[ovs-git] [openvswitch/ovs] 742513: dpctl: Simplify dpctl_flush_conntrack.

GitHub noreply at github.com
Fri Aug 17 17:31:56 UTC 2018


  Branch: refs/heads/branch-2.10
  Home:   https://github.com/openvswitch/ovs
  Commit: 74251328dd6b28f504a194b307673dc83a530993
      https://github.com/openvswitch/ovs/commit/74251328dd6b28f504a194b307673dc83a530993
  Author: Darrell Ball <dlu998 at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/dpctl.c

  Log Message:
  -----------
  dpctl: Simplify dpctl_flush_conntrack.

The function dpctl_flush_conntrack() and other such new functions with
multiple optional arguments can be simplified by reordering the checks
for optional parameters, where the datapath argument is checked for
last.

Signed-off-by: Darrell Ball <dlu998 at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: 36758e09186d194e6d054d98da4d25da30b380fd
      https://github.com/openvswitch/ovs/commit/36758e09186d194e6d054d98da4d25da30b380fd
  Author: Darrell Ball <dlu998 at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/dpctl.c
    M tests/system-traffic.at

  Log Message:
  -----------
  dpctl: Make opt_dpif_open() more general.

By making opt_dpif_open() more general, it can be used effectively
by all potential callers and avoids trying to open potentially bogus
datapaths provided by the user. Also, the error handling is improved by
reducing bogus errors and having more specific real errors.

Signed-off-by: Darrell Ball <dlu998 at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: bfcd4b08a7b969344f423e763ad0e19d72ceb536
      https://github.com/openvswitch/ovs/commit/bfcd4b08a7b969344f423e763ad0e19d72ceb536
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M acinclude.m4
    M datapath/linux/Modules.mk
    M datapath/linux/compat/include/net/netfilter/nf_conntrack.h
    A datapath/linux/compat/include/uapi/linux/netfilter.h
    A datapath/linux/compat/nf_conntrack_proto.c

  Log Message:
  -----------
  compat: Backport nf_ct_netns_{get, put}()

This patch backports nf_ct_netns_get/put() in order to support a feature
in the follow up patch.

nf_ct_netns_{get,put} were first introduced in upstream net-next commit
ecb2421b5ddf ("netfilter: add and use nf_ct_netns_get/put") in kernel
v4.10, and then updated in commit 7e35ec0e8044 ("netfilter: conntrack:
move nf_ct_netns_{get,put}() to core") in kernel v4.15.  We need to
invoke nf_ct_netns_get/put() when the underlying nf_conntrack_l3proto
supports net_ns_{get,put}().

Therefore, there are 3 cases that we need to consider.
1) Before nf_ct_netns_{get,put}() is introduced.
    We just mock nf_ct_netns_{get,put}() and do nothing.

2) After 1) and before v4.15
    Backports based on commit 7e35ec0e8044.

3) Starting from v4.15
    Use the upstream version.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: e0f527e9458552de19e5c93c294b8cd54361d28e
      https://github.com/openvswitch/ovs/commit/e0f527e9458552de19e5c93c294b8cd54361d28e
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M acinclude.m4
    M datapath/linux/Modules.mk
    A datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
    A datapath/linux/compat/nf_conncount.c

  Log Message:
  -----------
  datapath: compat: Backports nf_conncount

This patch backports the nf_conncount backend that counts the number
of connections matching an arbitrary key.  The following patch will
use the feature to support connection tracking zone limit in ovs
kernel datapath.

This backport is based on the following upstream net-next commits:
5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
34848d5c896e ("netfilter: nf_conncount: Split insert and traversal")
2ba39118c10a ("netfilter: nf_conncount: Move locking into count_tree()")
976afca1ceba ("netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup")
cb2b36f5a97d ("netfilter: nf_conncount: Switch to plain list")
2a406e8ac7c3 ("netfilter: nf_conncount: Early exit for garbage collection")
b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race")
21ba8847f857 ("netfilter: nf_conncount: Fix garbage collection with zones")
5e5cbc7b23ea ("netfilter: nf_conncount: expose connection list interface")
35d8deb80c30 ("netfilter: conncount: Support count only use case")
6aec208786c2 ("netfilter: Refactor nf_conncount")
d384e65f1e75 ("netfilter: return booleans instead of integers")
625c556118f3 ("netfilter: connlimit: split xt_connlimit into front and backend")

The upstream nf_conncount exports a number of functions, while this
patch only exports the ones that the ovs kernel module needs.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: a8b1d793839800be98a2ee0095e8b8d745bb3e5c
      https://github.com/openvswitch/ovs/commit/a8b1d793839800be98a2ee0095e8b8d745bb3e5c
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M acinclude.m4
    M datapath/linux/Modules.mk
    A datapath/linux/compat/include/linux/static_key.h

  Log Message:
  -----------
  datapath: compat: Introduce static key support

Static keys allow the inclusion of seldom used features in
performance-sensitive fast-path kernel code, via a GCC feature and a
code patching technique. For more information:
    * https://www.kernel.org/doc/Documentation/static-keys.txt

Since the upstream ovs kernel module now uses some static key API that was
introduced in the v4.3 kernel, we shall backport it to the compat module
for older kernel support.

This backport is based on upstream net-next commit 11276d5306b8
("locking/static_keys: Add a new static_key interface").

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: ba9e97d14f8e9c216f2f6389b62a37c3fc518c38
      https://github.com/openvswitch/ovs/commit/ba9e97d14f8e9c216f2f6389b62a37c3fc518c38
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M datapath/linux/compat/include/linux/openvswitch.h

  Log Message:
  -----------
  datapath: Add conntrack limit netlink definition

Upstream commit:
    commit 5972be6b2495c6bffbf444497517fd1c070eef78
    Author: Yi-Hung Wei <yihung.wei at gmail.com>
    Date:   Thu May 24 17:56:42 2018 -0700

    openvswitch: Add conntrack limit netlink definition

    Define netlink messages and attributes to support user kernel
    communication that uses the conntrack limit feature.

    Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 4f7e690e6a0d80a59a0f89a9e3c53f2501c47505
      https://github.com/openvswitch/ovs/commit/4f7e690e6a0d80a59a0f89a9e3c53f2501c47505
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M NEWS
    M datapath/compat.h
    M datapath/conntrack.c
    M datapath/conntrack.h
    M datapath/datapath.c
    M datapath/datapath.h

  Log Message:
  -----------
  datapath: conntrack: Support conntrack zone limit

Upstream commit:
    commit 11efd5cb04a184eea4f57b68ea63dddd463158d1
    Author: Yi-Hung Wei <yihung.wei at gmail.com>
    Date:   Thu May 24 17:56:43 2018 -0700

    openvswitch: Support conntrack zone limit

    Currently, nf_conntrack_max is used to limit the maximum number of
    conntrack entries in the conntrack table for every network namespace.
    For the VMs and containers that reside in the same namespace,
    they share the same conntrack table, and the total # of conntrack entries
    for all the VMs and containers is limited by nf_conntrack_max.  In this
    case, if one of the VMs/containers abuses the usage of the conntrack
    entries, it blocks the others from committing valid conntrack entries into
    the conntrack table.  Even if we can possibly put the VMs in different
    network namespaces, the current nf_conntrack_max configuration is kind of
    rigid in that we cannot limit different VMs/containers to have a different
    # of conntrack entries.

    To address the aforementioned issue, this patch proposes to have a
    fine-grained mechanism that could further limit the # of conntrack entries
    per-zone.  For example, we can designate different zone to different VM,
    and set conntrack limit to each zone.  By providing this isolation, a
    mis-behaved VM only consumes the conntrack entries in its own zone, and
    it will not influence other well-behaved VMs.  Moreover, the users can
    set various conntrack limit to different zone based on their preference.

    The proposed implementation utilizes Netfilter's nf_conncount backend
    to count the number of connections in a particular zone.  If the number of
    connections is above a configured limitation, ovs will return ENOMEM to the
    userspace.  If userspace does not configure the zone limit, the limit
    defaults to zero, that is, no limitation, which is backward compatible with
    the behavior without this patch.

    The following high level APIs are provided to the userspace:
      - OVS_CT_LIMIT_CMD_SET:
        * set default connection limit for all zones
        * set the connection limit for a particular zone
      - OVS_CT_LIMIT_CMD_DEL:
        * remove the connection limit for a particular zone
      - OVS_CT_LIMIT_CMD_GET:
        * get the default connection limit for all zones
        * get the connection limit for a particular zone

    Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: bc2f176e28ea69399bf86fec95996e4e187fe2b6
      https://github.com/openvswitch/ovs/commit/bc2f176e28ea69399bf86fec95996e4e187fe2b6
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/ct-dpif.c
    M lib/ct-dpif.h
    M lib/dpif-netdev.c
    M lib/dpif-netlink.c
    M lib/dpif-provider.h

  Log Message:
  -----------
  dpif: Support conntrack zone limit.

This patch defines the dpif interface to support conntrack
per zone limit.  Basically, OVS users can use this interface
to set, delete, and get the conntrack per zone limit for various
dpif interfaces.  The following patch will make use of the proposed
interface to implement the feature.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 35c651daa04918d1ba30d01d4bb8818413ea7993
      https://github.com/openvswitch/ovs/commit/35c651daa04918d1ba30d01d4bb8818413ea7993
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/ct-dpif.c
    M lib/ct-dpif.h

  Log Message:
  -----------
  ct-dpif: Helper functions for conntrack zone limit

This patch implements some helper functions for conntrack zone limit.
They will be useful for the following patches.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 01c04841d4c135ac7772a169ad100c1a9db42497
      https://github.com/openvswitch/ovs/commit/01c04841d4c135ac7772a169ad100c1a9db42497
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/dpif-netlink.c

  Log Message:
  -----------
  dpif-netlink: Implement conntrack zone limit

This patch provides the implementation of conntrack zone limit
in dpif-netlink.  It basically utilizes the netlink API to
communicate with the OVS kernel module to set, delete, and get conntrack
zone limits.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 6f825a8a4170e34ac453cc69fec932b2fc9ba490
      https://github.com/openvswitch/ovs/commit/6f825a8a4170e34ac453cc69fec932b2fc9ba490
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/dpctl.c

  Log Message:
  -----------
  dpctl: Export next argument to be parsed in opt_dpif_open().

Make opt_dpif_open() export the next argument to be parsed.
It will be useful for the following patches.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 6e462049a5b5f173c56884fd91615d86f27b771b
      https://github.com/openvswitch/ovs/commit/6e462049a5b5f173c56884fd91615d86f27b771b
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M Documentation/faq/releases.rst
    M NEWS
    M lib/ct-dpif.c
    M lib/ct-dpif.h
    M lib/dpctl.c
    M lib/dpctl.man

  Log Message:
  -----------
  dpctl: Implement dpctl commands for conntrack per zone limit

This patch implements the following three commands on dpctl so that
users can use ovs-dpctl or ovs-appctl to set, delete, and get the
per zone limit.

For example,

$ ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=3
$ ovs-appctl dpctl/ct-del-limits zone=0
$ ovs-appctl dpctl/ct-get-limits zone=1,2,3

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>
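An added example, not code from the OVS tree: a Python model of the per-zone limit semantics described in the "Support conntrack zone limit" commit above (limit 0 means unlimited, a per-zone value overrides the default, a zone at its limit gets ENOMEM), with a parser for the dpctl/ct-set-limits argument syntax shown in the dpctl commit. ZoneLimitTable and its methods are hypothetical names; the counting done by nf_conncount in the kernel is stood in for by a plain dictionary.

```python
# Added illustration (not OVS code): models the conntrack per-zone limit
# policy and the "default=N" / "zone=Z,limit=N" words accepted by
# dpctl/ct-set-limits.  All names here are hypothetical.
import errno

UNLIMITED = 0  # a limit of 0 means "no limit"; it is the default when unset


class ZoneLimitTable:
    """A default limit, per-zone overrides and live per-zone counts."""

    def __init__(self):
        self.default = UNLIMITED
        self.zone_limits = {}  # zone id -> limit (OVS_CT_LIMIT_CMD_SET)
        self.counts = {}       # zone id -> committed entries (nf_conncount's job)

    def set_limits(self, argv):
        """Parse the ct-set-limits words: 'default=N' or 'zone=Z,limit=N'."""
        for word in argv:
            if word.startswith("default="):
                self.default = int(word[len("default="):])
                continue
            fields = dict(kv.split("=", 1) for kv in word.split(","))
            if set(fields) != {"zone", "limit"}:
                raise ValueError("expected zone=Z,limit=N, got %r" % word)
            self.zone_limits[int(fields["zone"])] = int(fields["limit"])

    def del_limits(self, zones):
        """OVS_CT_LIMIT_CMD_DEL: the zone falls back to the default limit."""
        for zone in zones:
            self.zone_limits.pop(zone, None)

    def limit_for(self, zone):
        """OVS_CT_LIMIT_CMD_GET: the per-zone value if set, else the default."""
        return self.zone_limits.get(zone, self.default)

    def commit(self, zone):
        """Return 0 if a new entry fits in the zone, errno.ENOMEM if it is full."""
        limit = self.limit_for(zone)
        if limit != UNLIMITED and self.counts.get(zone, 0) >= limit:
            return errno.ENOMEM  # a misbehaving zone only exhausts itself
        self.counts[zone] = self.counts.get(zone, 0) + 1
        return 0


def demo():
    table = ZoneLimitTable()
    table.set_limits(["default=10", "zone=0,limit=5", "zone=1,limit=3"])
    results = [table.commit(1) for _ in range(4)]  # 3 succeed, the 4th hits the cap
    other_zone = table.commit(0)                   # zone 0 is isolated from zone 1
    table.del_limits([0])                          # zone 0 now uses default=10
    return results, other_zone, table.limit_for(0)
```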


  Commit: aefb5ae8c229345abb276a5c4b5241db81dc64e5
      https://github.com/openvswitch/ovs/commit/aefb5ae8c229345abb276a5c4b5241db81dc64e5
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M tests/system-traffic.at

  Log Message:
  -----------
  system-traffic: Add conntrack per zone limit test case

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/fdcdc5e948b0...aefb5ae8c229

