +
 tests/ofproto-macros.at   |  22 +++-
 tests/ofproto.at  |  20 ++--
 tests/ovn-controller-vtep.at  |  35 +--
 tests/ovn-nbctl.at|   4 +-
 tests/ovn-sbctl.at|  19 +++-
 tests/ovs-macros.at   |  39 ++--
 tests/ovs-ofctl.at|   4 +-
 tests/ovs-vsctl.at|  21 +++-
 tests/ovs-vswitchd.at |  17 +++-
 tests/ovsdb-cluster.at|   8 +-
 tests/ovsdb-idl.at|  37 +--
 tests/ovsdb-lock.at   |   6 +-
 tests/ovsdb-monitor.at|  23 -
 tests/ovsdb-rbac.at   |   3 +-
 tests/ovsdb-server.at | 227 --
 tests/ovsdb.at|   2 +-
 tests/pmd.at  |  20 ++--
 tests/stp.at  |   6 +-
 tests/system-traffic.at   |   4 +-
 tests/tunnel-push-pop-ipv6.at |   2 +-
 tests/tunnel-push-pop.at  |   2 +-
 tests/vlog.at |  15 +--
 tests/vtep-ctl.at |   4 +-
 28 files changed, 463 insertions(+), 238 deletions(-)

-- 
2.7.4



Re: [ovs-dev] [PATCH 1/9] tests: Simplify the setting of aliases.

2018-08-01 Thread Ilya Maximets
On 01.08.2018 16:34, Aaron Conole wrote:
> Hi Ilya,
> 
> Ilya Maximets  writes:
> 
>> There is no need to create a separate function for each alias.
>> This will simplify adding new default options and utils.
>>
>> Signed-off-by: Ilya Maximets 
>> ---
>>  tests/ovs-macros.at | 35 +--
>>  1 file changed, 5 insertions(+), 30 deletions(-)
>>
>> diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at
>> index 677eea7..e3365b6 100644
>> --- a/tests/ovs-macros.at
>> +++ b/tests/ovs-macros.at
>> @@ -124,36 +124,11 @@ fi
>>  # Set default timeout for 30 seconds.
>>  # This should be sufficient on all platforms.
>>  OVS_TIMEOUT=30
>> -alias ovs-vsctl='OVS_VSCTL_TIMEOUT' >/dev/null 2>&1
>> -if [ $? -eq 0 ]; then
>> -OVS_VSCTL_TIMEOUT () {
>> -command ovs-vsctl --timeout=$OVS_TIMEOUT "$@"
>> -}
>> -alias ovs-ofctl='OVS_OFCTL_TIMEOUT'
>> -alias ovs-appctl='OVS_APPCTL_TIMEOUT'
>> -alias ovn-sbctl='OVS_SBCTL_TIMEOUT'
>> -alias ovn-nbctl='OVN_NBCTL_TIMEOUT'
>> -alias vtep-ctl='VTEP_CTL_TIMEOUT'
>> -alias ovsdb-client='OVSDB_CLIENT_TIMEOUT'
>> -OVS_OFCTL_TIMEOUT () {
>> -command ovs-ofctl --timeout=$OVS_TIMEOUT "$@"
>> -}
>> -OVS_APPCTL_TIMEOUT () {
>> -command ovs-appctl --timeout=$OVS_TIMEOUT "$@"
>> -}
>> -OVS_SBCTL_TIMEOUT () {
>> -command ovn-sbctl --timeout=$OVS_TIMEOUT "$@"
>> -}
>> -OVN_NBCTL_TIMEOUT () {
>> -command ovn-nbctl --timeout=$OVS_TIMEOUT "$@"
>> -}
>> -VTEP_CTL_TIMEOUT () {
>> -command vtep-ctl --timeout=$OVS_TIMEOUT "$@"
>> -}
>> -OVSDB_CLIENT_TIMEOUT () {
>> -command ovsdb-client --timeout=$OVS_TIMEOUT "$@"
>> -}
>> -fi
>> +OVS_UTILS_LIST="ovs-vsctl ovs-ofctl ovs-appctl ovn-sbctl ovn-nbctl
>> +vtep-ctl ovsdb-client"
>> +for util in $OVS_UTILS_LIST; do
>> +alias $util="$util $OVS_TIMEOUT" >/dev/null 2>&1
> 
> Maybe I misunderstood something - should this be?

Oh. Thanks.
Sorry. That's a typo that is fixed by patch #3. That's why I missed it.

I'll respin soon fixing patches #1 and #2.

> 
> +alias $util="$util --timeout=$OVS_TIMEOUT" >/dev/null 2>&1
> 
>> +done
>>  
>>  # parent_pid PID
>>  #
> 
> 


Re: [ovs-dev] [PATCH] utilities: Run ovsdb-server pre-startup DB steps as root

2018-08-01 Thread Aaron Conole
Ben Pfaff  writes:

> I don't understand the conclusion in this thread.  Does anyone want me
> to apply some patch?  Or should I stay tuned for further discussion?

Stay tuned for the exciting conclusion, please :)

> Thanks,
>
> Ben.


Re: [ovs-dev] [PATCH 1/9] tests: Simplify the setting of aliases.

2018-08-01 Thread Aaron Conole
Hi Ilya,

Ilya Maximets  writes:

> There is no need to create a separate function for each alias.
> This will simplify adding new default options and utils.
>
> Signed-off-by: Ilya Maximets 
> ---
>  tests/ovs-macros.at | 35 +--
>  1 file changed, 5 insertions(+), 30 deletions(-)
>
> diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at
> index 677eea7..e3365b6 100644
> --- a/tests/ovs-macros.at
> +++ b/tests/ovs-macros.at
> @@ -124,36 +124,11 @@ fi
>  # Set default timeout for 30 seconds.
>  # This should be sufficient on all platforms.
>  OVS_TIMEOUT=30
> -alias ovs-vsctl='OVS_VSCTL_TIMEOUT' >/dev/null 2>&1
> -if [ $? -eq 0 ]; then
> -OVS_VSCTL_TIMEOUT () {
> -command ovs-vsctl --timeout=$OVS_TIMEOUT "$@"
> -}
> -alias ovs-ofctl='OVS_OFCTL_TIMEOUT'
> -alias ovs-appctl='OVS_APPCTL_TIMEOUT'
> -alias ovn-sbctl='OVS_SBCTL_TIMEOUT'
> -alias ovn-nbctl='OVN_NBCTL_TIMEOUT'
> -alias vtep-ctl='VTEP_CTL_TIMEOUT'
> -alias ovsdb-client='OVSDB_CLIENT_TIMEOUT'
> -OVS_OFCTL_TIMEOUT () {
> -command ovs-ofctl --timeout=$OVS_TIMEOUT "$@"
> -}
> -OVS_APPCTL_TIMEOUT () {
> -command ovs-appctl --timeout=$OVS_TIMEOUT "$@"
> -}
> -OVS_SBCTL_TIMEOUT () {
> -command ovn-sbctl --timeout=$OVS_TIMEOUT "$@"
> -}
> -OVN_NBCTL_TIMEOUT () {
> -command ovn-nbctl --timeout=$OVS_TIMEOUT "$@"
> -}
> -VTEP_CTL_TIMEOUT () {
> -command vtep-ctl --timeout=$OVS_TIMEOUT "$@"
> -}
> -OVSDB_CLIENT_TIMEOUT () {
> -command ovsdb-client --timeout=$OVS_TIMEOUT "$@"
> -}
> -fi
> +OVS_UTILS_LIST="ovs-vsctl ovs-ofctl ovs-appctl ovn-sbctl ovn-nbctl
> +vtep-ctl ovsdb-client"
> +for util in $OVS_UTILS_LIST; do
> +alias $util="$util $OVS_TIMEOUT" >/dev/null 2>&1

Maybe I misunderstood something - should this be?

+alias $util="$util --timeout=$OVS_TIMEOUT" >/dev/null 2>&1

> +done
>  
>  # parent_pid PID
>  #


[ovs-dev] [PATCH 9/9] tests: Disable syslog for ovsdb-tool.

2018-08-01 Thread Ilya Maximets
This is the only place where ovsdb-tool produces some logs.
Also, it does not support '--timeout' option thus we can't
just add it to the utils list. Let's add the syslog option in place.

Signed-off-by: Ilya Maximets 
---
 tests/ovsdb-cluster.at | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/ovsdb-cluster.at b/tests/ovsdb-cluster.at
index c0bf53b..b2c8b6d 100644
--- a/tests/ovsdb-cluster.at
+++ b/tests/ovsdb-cluster.at
@@ -72,7 +72,7 @@ ovsdb_torture_test () {
 local variant=$3# 'kill' and restart or 'remove' and add
 cp $top_srcdir/ovn/ovn-sb.ovsschema schema
 schema=`ovsdb-tool schema-name schema`
-AT_CHECK([ovsdb-tool '-vPATTERN:console:%c|%p|%m' create-cluster s1.db 
schema unix:s1.raft], [0], [], [dnl
+AT_CHECK([ovsdb-tool '-vPATTERN:console:%c|%p|%m' -vsyslog:off 
create-cluster s1.db schema unix:s1.raft], [0], [], [dnl
 ovsdb|WARN|schema: changed 2 columns in 'OVN_Southbound' database from 
ephemeral to persistent, including 'status' column in 'Connection' table, 
because clusters do not support ephemeral columns
 ])
 
-- 
2.7.4



[ovs-dev] [PATCH 8/9] tests: Reorder logging args for ovn-sbctl in a subshell.

2018-08-01 Thread Ilya Maximets
'--log-file' should go after '-v' arguments to avoid unwanted
'opened log file' messages.
Execution is in a subshell and not covered by aliases.

Signed-off-by: Ilya Maximets 
---
 tests/ovsdb-cluster.at | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/ovsdb-cluster.at b/tests/ovsdb-cluster.at
index 1c41491..c0bf53b 100644
--- a/tests/ovsdb-cluster.at
+++ b/tests/ovsdb-cluster.at
@@ -136,7 +136,11 @@ ovsdb|WARN|schema: changed 2 columns in 'OVN_Southbound' 
database from ephemeral
 for i in $(seq 0 $(expr $n1 - 1) ); do
 (for j in $(seq $n2); do
  : > $i-$j.running
- run_as "ovn-sbctl($i-$j)" ovn-sbctl 
"-vPATTERN:console:ovn-sbctl($i-$j)|%D{%H:%M:%S}|%05N|%c|%p|%m" 
--log-file=$i-$j.log -vfile -vsyslog:off -vtimeval:off --timeout=120 
--no-leader-only add SB_Global . external_ids $i-$j=$i-$j
+ run_as "ovn-sbctl($i-$j)" \
+ovn-sbctl 
"-vPATTERN:console:ovn-sbctl($i-$j)|%D{%H:%M:%S}|%05N|%c|%p|%m" \
+-vfile -vsyslog:off -vtimeval:off --log-file=$i-$j.log \
+--timeout=120 --no-leader-only \
+add SB_Global . external_ids $i-$j=$i-$j
  status=$?
  if test $status != 0; then
  echo "$i-$j exited with status $status" > $i-$j:$status
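Review bot: The requirement that `--log-file` follow the `-v` options is recorded only in the commit message, so a later edit of this `run_as` call could reorder the arguments and bring the 'opened log file' messages back. A comment above the call, e.g. `# Keep --log-file after the -v options to avoid 'opened log file' output.`, would keep that knowledge in the test. The enclosing function starts and ends outside this hunk.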
-- 
2.7.4



[ovs-dev] [PATCH 7/9] tests: Disable syslog for test utils.

2018-08-01 Thread Ilya Maximets
This disables syslog logging for:
* ovs-testcontroller
* test-netflow
* test-ovsdb
* test-sflow
* test-unixctl (for cases where it's not needed)

Signed-off-by: Ilya Maximets 
---
 tests/bridge.at   |  3 ++-
 tests/ofproto-dpif.at | 32 
 tests/ovsdb-idl.at| 29 +
 tests/ovsdb.at|  2 +-
 tests/vlog.at | 11 +++
 5 files changed, 55 insertions(+), 22 deletions(-)

diff --git a/tests/bridge.at b/tests/bridge.at
index 1c36185..35fed02 100644
--- a/tests/bridge.at
+++ b/tests/bridge.at
@@ -48,7 +48,8 @@ OVS_VSWITCHD_START(
 set bridge br1 datapath-type=dummy other-config:datapath-id=1234 ])
 
 dnl Start ovs-testcontroller
-AT_CHECK([ovs-testcontroller --detach punix:controller --pidfile], [0], 
[ignore])
+AT_CHECK([ovs-testcontroller -vsyslog:off --detach punix:controller --pidfile],
+ [0], [ignore])
 on_exit 'kill `cat ovs-testcontroller.pid`'
 OVS_WAIT_UNTIL([test -e controller])
 
diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
index f0fca22..dd38d24 100644
--- a/tests/ofproto-dpif.at
+++ b/tests/ofproto-dpif.at
@@ -5991,7 +5991,9 @@ m4_define([CHECK_SFLOW_SAMPLING_PACKET],
   OVS_VSWITCHD_START([set Bridge br0 fail-mode=standalone])
 
   on_exit 'kill `cat test-sflow.pid`'
-  AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 0:$1 > 
sflow.log], [0], [], [ignore])
+  AT_CHECK([ovstest test-sflow -vsyslog:off --log-file \
+   --detach --no-chdir --pidfile 0:$1 > sflow.log],
+   [0], [], [ignore])
   AT_CAPTURE_FILE([sflow.log])
   PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
   ovs-appctl time/stop
@@ -6542,7 +6544,9 @@ OVS_VSWITCHD_START([dnl
 other_config:lacp-aggregation-key= ])
 
 on_exit 'kill `cat test-sflow.pid`'
-AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 
0:127.0.0.1 > sflow.log], [0], [], [ignore])
+AT_CHECK([ovstest test-sflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:127.0.0.1 > sflow.log],
+ [0], [], [ignore])
 AT_CAPTURE_FILE([sflow.log])
 PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
 
@@ -6586,7 +6590,9 @@ AT_XFAIL_IF([test "$IS_WIN32" = "yes"])
 OVS_VSWITCHD_START([set Bridge br0 fail-mode=standalone])
 
 dnl set up sFlow logging
-AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 
0:127.0.0.1 > sflow.log], [0], [], [ignore])
+AT_CHECK([ovstest test-sflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:127.0.0.1 > sflow.log],
+ [0], [], [ignore])
 AT_CAPTURE_FILE([sflow.log])
 PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
 ovs-appctl time/stop
@@ -6656,7 +6662,9 @@ AT_XFAIL_IF([test "$IS_WIN32" = "yes"])
 OVS_VSWITCHD_START([add-port br0 p0 -- set Interface p0 type=dummy 
ofport_request=1 options:ifindex=1010])
 
 dnl set up sFlow logging
-AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 
0:127.0.0.1 > sflow.log], [0], [], [ignore])
+AT_CHECK([ovstest test-sflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:127.0.0.1 > sflow.log],
+ [0], [], [ignore])
 AT_CAPTURE_FILE([sflow.log])
 PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
 ovs-appctl time/stop
@@ -6764,7 +6772,9 @@ table=0 dl_src=50:54:00:00:00:0b actions=pop_mpls:0x0800,2
 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
 
 dnl set up sFlow logging
-AT_CHECK([ovstest test-sflow --log-file --detach --no-chdir --pidfile 
0:127.0.0.1 > sflow.log], [0], [], [ignore])
+AT_CHECK([ovstest test-sflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:127.0.0.1 > sflow.log],
+ [0], [], [ignore])
 AT_CAPTURE_FILE([sflow.log])
 PARSE_LISTENING_PORT([test-sflow.log], [SFLOW_PORT])
 ovs-appctl time/stop
@@ -6858,7 +6868,9 @@ m4_define([CHECK_NETFLOW_EXPIRATION],
 
   ovs-appctl time/stop
   on_exit 'kill `cat test-netflow.pid`'
-  AT_CHECK([ovstest test-netflow --log-file --detach --no-chdir --pidfile 0:$1 
> netflow.log], [0], [], [ignore])
+  AT_CHECK([ovstest test-netflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:$1 > netflow.log],
+   [0], [], [ignore])
   AT_CAPTURE_FILE([netflow.log])
   PARSE_LISTENING_PORT([test-netflow.log], [NETFLOW_PORT])
 
@@ -6905,7 +6917,9 @@ m4_define([CHECK_NETFLOW_ACTIVE_EXPIRATION],
   add_of_ports br0 1 2
 
   on_exit 'kill `cat test-netflow.pid`'
-  AT_CHECK([ovstest test-netflow --log-file --detach --no-chdir --pidfile 0:$1 
> netflow.log], [0], [], [ignore])
+  AT_CHECK([ovstest test-netflow -vsyslog:off --log-file --detach --no-chdir \
+ --pidfile 0:$1 > netflow.log],
+   [0], [], [ignore])
   AT_CAPTURE_FILE([netflow.log])
   PARSE_LISTENING_PORT([test-netflow.log], [NETFLOW_PORT])
 
@@ -8195,7 +8209

[ovs-dev] [PATCH 5/9] tests: Enable only file logging by vlog/set appctl.

2018-08-01 Thread Ilya Maximets
Logs enabled by 'appctl vlog/set' are commonly only used for
'check_logs' at the end of the test. No need to enable any
other logs except for file.

Patch made automatically by sed replace.

Signed-off-by: Ilya Maximets 
---
 tests/dpif-netdev.at  |  10 ++--
 tests/learn.at|   6 +--
 tests/mpls-xlate.at   |   4 +-
 tests/ofproto-dpif.at | 106 +-
 tests/ofproto.at  |   4 +-
 tests/ovs-ofctl.at|   4 +-
 tests/pmd.at  |  20 
 tests/stp.at  |   6 +--
 tests/system-traffic.at   |   4 +-
 tests/tunnel-push-pop-ipv6.at |   2 +-
 tests/tunnel-push-pop.at  |   2 +-
 11 files changed, 84 insertions(+), 84 deletions(-)

diff --git a/tests/dpif-netdev.at b/tests/dpif-netdev.at
index fff395d..d850350 100644
--- a/tests/dpif-netdev.at
+++ b/tests/dpif-netdev.at
@@ -50,7 +50,7 @@ m4_divert_pop([PREPARE_TESTS])
 AT_SETUP([dpif-netdev - netdev-dummy/receive])
 # Create br0 with interfaces p0
 OVS_VSWITCHD_START([add-port br0 p1 -- set interface p1 type=dummy 
ofport_request=1 -- ])
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
 AT_CHECK([ovs-ofctl add-flow br0 action=normal])
 ovs-appctl time/stop
@@ -83,7 +83,7 @@ m4_define([DPIF_NETDEV_DUMMY_IFACE],
   add-port br1 p2 -- set interface p2 type=$1 
options:stream=unix:$OVS_RUNDIR/p0.sock ofport_request=2 -- \
   add-port br1 p8 -- set interface p8 ofport_request=8 type=$1 --], [], [],
   [m4_if([$1], [dummy-pmd], [--dummy-numa="0,0,0,0,1,1,1,1"], [])])
-   AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+   AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
AT_CHECK([ovs-ofctl add-flow br0 action=normal])
AT_CHECK([ovs-ofctl add-flow br1 action=normal])
@@ -113,7 +113,7 @@ m4_define([DPIF_NETDEV_MISS_FLOW_INSTALL],
  [add-port br0 p1 -- set interface p1 type=$1 
options:pstream=punix:$OVS_RUNDIR/p0.sock
   set bridge br0 datapath-type=dummy other-config:datapath-id=1234 
fail-mode=secure], [], [],
   [m4_if([$1], [dummy-pmd], [--dummy-numa="0,0,0,0,1,1,1,1"], [])])
-   AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+   AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
AT_CHECK([ovs-ofctl add-flow br0 action=normal])
AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
@@ -155,7 +155,7 @@ m4_define([DPIF_NETDEV_MISS_FLOW_DUMP],
   [m4_if([$1], [dummy-pmd], [--dummy-numa="0,0,0,0,1,1,1,1"], [])])
AT_CHECK([ovs-appctl upcall/disable-ufid], [0], [Datapath dumping tersely 
using UFID disabled
 ], [])
-   AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+   AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
AT_CHECK([ovs-ofctl add-flow br0 action=normal])
AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
@@ -203,7 +203,7 @@ OVS_VSWITCHD_START(
   fail-mode=secure -- \
add-port br1 p2 -- set interface p2 type=dummy 
options:stream=unix:$OVS_RUNDIR/p0.sock ofport_request=2 -- \
add-port br1 p8 -- set interface p8 ofport_request=8 type=dummy --])
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 
 AT_CHECK([ovs-ofctl -O OpenFlow13 add-meter br0 'meter=1 pktps burst stats 
bands=type=drop rate=1 burst_size=1'])
 AT_CHECK([ovs-ofctl -O OpenFlow13 add-meter br0 'meter=2 kbps burst stats 
bands=type=drop rate=1 burst_size=2'])
diff --git a/tests/learn.at b/tests/learn.at
index 5f1d6df..ab38d8a 100644
--- a/tests/learn.at
+++ b/tests/learn.at
@@ -665,7 +665,7 @@ AT_CLEANUP
 
 AT_SETUP([learning action - limit])
 OVS_VSWITCHD_START
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 add_of_ports br0 1 2
 AT_DATA([flows.txt], [dnl
 table=0 in_port=1 actions=learn(table=1,dl_dst=dl_src,cookie=0x1,limit=1),2
@@ -704,7 +704,7 @@ AT_CLEANUP
 
 AT_SETUP([learning action - limit result_dst])
 OVS_VSWITCHD_START
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:dbg])
 add_of_ports br0 1
 AT_DATA([flows.txt], [dnl
 table=0 in_port=1 
actions=learn(table=1,dl_dst=dl_src,cookie=0x1,limit=1,result_dst=reg0[[0]]),controller
@@ -737,7 +737,7 @@ AT_CLEANUP
 
 AT_SETUP([learning action - different limits])
 OVS_VSWITCHD_START
-AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg])
+AT_CHECK([ovs-appctl vlog/set dpif:file:dbg dpif_netdev:file:d

[ovs-dev] [PATCH 6/9] tests: Drop full logging for ovs-ofctl.

2018-08-01 Thread Ilya Maximets
'-v' option removed. Found no reason to have fully verbose
output from these ovs-ofctl calls.

Signed-off-by: Ilya Maximets 
---
 tests/ofproto.at | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/tests/ofproto.at b/tests/ofproto.at
index d6c6e9a..f57c15b 100644
--- a/tests/ofproto.at
+++ b/tests/ofproto.at
@@ -3291,14 +3291,14 @@ check_async () {
 : > expout
 
 # OFPT_PACKET_IN, OFPR_ACTION (controller_id=0)
-ovs-ofctl -v packet-out br0 controller controller 
'0001020304050010203040501234'
+ovs-ofctl packet-out br0 controller controller 
'0001020304050010203040501234'
 if test X"$1" = X"OFPR_ACTION"; then shift;
 echo >>expout "OFPT_PACKET_IN: total_len=14 in_port=CONTROLLER (via 
action) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
 fi
 
 # OFPT_PACKET_IN, OFPR_NO_MATCH (controller_id=123)
-ovs-ofctl -v packet-out br0 controller 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
+ovs-ofctl packet-out br0 controller 'controller(reason=no_match,id=123)' 
'0001020304050010203040501234'
 if test X"$1" = X"OFPR_NO_MATCH"; then shift;
 echo >>expout "OFPT_PACKET_IN: total_len=14 in_port=CONTROLLER (via 
no_match) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
@@ -3394,14 +3394,14 @@ check_async () {
 : > expout
 
 # OFPT_PACKET_IN, OFPR_ACTION (controller_id=0)
-ovs-ofctl -O OpenFlow12 -v packet-out br0 none controller 
'0001020304050010203040501234'
+ovs-ofctl -O OpenFlow12 packet-out br0 none controller 
'0001020304050010203040501234'
 if test X"$1" = X"OFPR_ACTION"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.2): total_len=14 in_port=ANY (via 
action) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
 fi
 
 # OFPT_PACKET_IN, OFPR_NO_MATCH (controller_id=123)
-ovs-ofctl -O OpenFlow12 -v packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
+ovs-ofctl -O OpenFlow12 packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
 if test X"$1" = X"OFPR_NO_MATCH"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.2): total_len=14 in_port=ANY (via 
no_match) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
@@ -3500,7 +3500,7 @@ check_async () {
 
 # OFPT_PACKET_IN, OFPR_ACTION (controller_id=0)
 # OFPR_ACTION_SET is treated as OFPR_ACTION in OpenFlow 1.3
-ovs-ofctl -O OpenFlow13 -v packet-out br0 none controller 
'0001020304050010203040501234'
+ovs-ofctl -O OpenFlow13 packet-out br0 none controller 
'0001020304050010203040501234'
 ovs-ofctl -O OpenFlow13 add-flow br0 'in_port=10 
actions=write_actions(output(CONTROLLER))'
 ovs-appctl netdev-dummy/receive p1 
'in_port(10),eth(src=00:10:20:30:40:50,dst=00:01:02:03:04:05),eth_type(0x1234)'
 if test X"$1" = X"OFPR_ACTION"; then shift;
@@ -3511,7 +3511,7 @@ 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234
 fi
 
 # OFPT_PACKET_IN, OFPR_NO_MATCH (controller_id=123)
-ovs-ofctl -O OpenFlow13 -v packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
+ovs-ofctl -O OpenFlow13 packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
 if test X"$1" = X"OFPR_NO_MATCH"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.3): total_len=14 in_port=ANY (via 
no_match) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
@@ -3614,7 +3614,7 @@ check_async () {
 : > expout
 
 # OFPT_PACKET_IN, OFPR_PACKET_OUT (controller_id=0)
-ovs-ofctl -O OpenFlow14 -v packet-out br0 none controller 
'0001020304050010203040501234'
+ovs-ofctl -O OpenFlow14 packet-out br0 none controller 
'0001020304050010203040501234'
 if test X"$1" = X"OFPR_PACKET_OUT"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.4): total_len=14 in_port=ANY (via 
packet_out) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
@@ -3629,7 +3629,7 @@ 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234
 fi
 
 # OFPT_PACKET_IN, OFPR_NO_MATCH (controller_id=123)
-ovs-ofctl -O OpenFlow14 -v packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
+ovs-ofctl -O OpenFlow14 packet-out br0 none 
'controller(reason=no_match,id=123)' '0001020304050010203040501234'
 if test X"$1" = X"OFPR_NO_MATCH"; then shift;
 echo >>expout "OFPT_PACKET_IN (OF1.4): total_len=14 in_port=ANY (via 
no_match) data_len=14 (unbuffered)
 
vlan_tci=0x,dl_src=00:10:20:30:40:50,dl_dst=00:01:02:03:04:05,dl_type=0x1234"
-- 
2

[ovs-dev] [PATCH 4/9] tests: Disable syslog for daemons.

2018-08-01 Thread Ilya Maximets
We can not just make an alias for daemons because many of them
have logging options in their command lines.
Let's handle them one by one. Additionally, it's a good chance
to wrap all the very long lines for better readability.

Signed-off-by: Ilya Maximets 
---
 tests/ofproto-macros.at  |  10 +-
 tests/ovn-controller-vtep.at |  35 +--
 tests/ovn-nbctl.at   |   4 +-
 tests/ovn-sbctl.at   |  19 +++-
 tests/ovs-vsctl.at   |  21 +++-
 tests/ovs-vswitchd.at|  17 +++-
 tests/ovsdb-idl.at   |   8 +-
 tests/ovsdb-lock.at  |   6 +-
 tests/ovsdb-monitor.at   |  23 -
 tests/ovsdb-rbac.at  |   3 +-
 tests/ovsdb-server.at| 227 ---
 tests/vlog.at|   4 +-
 tests/vtep-ctl.at|   4 +-
 13 files changed, 291 insertions(+), 90 deletions(-)

diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index a4bcc41..b95b7d2 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -54,7 +54,7 @@ m4_define([PARSE_LISTENING_PORT],
 [OVS_WAIT_UNTIL([$2=`sed -n 's/.*0:.*: listening on port 
\([[0-9]]*\)$/\1/p' "$1"` && test X != X"[$]$2"])])
 
 start_daemon () {
-"$@" -vconsole:off --detach --no-chdir --pidfile --log-file
+"$@" -vconsole:off -vsyslog:off --detach --no-chdir --pidfile --log-file
 pidfile="$OVS_RUNDIR"/$1.pid
 on_exit "test -e \"$pidfile\" && kill \`cat \"$pidfile\"\`"
 }
@@ -335,7 +335,9 @@ m4_define([_OVS_VSWITCHD_START],
AT_CHECK([ovsdb-tool create conf.db 
$abs_top_srcdir/vswitchd/vswitch.ovsschema])
 
dnl Start ovsdb-server.
-   AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file 
--remote=punix:$OVS_RUNDIR/db.sock], [0], [], [stderr])
+   AT_CHECK([ovsdb-server -vsyslog:off --detach --no-chdir --pidfile \
+  --log-file --remote=punix:$OVS_RUNDIR/db.sock],
+[0], [], [stderr])
on_exit "kill `cat ovsdb-server.pid`"
AT_CHECK([[sed < stderr '
 /vlog|INFO|opened log file/d
@@ -346,7 +348,9 @@ m4_define([_OVS_VSWITCHD_START],
AT_CHECK([ovs-vsctl --no-wait init $2])
 
dnl Start ovs-vswitchd.
-   AT_CHECK([ovs-vswitchd $1 --detach --no-chdir --pidfile --log-file -vvconn 
-vofproto_dpif -vunixctl], [0], [], [stderr])
+   AT_CHECK([ovs-vswitchd $1 -vvconn -vofproto_dpif -vunixctl -vsyslog:off \
+ --detach --no-chdir --pidfile --log-file],
+[0], [], [stderr])
AT_CAPTURE_FILE([ovs-vswitchd.log])
on_exit "kill_ovs_vswitchd `cat ovs-vswitchd.pid`"
AT_CHECK([[sed < stderr '
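Review bot: The position of `-vsyslog:off` after `-vvconn -vofproto_dpif -vunixctl` and after the caller-supplied `$1` looks load-bearing, but nothing in the macro says so. vlog options appear to be applied in order, so a module-level `-v` placed later would presumably re-enable syslog output for that module. A short note such as `dnl Keep -vsyslog:off after the per-module -v options.` above the AT_CHECK would stop a later edit from reordering it. The `_OVS_VSWITCHD_START` definition starts before and ends after this hunk.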
diff --git a/tests/ovn-controller-vtep.at b/tests/ovn-controller-vtep.at
index 416e954..e4f93a8 100644
--- a/tests/ovn-controller-vtep.at
+++ b/tests/ovn-controller-vtep.at
@@ -24,9 +24,21 @@ m4_define([OVN_CONTROLLER_VTEP_START],
done
 
dnl Start ovsdb-server.
-   AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file 
--remote=punix:$OVS_RUNDIR/db.sock vswitchd.db vtep.db], [0], [], [stderr])
-   AT_CHECK([ovsdb-server --detach --no-chdir --pidfile=ovsdb-nb-server.pid 
--log-file=ovsdb-nb-server.log --remote=punix:$OVS_RUNDIR/ovnnb_db.sock 
ovn-nb.db], [0], [], [stderr])
-   AT_CHECK([ovsdb-server --detach --no-chdir --pidfile=ovsdb-sb-server.pid 
--log-file=ovsdb-sb-server.log --remote=punix:$OVS_RUNDIR/ovnsb_db.sock 
ovn-sb.db ovn-sb.db], [0], [], [stderr])
+   AT_CHECK([ovsdb-server -vsyslog:off --detach --no-chdir \
+  --pidfile --log-file \
+  --remote=punix:$OVS_RUNDIR/db.sock vswitchd.db 
vtep.db],
+[0], [], [stderr])
+   AT_CHECK([ovsdb-server -vsyslog:off --detach --no-chdir \
+  --pidfile=ovsdb-nb-server.pid\
+  --log-file=ovsdb-nb-server.log   \
+  --remote=punix:$OVS_RUNDIR/ovnnb_db.sock ovn-nb.db],
+[0], [], [stderr])
+   AT_CHECK([ovsdb-server -vsyslog:off --detach --no-chdir \
+  --pidfile=ovsdb-sb-server.pid\
+  --log-file=ovsdb-sb-server.log   \
+  --remote=punix:$OVS_RUNDIR/ovnsb_db.sock \
+  ovn-sb.db ovn-sb.db],
+[0], [], [stderr])
on_exit "kill `cat ovsdb-server.pid` `cat ovsdb-nb-server.pid` `cat 
ovsdb-sb-server.pid`"
AT_CHECK([[sed < stderr '
 /vlog|INFO|opened log file/d
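Review bot: The third `ovsdb-server` invocation still names its database twice, `ovn-sb.db ovn-sb.db`, carried over unchanged from the old one-line form. Since the command is being rewrapped anyway, it is worth confirming whether the duplicate is intentional and, if it is not, reducing the last line to `ovn-sb.db],`. The `OVN_CONTROLLER_VTEP_START` macro starts before and continues after this hunk.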
@@ -34,7 +46,10 @@ m4_define([OVN_CONTROLLER_VTEP_START],
AT_CAPTURE_FILE([ovsdb-server.log])
 
dnl Start ovs-vswitchd.
-   AT_CHECK([ovs-vswitchd --enable-dummy=system --disable-system --detach 
--no-chdir --pidfile --log-file -vvconn -vofproto_dpif], [0], [], [stderr])
+   AT_CHECK([ovs-vswitchd -vvconn -vofproto_dpif -vsyslog:off   \
+  --enable-dummy=system --disable-system\
+  --detach --no-chdir --pidfile --log-file],
+[0], [], [

[ovs-dev] [PATCH 3/9] tests: Disable syslog by default for control utils.

2018-08-01 Thread Ilya Maximets
syslog messages from unit tests are not useful and only litter the
system logs on build / test machines.

Signed-off-by: Ilya Maximets 
---
 tests/ofproto-macros.at | 2 +-
 tests/ovs-macros.at | 6 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index 96219cd..a4bcc41 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -112,7 +112,7 @@ as() {
  cmd=$1; shift;
  for util in $OVS_UTILS_LIST; do
  if test "X$util" == "X$cmd"; then
- $cmd $OVS_TIMEOUT "$@"
+ $cmd $OVS_UTILS_DEFAULT_OPTIONS "$@"
  exit "$?"
  fi
  done
diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at
index e3365b6..e654259 100644
--- a/tests/ovs-macros.at
+++ b/tests/ovs-macros.at
@@ -114,7 +114,7 @@ if test "$IS_WIN32" = "yes"; then
 }
 fi
 
-# Try to add a default timeout for the following control utilities:
+# Try to add a default options for the following control utilities:
 # - ovs-vsctl
 # - ovs-ofctl
 # - ovs-appctl
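Review bot: The reworded comment `# Try to add a default options for the following control utilities:` mixes singular and plural. `# Try to add default options for the following control utilities:` reads correctly and matches the new `OVS_UTILS_DEFAULT_OPTIONS` name. The utility list it introduces continues in the next hunk.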
@@ -123,11 +123,13 @@ fi
 # - vtep-ctl
 # Set default timeout for 30 seconds.
 # This should be sufficient on all platforms.
+# Disable unwanted logging to syslog.
 OVS_TIMEOUT=30
+OVS_UTILS_DEFAULT_OPTIONS="-vsyslog:off --timeout=$OVS_TIMEOUT"
 OVS_UTILS_LIST="ovs-vsctl ovs-ofctl ovs-appctl ovn-sbctl ovn-nbctl
 vtep-ctl ovsdb-client"
 for util in $OVS_UTILS_LIST; do
-alias $util="$util $OVS_TIMEOUT" >/dev/null 2>&1
+alias $util="$util $OVS_UTILS_DEFAULT_OPTIONS" >/dev/null 2>&1
 done
 
 # parent_pid PID
-- 
2.7.4



[ovs-dev] [PATCH 2/9] tests: Set default timeout for utils in subshell.

2018-08-01 Thread Ilya Maximets
Aliases are not inheritable. To add default options for utils
executed in a subshell we may try to catch them here and append
options explicitly.

There are still few cases with utils invocation in subshell inside
the functions that we can not track this way, but they are not
very frequent.

Signed-off-by: Ilya Maximets 
---
 tests/ofproto-macros.at | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index 2a56ae6..96219cd 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -107,7 +107,17 @@ sim_add () {
 # there.
 as() {
 if test "X$2" != X; then
-(ovs_setenv $1; shift; "$@")
+(
+ ovs_setenv $1; shift;
+ cmd=$1; shift;
+ for util in $OVS_UTILS_LIST; do
+ if test "X$util" == "X$cmd"; then
+ $cmd $OVS_TIMEOUT "$@"
+ exit "$?"
+ fi
+ done
+ $cmd "$@"
+)
 else
 ovs_setenv $1
 fi
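Review bot: The matched utility is run as `$cmd $OVS_TIMEOUT "$@"`, and with `OVS_TIMEOUT=30` that passes a bare `30` as the first argument rather than a timeout option. The wrappers removed in patch 1/9 used `--timeout=$OVS_TIMEOUT`, so this line should read `$cmd --timeout=$OVS_TIMEOUT "$@"`. The alias added in patch 1/9, `alias $util="$util $OVS_TIMEOUT"`, has the same problem, and both are only corrected by patch 3/9, which leaves these two commits broken when bisecting. Separately, `test "X$util" == "X$cmd"` relies on `==`, which POSIX `test` does not define; `=` is the portable spelling.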
-- 
2.7.4



[ovs-dev] [PATCH 1/9] tests: Simplify the setting of aliases.

2018-08-01 Thread Ilya Maximets
There is no need to create a separate function for each alias.
This will simplify adding new default options and utils.

Signed-off-by: Ilya Maximets 
---
 tests/ovs-macros.at | 35 +--
 1 file changed, 5 insertions(+), 30 deletions(-)

diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at
index 677eea7..e3365b6 100644
--- a/tests/ovs-macros.at
+++ b/tests/ovs-macros.at
@@ -124,36 +124,11 @@ fi
 # Set default timeout for 30 seconds.
 # This should be sufficient on all platforms.
 OVS_TIMEOUT=30
-alias ovs-vsctl='OVS_VSCTL_TIMEOUT' >/dev/null 2>&1
-if [ $? -eq 0 ]; then
-OVS_VSCTL_TIMEOUT () {
-command ovs-vsctl --timeout=$OVS_TIMEOUT "$@"
-}
-alias ovs-ofctl='OVS_OFCTL_TIMEOUT'
-alias ovs-appctl='OVS_APPCTL_TIMEOUT'
-alias ovn-sbctl='OVS_SBCTL_TIMEOUT'
-alias ovn-nbctl='OVN_NBCTL_TIMEOUT'
-alias vtep-ctl='VTEP_CTL_TIMEOUT'
-alias ovsdb-client='OVSDB_CLIENT_TIMEOUT'
-OVS_OFCTL_TIMEOUT () {
-command ovs-ofctl --timeout=$OVS_TIMEOUT "$@"
-}
-OVS_APPCTL_TIMEOUT () {
-command ovs-appctl --timeout=$OVS_TIMEOUT "$@"
-}
-OVS_SBCTL_TIMEOUT () {
-command ovn-sbctl --timeout=$OVS_TIMEOUT "$@"
-}
-OVN_NBCTL_TIMEOUT () {
-command ovn-nbctl --timeout=$OVS_TIMEOUT "$@"
-}
-VTEP_CTL_TIMEOUT () {
-command vtep-ctl --timeout=$OVS_TIMEOUT "$@"
-}
-OVSDB_CLIENT_TIMEOUT () {
-command ovsdb-client --timeout=$OVS_TIMEOUT "$@"
-}
-fi
+OVS_UTILS_LIST="ovs-vsctl ovs-ofctl ovs-appctl ovn-sbctl ovn-nbctl
+vtep-ctl ovsdb-client"
+for util in $OVS_UTILS_LIST; do
+alias $util="$util $OVS_TIMEOUT" >/dev/null 2>&1
+done
 
 # parent_pid PID
 #
-- 
2.7.4



[ovs-dev] [PATCH 0/9] tests: Clean up syslog.

2018-08-01 Thread Ilya Maximets
Each run of the testsuite produces millions lines in a system
log. This is completely unnecessary and makes it difficult to
use system logs on test / build servers.

This series is aimed to disable most of the syslog messages.
There are still few logs that requires significant changes in
tests or code to disable. They will be removed separately if
needed.

Some testing results:
  OS : RHEL 7.5
  CPU: Xeon E5 v4 2.6GHz
  Cmd: make check TESTSUITEFLAGS='-j20'

  Without patches:
  * 3.350.097 Lines of logs in journalctl
  * Execution time: 11 minutes
  * jourlald eats 100% of one cpu core.

  With patch-set applied:
  * 226 Lines of logs in journalctl
  * Execution time: 2.5 minutes

So, in addition to clean logs, this patch-set significantly
speeds up the testsuite execution in parallel builds (more
than 4 times! in my case).

Side effects:
  * default timeout applied to control utils in a subshell.
  * tests refactored to be more readable.
  * testsuite execution speed up.

Ilya Maximets (9):
  tests: Simplify the setting of aliases.
  tests: Set default timeout for utils in subshell.
  tests: Disable syslog by default for control utils.
  tests: Disable syslog for daemons.
  tests: Enable only file logging by vlog/set appctl.
  tests: Drop full logging for ovs-ofctl.
  tests: Disable syslog for test utils.
  tests: Reorder logging args for ovn-sbctl in a subshell.
  tests: Disable syslog for ovsdb-tool.

 tests/bridge.at   |   3 +-
 tests/dpif-netdev.at  |  10 +-
 tests/learn.at|   6 +-
 tests/mpls-xlate.at   |   4 +-
 tests/ofproto-dpif.at | 138 +
 tests/ofproto-macros.at   |  22 +++-
 tests/ofproto.at  |  20 ++--
 tests/ovn-controller-vtep.at  |  35 +--
 tests/ovn-nbctl.at|   4 +-
 tests/ovn-sbctl.at|  19 +++-
 tests/ovs-macros.at   |  39 ++--
 tests/ovs-ofctl.at|   4 +-
 tests/ovs-vsctl.at|  21 +++-
 tests/ovs-vswitchd.at |  17 +++-
 tests/ovsdb-cluster.at|   8 +-
 tests/ovsdb-idl.at|  37 +--
 tests/ovsdb-lock.at   |   6 +-
 tests/ovsdb-monitor.at|  23 -
 tests/ovsdb-rbac.at   |   3 +-
 tests/ovsdb-server.at | 227 --
 tests/ovsdb.at|   2 +-
 tests/pmd.at  |  20 ++--
 tests/stp.at  |   6 +-
 tests/system-traffic.at   |   4 +-
 tests/tunnel-push-pop-ipv6.at |   2 +-
 tests/tunnel-push-pop.at  |   2 +-
 tests/vlog.at |  15 +--
 tests/vtep-ctl.at |   4 +-
 28 files changed, 463 insertions(+), 238 deletions(-)

-- 
2.7.4



Re: [ovs-dev] [PATCH V2 0/4] Enable set/match of tos/ttl for IP tunnels on TC data-path

2018-08-01 Thread Or Gerlitz
On Wed, Aug 1, 2018 at 2:29 PM, Simon Horman  wrote:
> Hi Or,
>
> On 1 August 2018 at 13:21, Or Gerlitz  wrote:
>>
>> On Wed, Aug 1, 2018 at 2:07 PM, Simon Horman 
>> wrote:
>> > On 1 August 2018 at 11:31, Simon Horman 
>> > wrote:
>> >>
>> >> Thanks Or, Thanks Ben,
>> >>
>> >> On 1 August 2018 at 08:43, Or Gerlitz  wrote:
>> >>>
>> >>> On Tue, Jul 31, 2018 at 1:40 PM, Or Gerlitz 
>> >>> wrote:
>> >>> > This series comes to address the case to set (encap) and match
>> >>> > (decap)
>> >>> > also the tos and ttl fields of TC based IP tunnels. This happens e.g
>> >>> > due to inherit setup of tunnel port for tos or due to specific OF
>> >>> > rule.
>> >>> >
>> >>> > The series is rebased over Jianbo's patches for QinQ [1]
>> >>>
>> >>> FWIW - note that v2 was actually rebased to the master where Jianbo's
>> >>> work
>> >>> is already applied
>> >>
>> >>
>> >> I have also reviewed these patches, tested that travis-ci is happy with
>> >> everything when applied on top of
>> >> 185b13f228ac ("ovn: Add Meter and Meter_Band tables to the NB and SB
>> >> databases."), which was the most recent
>> >> travis-ci-clean commit in the master branch yesterday, and Netronome
>> >> has
>> >> performed some testing in the lab.
>> >>
>> >> Overall I am happy with these patches and plan to apply them later
>> >> today
>> >> after one final run through travis-ci after rebasing onto the current
>> >> master
>> >> branch (which is not travis-ci-clean :( [See: "Re: [ovs-dev] [PATCH v2
>> >> 3/3]
>> >> ovn-northd: Propagate dynamic addresses to port group address sets."]).
>>
>> > Thanks again Or, I have applied this series to master.
>>
>>
>> Thank you.
>>
>> So how is the stable process @ ovs goes? is that documented, where?
>> e.g b4496fc "lib/tc: Handle ttl for ipv6 too" is a bug fix, should/who I
>> ask
>> for stable inclusion?

> The usual procedure, as I understand, is to ask if the maintainer doesn't 
> apply
> the fix to the desired stable branches. I'll take the above as a request to
> apply the patch to branch-2.10.
> Do you want it considered for any other stable branches?

Hi Simon,

Yes, please do apply the ttl fix to 2.10 and if possible, to 2.9 as well since
the bug was introduced there.

Also, it would be good if dfa2ccd "lib/tc: Support matching on ip tos"
would also go to 2.10.
I realized that commit 8f283af "netdev-tc-offloads: Implement netdev
flow put using tc interface"
has blindly set the tos field @ the mask to zero (see mask->nw_tos = 0
in netdev_tc_flow_put)
as if we offloaded that to the TC DP, but we didn't..

Or.


Re: [ovs-dev] [PATCH] Add opterr and optopt to Windows headers

2018-08-01 Thread aserdean
> -Mesaj original-
> De la: ovs-dev-boun...@openvswitch.org  boun...@openvswitch.org> În numele Ben Pfaff
> Trimis: Tuesday, July 31, 2018 7:37 PM
> Către: Alin Gabriel Serdean 
> Cc: d...@openvswitch.org
> Subiect: Re: [ovs-dev] [PATCH] Add opterr and optopt to Windows headers
> 
> On Tue, Jul 31, 2018 at 03:08:13PM +0300, Alin Gabriel Serdean wrote:
> > Until now we only had optind defined in the header.
> >
> > Since we are using the BSD getopt variant add opterr and optopt.
> >
> > Fixes: current Windows build failures.
> 
> Usually Fixes is used like this:
> 
> CC: Jakub Sitnicki 
> Fixes: 3ec06ea9c668 ("ovn-nbctl: Initial support for daemon mode.")
> 
> I use the following script, installed under the name git-fixes, to
generate it:
> 
> #! /bin/sh
> git --no-pager log -1 --pretty=format:"CC: %an <%ae>%nFixes: %h
> (\"%s\")%n" --abbrev=12 "$@"
> 
Thanks for the script Ben. I updated the commit message and sent out a v2.



Re: [ovs-dev] [ACL Meters 4/7] ovn: Add Meter and Meter_Band tables to the NB and SB databases.

2018-08-01 Thread Simon Horman
On Sun, Jul 29, 2018 at 11:46:35PM -0700, Justin Pettit wrote:
> Add support for configuring meters through the Meter and Meter_Band
> tables in the Northbound database.  This commit also has ovn-northd
> sync those tables between the Northbound and Southbound databases.
> 
> Add support for configuring meters with ovn-nbctl.
> 
> Signed-off-by: Justin Pettit 

Hi Justin,

it seems that this patch broke building with older GCC:

https://travis-ci.org/openvswitch/ovs/jobs/410404752:

Ben applied a fix for that to master.

04a12e42e089 ("ofctrl: Placate GCC.")

I believe that change is also needed in branch-2.10.



[ovs-dev] [PATCH v7 3/4] Document the flows for redirecting VLAN packets

2018-08-01 Thread vkommadi
From: venkata anil 

We have added new flows for using vlans instead of tunnels for
redirecting VLAN packets to a gateway chassis. This patch documents
these flows in ovn-northd.8.xml and ovn-architecture.7.xml.

Signed-off-by: Venkata Anil 
---

v6->v7:
* Rebased

v5->v6:
* Rebased

v4->v5:
* This patch is added to document the logical and physical flows

 ovn/northd/ovn-northd.8.xml | 46 +
 ovn/ovn-architecture.7.xml  | 26 -
 2 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index f1771c6..8fa5272 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -995,6 +995,23 @@ output;
 
   
 
+  For each enabled router port P which is connected to
+  a VLAN network, a priority-100 flow that matches inport ==
+  P && flags.rcv_from_vlan == 1,
+  with action next;.
+
+
+
+  For the gateway port on a distributed logical router (where
+  one of the logical router ports specifies a
+  redirect-chassis), the above flow is only
+  programmed on the gateway port instance on the
+  redirect-chassis.
+
+  
+
+  
+
   For each enabled router port P with Ethernet address
   E, a priority-50 flow that matches inport ==
   P && (eth.mcast || eth.dst ==
@@ -1146,6 +1163,18 @@ output;
 
   For the gateway port on a distributed logical router (where
   one of the logical router ports specifies a
+  redirect-chassis), when the ARP request is
+  from router internal ports connected to vlan network (i.e
+  flags.rcv_from_vlan == 1), a priority-90 flow matches
+   flags.rcv_from_vlan == 1 && arp.op == 1
+  && arp.tpa == A will have the
+  above action but outport set to all router internal ports
+  which are connected to vlan network.
+
+
+
+  For the gateway port on a distributed logical router (where
+  one of the logical router ports specifies a
   redirect-chassis), the above flows are only
   programmed on the gateway port instance on the
   redirect-chassis.  This behavior avoids generation
@@ -1839,6 +1868,23 @@ next;
   If the address A is in the link-local scope, the
   route will be limited to sending on the ingress port.
 
+
+
+  If the route's outport is a gateway port on a
+  distributed logical router (where one of the logical router ports
+  specifies a redirect-chassis), for the packets matching
+  MLF_RCV_FROM_VLAN flag along with ip4.dst ==
+  N/M, or ip6.dst ==
+  N/M, add a flow with priority we get
+  by adding 1 to number of 1-bits in M, with an action
+  REGBIT_NAT_REDIRECT  =  1;  next;.
+  By setting the REGBIT_NAT_REDIRECT flag, in the ingress
+  table Gateway Redirect this will trigger a redirect to
+  the instance of the gateway port on the redict-chassis.
+  This flow is programmed on the gateway port instance other than the
+  redirect-chassis. This flow is also added if the route
+  is from a configured static route.
+
   
 
 
diff --git a/ovn/ovn-architecture.7.xml b/ovn/ovn-architecture.7.xml
index ae5ca8e..ad2101c 100644
--- a/ovn/ovn-architecture.7.xml
+++ b/ovn/ovn-architecture.7.xml
@@ -874,6 +874,19 @@
 Encapsulations for encoding details).  Then the actions resubmit
 to table 33 to enter the logical egress pipeline.
   
+
+  
+For VLAN packets coming through localnet port from remote chassis,
+table 0 sets logical datapath and logical ingress port based on
+localnet port. If these VLAN packets have distributed gateway port MAC
+(gateway port on a distributed logical router where one of the logical
+router ports specifies a redirect-chassis) as destination MAC address,
+a new flow with priority 200 is added which sets logical datapath to
+router metadata and logical ingress port to the patch port connecting
+router and vlan network, resubmit into the logical router ingress
+pipeline i.e table 8. This flow is only programmed  on the gateway
+port instance on the redirect-chassis.
+  
 
 
 
@@ -1020,6 +1033,16 @@
   determine the output port.
 
 
+  A higher-priority rule to match packets received from router ports
+  which are connected to vlan networks, based on flag
+  MLF_RCV_FROM_VLAN, where logical output port is a gateway port, on
+  a distributed logical router (where one of the logical router ports
+  specifies a redirect-chassis), but on remote hypervisor, the actions
+  tag the packet with input network VLAN

[ovs-dev] [PATCH v7 4/4] Replace router internal MAC with gateway MAC for reply packets

2018-08-01 Thread vkommadi
From: venkata anil 

Previous patches in the series don't address issue 1 explained in [1]
i.e
1) removal of router gateway port MAC address on external switches
   after expiring of aging time.
2) then external switches unable to learn the gateway MAC as
   reply packets carry router internal port MAC address as source

To fix this, router on gateway node will use router gateway MAC address
instead of router internal port MAC address as source for reply packets,
so that external switches can learn gateway MAC address.
This is done only for reply packets from router gateway to tenant VLAN
switch ports.
Later before delivering the packet to the port, ovn-controller will
replace the gateway MAC with router internal port MAC in table 33.

[1] //mail.openvswitch.org/pipermail/ovs-dev/2018-July/349803.html

Reported-by: Miguel Angel Ajo 
Reported-at: 
https://mail.openvswitch.org/pipermail/ovs-dev/2018-July/349803.html
Signed-off-by: Venkata Anil 
---

v6->v7:
* Added this patch


 ovn/controller/physical.c   | 60 ++---
 ovn/northd/ovn-northd.8.xml | 10 
 ovn/northd/ovn-northd.c | 29 ++
 ovn/ovn-architecture.7.xml  |  4 ++-
 4 files changed, 99 insertions(+), 4 deletions(-)

diff --git a/ovn/controller/physical.c b/ovn/controller/physical.c
index f269a1d..1f41f59 100644
--- a/ovn/controller/physical.c
+++ b/ovn/controller/physical.c
@@ -190,7 +190,9 @@ get_zone_ids(const struct sbrec_port_binding *binding,
 static void
 put_local_common_flows(uint32_t dp_key, uint32_t port_key,
bool nested_container, const struct zone_ids *zone_ids,
-   struct ofpbuf *ofpacts_p, struct hmap *flow_table)
+   struct ofpbuf *ofpacts_p, struct hmap *flow_table,
+   struct local_datapath *ld,
+   const struct hmap *local_datapaths)
 {
 struct match match;
 
@@ -221,11 +223,63 @@ put_local_common_flows(uint32_t dp_key, uint32_t port_key,
 }
 }
 
+struct ofpbuf *clone = NULL;
+clone = ofpbuf_clone(ofpacts_p);
+
 /* Resubmit to table 34. */
 put_resubmit(OFTABLE_CHECK_LOOPBACK, ofpacts_p);
 ofctrl_add_flow(flow_table, OFTABLE_LOCAL_OUTPUT, 100, 0,
 &match, ofpacts_p);
 
+/* For a reply packet from gateway with VLAN switch port as destination
+ * (excluding localnet_port and external VLAN networks), gateway router
+ * will use gateway MAC address as source MAC instead of router internal
+ * port MAC, so that external switches can learn gateway MAC address.
+ * Here (before packet is given to the port) we replace router gateway
+ * MAC address with router internal port MAC. */
+if (ld->localnet_port && (port_key != ld->localnet_port->tunnel_key)) {
+for (int i = 0; i < ld->n_peer_dps; i++) {
+struct local_datapath *peer_ldp = get_local_datapath(
+local_datapaths, ld->peer_dps[i]->peer_dp->tunnel_key);
+const struct sbrec_port_binding *crp;
+crp = peer_ldp->chassisredirect_port;
+if (!crp) {
+continue;
+}
+
+if (strcmp(smap_get(&crp->options, "distributed-port"),
+   ld->peer_dps[i]->peer->logical_port) &&
+(port_key != ld->peer_dps[i]->patch->tunnel_key)) {
+for (int j = 0; j < crp->n_mac; j++) {
+struct lport_addresses laddrs;
+if (!extract_lsp_addresses(crp->mac[j], &laddrs)) {
+continue;
+}
+match_set_dl_src(&match, laddrs.ea);
+destroy_lport_addresses(&laddrs);
+break;
+}
+for (int j = 0; j < ld->peer_dps[i]->peer->n_mac; j++) {
+struct lport_addresses laddrs;
+uint64_t mac64;
+if (!extract_lsp_addresses(
+ld->peer_dps[i]->peer->mac[j], &laddrs)) {
+continue;
+}
+mac64 = eth_addr_to_uint64(laddrs.ea);
+put_load(mac64,
+ MFF_ETH_SRC, 0, 48, clone);
+destroy_lport_addresses(&laddrs);
+break;
+}
+put_resubmit(OFTABLE_CHECK_LOOPBACK, clone);
+ofctrl_add_flow(flow_table, OFTABLE_LOCAL_OUTPUT, 150, 0,
+&match, clone);
+}
+}
+}
+ofpbuf_delete(clone);
+
 /* Table 34, Priority 100.
  * ===
  *
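Review bot: In the block added to put_local_common_flows, the results of `get_local_datapath()` and `smap_get(&crp->options, "distributed-port")` are used without a NULL check, so a peer datapath that is not local, or a chassisredirect binding without that option, would be dereferenced or handed to `strcmp()` as NULL. The single `clone` buffer and the shared `match` are also reused across iterations of the `i` loop, so a second peer's priority-150 flow would carry the first peer's `put_load` and resubmit actions, and the `dl_src` match set here stays in `match` for whatever follows the block. If neither MAC loop extracts an address, the flow is still installed without a source-MAC match. The function begins before and continues after this hunk, so how `match` is used afterwards is not visible here.

```c
    if (ld->localnet_port && (port_key != ld->localnet_port->tunnel_key)) {
        for (int i = 0; i < ld->n_peer_dps; i++) {
            struct local_datapath *peer_ldp = get_local_datapath(
                local_datapaths, ld->peer_dps[i]->peer_dp->tunnel_key);
            if (!peer_ldp || !peer_ldp->chassisredirect_port) {
                continue;
            }
            const struct sbrec_port_binding *crp =
                peer_ldp->chassisredirect_port;
            const char *dist_port = smap_get(&crp->options,
                                             "distributed-port");
            if (!dist_port
                || !strcmp(dist_port, ld->peer_dps[i]->peer->logical_port)
                || port_key == ld->peer_dps[i]->patch->tunnel_key) {
                continue;
            }

            /* Per-peer copies, so one peer's dl_src match and actions do not
             * leak into the next flow or into the code after this block. */
            struct match gw_match = match;
            struct ofpbuf *gw_ofpacts = ofpbuf_clone(clone);

            /* ... unchanged: the two MAC loops, now writing to gw_match and
             * gw_ofpacts; skip the flow if either loop finds no address ... */

            put_resubmit(OFTABLE_CHECK_LOOPBACK, gw_ofpacts);
            ofctrl_add_flow(flow_table, OFTABLE_LOCAL_OUTPUT, 150, 0,
                            &gw_match, gw_ofpacts);
            ofpbuf_delete(gw_ofpacts);
        }
    }
```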
@@ -330,7 +384,7 @@ consider_port_binding(struct ovsdb_idl_index 
*sbrec_chassis_by_name,
 
 struct zone_ids binding_zones = get_zone_ids(binding, ct_zones);
 put_local_common_flows(dp_key, port_key, false, &binding_zones,
-   ofpacts_p, flow_table);
+   
