diff --git a/SOURCES/openvswitch-3.3.0.patch b/SOURCES/openvswitch-3.3.0.patch index 3a96bc8..1bc8761 100644 --- a/SOURCES/openvswitch-3.3.0.patch +++ b/SOURCES/openvswitch-3.3.0.patch @@ -740,6 +740,41 @@ index e952a686b5..89b2116734 100644 Jumbo Frames ------------ +diff --git a/Documentation/topics/userspace-tso.rst b/Documentation/topics/userspace-tso.rst +index a21bb2b5de..07bdc29465 100644 +--- a/Documentation/topics/userspace-tso.rst ++++ b/Documentation/topics/userspace-tso.rst +@@ -109,9 +109,9 @@ then started again. OvS will then report:: + Limitations + ~~~~~~~~~~~ + +-The current OvS userspace `TSO` implementation supports flat and VLAN networks +-only (i.e. no support for `TSO` over tunneled connection [VxLAN, GRE, IPinIP, +-etc.]). ++The current OvS userspace `TSO` implementation supports flat, VLAN networks, ++and some tunneled connections. Currently only VxLAN and Geneve tunnels are ++supported. + + The NIC driver must support and advertise checksum offload for TCP and UDP. + However, SCTP is not mandatory because very few drivers advertised support +@@ -120,11 +120,12 @@ in Open vSwitch. Currently, if the NIC supports that, then the feature is + enabled, otherwise TSO can still be enabled but SCTP packets sent to the NIC + will be dropped. + +-There is no software implementation of TSO, so all ports attached to the +-datapath must support TSO or packets using that feature will be dropped +-on ports without TSO support. That also means guests using vhost-user +-in client mode will receive TSO packet regardless of TSO being enabled +-or disabled within the guest. ++There is no software implementation of TSO in conjunction with tunnels. So ++when VxLAN or Geneve tunnels are in use, all ports attached to the datapath ++must support TSO or packets using this combination of features will be dropped ++on ports without hardware TSO support. That also means guests using ++vhost-user in client mode will receive TSO packet regardless of TSO being ++enabled or disabled within the guest. + + All kernel devices that use the raw socket interface (veth, for example) + require the kernel commit 9d2f67e43b73 ("net/packet: fix packet drop as of diff --git a/Makefile.am b/Makefile.am index 94f488d183..23c3417a70 100644 --- a/Makefile.am @@ -860,6 +895,19 @@ index 05afbb9cc8..e1e8e337c3 100644 AC_SUBST([CFLAGS]) AC_SUBST([OVS_CFLAGS]) AC_SUBST([OVS_LDFLAGS]) +diff --git a/debian/automake.mk b/debian/automake.mk +index 7b2afafae1..18be99bfac 100644 +--- a/debian/automake.mk ++++ b/debian/automake.mk +@@ -56,8 +56,6 @@ EXTRA_DIST += \ + debian/openvswitch-vtep.init \ + debian/openvswitch-vtep.install \ + debian/ovs-systemd-reload \ +- debian/patches/ovs-ctl-ipsec.patch \ +- debian/patches/series \ + debian/rules \ + debian/source/format \ + debian/source/lintian-overrides \ diff --git a/debian/changelog b/debian/changelog index 2049ddaa26..14d0e95e8a 100644 --- a/debian/changelog @@ -892,6 +940,110 @@ index 2049ddaa26..14d0e95e8a 100644 openvswitch (3.3.0-1) unstable; urgency=low * New upstream version +diff --git a/debian/control.in b/debian/control.in +index f9eea897ed..99b2b0d5df 100644 +--- a/debian/control.in ++++ b/debian/control.in +@@ -39,6 +39,7 @@ Rules-Requires-Root: no + Homepage: http://openvswitch.org/ + Vcs-Browser: https://salsa.debian.org/openstack-team/third-party/openvswitch/-/tree/debian/experimental + Vcs-Git: https://salsa.debian.org/openstack-team/third-party/openvswitch.git ++X-Python3-Version: >= 3.10 + + Package: openvswitch-common + Architecture: linux-any +@@ -94,7 +95,6 @@ Depends: + python3-openvswitch (= ${source:Version}), + strongswan, + ${misc:Depends}, +- ${shlibs:Depends}, + Suggests: python3:any + Breaks: + openvswitch-common (<< 2.17~), +@@ -258,7 +258,6 @@ Depends: + openvswitch-switch (>= ${binary:Version}), + python3-openvswitch (>= ${source:Version}), + ${misc:Depends}, +- ${python3:Depends}, + ${shlibs:Depends}, + Suggests: python3:any + Breaks: +diff --git a/debian/openvswitch-ipsec.service b/debian/openvswitch-ipsec.service +index 608a6a6188..51b9b315a0 100644 +--- a/debian/openvswitch-ipsec.service ++++ b/debian/openvswitch-ipsec.service +@@ -6,7 +6,8 @@ After=openvswitch-switch.service + [Service] + Type=forking + PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid +-ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ ++Restart=on-failure ++ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \ + --ike-daemon=strongswan start-ovs-ipsec + ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec + +diff --git a/debian/openvswitch-switch.ovs-vswitchd.service b/debian/openvswitch-switch.ovs-vswitchd.service +index 519d80d8ed..a4d445b953 100644 +--- a/debian/openvswitch-switch.ovs-vswitchd.service ++++ b/debian/openvswitch-switch.ovs-vswitchd.service +@@ -11,6 +11,7 @@ DefaultDependencies=no + [Service] + LimitNOFILE=1048576 + Type=forking ++PIDFile=/run/openvswitch/ovs-vswitchd.pid + Restart=on-failure + Environment=HOME=/var/run/openvswitch + EnvironmentFile=-/etc/default/openvswitch-switch +diff --git a/debian/openvswitch-switch.ovsdb-server.service b/debian/openvswitch-switch.ovsdb-server.service +index 339665b255..35654d7059 100644 +--- a/debian/openvswitch-switch.ovsdb-server.service ++++ b/debian/openvswitch-switch.ovsdb-server.service +@@ -8,6 +8,7 @@ DefaultDependencies=no + [Service] + LimitNOFILE=1048576 + Type=forking ++PIDFile=/run/openvswitch/ovsdb-server.pid + Restart=on-failure + EnvironmentFile=-/etc/default/openvswitch-switch + ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ +@@ -18,6 +19,3 @@ ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop + ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \ + --no-record-hostname \ + --no-monitor restart $OVS_CTL_OPTS +-RuntimeDirectory=openvswitch +-RuntimeDirectoryMode=0755 +-RuntimeDirectoryPreserve=yes +diff --git a/debian/patches/ovs-ctl-ipsec.patch b/debian/patches/ovs-ctl-ipsec.patch +deleted file mode 100644 +index 63375cd47d..0000000000 +--- a/debian/patches/ovs-ctl-ipsec.patch ++++ /dev/null +@@ -1,18 +0,0 @@ +-Description: Don't monitor ipsec daemon +- For Ubuntu systemd will monitor the ovs-monitor-ipsec daemon so +- there is no need to spawn a separate monitor thread to deal with +- restarts. Doing so has the side effect of confusing systemd into +- monitoring the wrong process. +-Author: James Page +-Forwarded: not-needed +- +---- a/utilities/ovs-ctl.in +-+++ b/utilities/ovs-ctl.in +-@@ -245,7 +245,7 @@ start_ovs_ipsec () { +- --pidfile=${rundir}/ovs-monitor-ipsec.pid \ +- --ike-daemon=$IKE_DAEMON \ +- $no_restart \ +-- --log-file --detach --monitor unix:${rundir}/db.sock || return 1 +-+ --log-file --detach unix:${rundir}/db.sock || return 1 +- return 0 +- } +diff --git a/debian/patches/series b/debian/patches/series +deleted file mode 100644 +index 87a2a1d97c..0000000000 +--- a/debian/patches/series ++++ /dev/null +@@ -1 +0,0 @@ +-ovs-ctl-ipsec.patch diff --git a/include/openvswitch/compiler.h b/include/openvswitch/compiler.h index 878c5c6a70..ecb91801cc 100644 --- a/include/openvswitch/compiler.h @@ -2192,7 +2344,7 @@ index 5788294ae0..f7035333e6 100644 } diff --git a/lib/flow.c b/lib/flow.c -index 8e3402388c..9be4375246 100644 +index 8e3402388c..0eb34892f2 100644 --- a/lib/flow.c +++ b/lib/flow.c @@ -408,7 +408,8 @@ parse_ethertype(const void **datap, size_t *sizep) @@ -2214,6 +2366,15 @@ index 8e3402388c..9be4375246 100644 struct eth_addr arp_buf[2]; /* This will populate whether we received Option 1 * or Option 2. */ +@@ -1186,7 +1187,7 @@ parse_dl_type(const void **datap, size_t *sizep, ovs_be16 *first_vlan_tci_p) + * If 'packet' is not an Ethernet packet embedding TCP, returns 0. + * 'dl_type_p' will be set only if the 'packet' is an Ethernet packet. + * 'nw_frag_p' will be set only if the 'packet' is an IP packet. +- * 'first_vlan_tci' will be set only if the 'packet' contains vlan header. ++ * 'first_vlan_tci_p' will be set only if the 'packet' contains vlan header. + * + * The caller must ensure that 'packet' is at least ETH_HEADER_LEN bytes + * long.'*/ @@ -3420,6 +3421,24 @@ flow_compose(struct dp_packet *p, const struct flow *flow, arp->ar_sha = flow->arp_sha; arp->ar_tha = flow->arp_tha; @@ -2264,10 +2425,38 @@ index c722f3c3cc..3d574de9b4 100644 if (n) { diff --git a/lib/ipf.c b/lib/ipf.c -index 7d74e2c131..2d715f5e9d 100644 +index 7d74e2c131..da50307a98 100644 --- a/lib/ipf.c +++ b/lib/ipf.c -@@ -506,13 +506,15 @@ ipf_reassemble_v6_frags(struct ipf_list *ipf_list) +@@ -410,11 +410,12 @@ ipf_reassemble_v4_frags(struct ipf_list *ipf_list) + dp_packet_set_size(pkt, dp_packet_size(pkt) - dp_packet_l2_pad_size(pkt)); + struct ip_header *l3 = dp_packet_l3(pkt); + int len = ntohs(l3->ip_tot_len); ++ int orig_len = dp_packet_size(pkt); + + int rest_len = frag_list[ipf_list->last_inuse_idx].end_data_byte - + frag_list[1].start_data_byte + 1; + +- if (len + rest_len > IPV4_PACKET_MAX_SIZE) { ++ if (orig_len + rest_len > IPV4_PACKET_MAX_SIZE) { + ipf_print_reass_packet( + "Unsupported big reassembled v4 packet; v4 hdr:", l3); + dp_packet_delete(pkt); +@@ -459,11 +460,12 @@ ipf_reassemble_v6_frags(struct ipf_list *ipf_list) + dp_packet_set_size(pkt, dp_packet_size(pkt) - dp_packet_l2_pad_size(pkt)); + struct ovs_16aligned_ip6_hdr *l3 = dp_packet_l3(pkt); + int pl = ntohs(l3->ip6_plen) - sizeof(struct ovs_16aligned_ip6_frag); ++ int orig_len = dp_packet_size(pkt); + + int rest_len = frag_list[ipf_list->last_inuse_idx].end_data_byte - + frag_list[1].start_data_byte + 1; + +- if (pl + rest_len > IPV6_PACKET_MAX_DATA) { ++ if (orig_len + rest_len > IPV6_PACKET_MAX_DATA) { + ipf_print_reass_packet( + "Unsupported big reassembled v6 packet; v6 hdr:", l3); + dp_packet_delete(pkt); +@@ -506,13 +508,15 @@ ipf_reassemble_v6_frags(struct ipf_list *ipf_list) } /* Called when a frag list state transitions to another state. This is @@ -2285,7 +2474,7 @@ index 7d74e2c131..2d715f5e9d 100644 enum ipf_list_state next_state; switch (curr_state) { case IPF_LIST_STATE_UNUSED: -@@ -562,12 +564,15 @@ ipf_list_state_transition(struct ipf *ipf, struct ipf_list *ipf_list, +@@ -562,12 +566,15 @@ ipf_list_state_transition(struct ipf *ipf, struct ipf_list *ipf_list, ipf_reassembled_list_add(&ipf->reassembled_pkt_list, rp); ipf_expiry_list_remove(ipf_list); next_state = IPF_LIST_STATE_COMPLETED; @@ -2301,7 +2490,7 @@ index 7d74e2c131..2d715f5e9d 100644 } /* Some sanity checks are redundant, but prudent, in case code paths for -@@ -799,7 +804,8 @@ ipf_is_frag_duped(const struct ipf_frag *frag_list, int last_inuse_idx, +@@ -799,7 +806,8 @@ ipf_is_frag_duped(const struct ipf_frag *frag_list, int last_inuse_idx, static bool ipf_process_frag(struct ipf *ipf, struct ipf_list *ipf_list, struct dp_packet *pkt, uint16_t start_data_byte, @@ -2311,7 +2500,7 @@ index 7d74e2c131..2d715f5e9d 100644 OVS_REQUIRES(ipf->ipf_lock) { bool duped_frag = ipf_is_frag_duped(ipf_list->frag_list, -@@ -820,7 +826,7 @@ ipf_process_frag(struct ipf *ipf, struct ipf_list *ipf_list, +@@ -820,7 +828,7 @@ ipf_process_frag(struct ipf *ipf, struct ipf_list *ipf_list, ipf_list->last_inuse_idx++; atomic_count_inc(&ipf->nfrag); ipf_count(ipf, v6, IPF_NFRAGS_ACCEPTED); @@ -2320,7 +2509,7 @@ index 7d74e2c131..2d715f5e9d 100644 } else { OVS_NOT_REACHED(); } -@@ -853,7 +859,8 @@ ipf_list_init(struct ipf_list *ipf_list, struct ipf_list_key *key, +@@ -853,7 +861,8 @@ ipf_list_init(struct ipf_list *ipf_list, struct ipf_list_key *key, * to a list of fragemnts. */ static bool ipf_handle_frag(struct ipf *ipf, struct dp_packet *pkt, ovs_be16 dl_type, @@ -2330,7 +2519,7 @@ index 7d74e2c131..2d715f5e9d 100644 OVS_REQUIRES(ipf->ipf_lock) { struct ipf_list_key key; -@@ -922,7 +929,7 @@ ipf_handle_frag(struct ipf *ipf, struct dp_packet *pkt, ovs_be16 dl_type, +@@ -922,7 +931,7 @@ ipf_handle_frag(struct ipf *ipf, struct dp_packet *pkt, ovs_be16 dl_type, } return ipf_process_frag(ipf, ipf_list, pkt, start_data_byte, @@ -2339,7 +2528,7 @@ index 7d74e2c131..2d715f5e9d 100644 } /* Filters out fragments from a batch of fragments and adjust the batch. */ -@@ -941,11 +948,17 @@ ipf_extract_frags_from_batch(struct ipf *ipf, struct dp_packet_batch *pb, +@@ -941,11 +950,17 @@ ipf_extract_frags_from_batch(struct ipf *ipf, struct dp_packet_batch *pb, || (dl_type == htons(ETH_TYPE_IPV6) && ipf_is_valid_v6_frag(ipf, pkt)))) { @@ -2358,7 +2547,7 @@ index 7d74e2c131..2d715f5e9d 100644 dp_packet_delete(pkt); } ovs_mutex_unlock(&ipf->ipf_lock); -@@ -1063,6 +1076,9 @@ ipf_send_completed_frags(struct ipf *ipf, struct dp_packet_batch *pb, +@@ -1063,6 +1078,9 @@ ipf_send_completed_frags(struct ipf *ipf, struct dp_packet_batch *pb, struct ipf_list *ipf_list; LIST_FOR_EACH_SAFE (ipf_list, list_node, &ipf->frag_complete_list) { @@ -2368,7 +2557,7 @@ index 7d74e2c131..2d715f5e9d 100644 if (ipf_send_frags_in_list(ipf, ipf_list, pb, IPF_FRAG_COMPLETED_LIST, v6, now)) { ipf_completed_list_clean(&ipf->frag_lists, ipf_list); -@@ -1096,6 +1112,9 @@ ipf_send_expired_frags(struct ipf *ipf, struct dp_packet_batch *pb, +@@ -1096,6 +1114,9 @@ ipf_send_expired_frags(struct ipf *ipf, struct dp_packet_batch *pb, size_t lists_removed = 0; LIST_FOR_EACH_SAFE (ipf_list, list_node, &ipf->frag_exp_list) { @@ -2378,7 +2567,7 @@ index 7d74e2c131..2d715f5e9d 100644 if (now <= ipf_list->expiration || lists_removed >= IPF_FRAG_LIST_MAX_EXPIRED) { break; -@@ -1116,7 +1135,8 @@ ipf_send_expired_frags(struct ipf *ipf, struct dp_packet_batch *pb, +@@ -1116,7 +1137,8 @@ ipf_send_expired_frags(struct ipf *ipf, struct dp_packet_batch *pb, /* Adds a reassmebled packet to a packet batch to be processed by the caller. */ static void @@ -2388,7 +2577,7 @@ index 7d74e2c131..2d715f5e9d 100644 { if (ovs_list_is_empty(&ipf->reassembled_pkt_list)) { return; -@@ -1127,6 +1147,7 @@ ipf_execute_reass_pkts(struct ipf *ipf, struct dp_packet_batch *pb) +@@ -1127,6 +1149,7 @@ ipf_execute_reass_pkts(struct ipf *ipf, struct dp_packet_batch *pb) LIST_FOR_EACH_SAFE (rp, rp_list_node, &ipf->reassembled_pkt_list) { if (!rp->list->reass_execute_ctx && @@ -2396,7 +2585,7 @@ index 7d74e2c131..2d715f5e9d 100644 ipf_dp_packet_batch_add(pb, rp->pkt, false)) { rp->list->reass_execute_ctx = rp->pkt; } -@@ -1237,7 +1258,7 @@ ipf_preprocess_conntrack(struct ipf *ipf, struct dp_packet_batch *pb, +@@ -1237,7 +1260,7 @@ ipf_preprocess_conntrack(struct ipf *ipf, struct dp_packet_batch *pb, } if (ipf_get_enabled(ipf) || atomic_count_get(&ipf->nfrag)) { @@ -3476,7 +3665,7 @@ index eb55dd0417..5d8f1672a8 100644 void * netdev_tnl_ip_extract_tnl_md(struct dp_packet *packet, struct flow_tnl *tnl, diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c -index 921d523177..3be1c08d24 100644 +index 921d523177..44b056535f 100644 --- a/lib/netdev-offload-tc.c +++ b/lib/netdev-offload-tc.c @@ -400,6 +400,8 @@ get_next_available_prio(ovs_be16 protocol) @@ -3488,6 +3677,66 @@ index 921d523177..3be1c08d24 100644 } } +@@ -1488,6 +1490,31 @@ parse_put_flow_ct_action(struct tc_flower *flower, + return 0; + } + ++/* This function returns true if the tc layer will add a l4 checksum action ++ * for this set action. Refer to the csum_update_flag() function for ++ * detailed logic. Note that even the kernel only supports updating TCP, ++ * UDP and ICMPv6. ++ */ ++static bool ++tc_will_add_l4_checksum(struct tc_flower *flower, int type) ++{ ++ switch (type) { ++ case OVS_KEY_ATTR_IPV4: ++ case OVS_KEY_ATTR_IPV6: ++ case OVS_KEY_ATTR_TCP: ++ case OVS_KEY_ATTR_UDP: ++ switch (flower->key.ip_proto) { ++ case IPPROTO_TCP: ++ case IPPROTO_UDP: ++ case IPPROTO_ICMPV6: ++ case IPPROTO_UDPLITE: ++ return true; ++ } ++ break; ++ } ++ return false; ++} ++ + static int + parse_put_flow_set_masked_action(struct tc_flower *flower, + struct tc_action *action, +@@ -1520,6 +1547,14 @@ parse_put_flow_set_masked_action(struct tc_flower *flower, + return EOPNOTSUPP; + } + ++ if (flower->key.flags & TCA_FLOWER_KEY_FLAGS_IS_FRAGMENT ++ && tc_will_add_l4_checksum(flower, type)) { ++ VLOG_DBG_RL(&rl, "set action type %d not supported on fragments " ++ "due to checksum limitation", type); ++ ofpbuf_uninit(&set_buf); ++ return EOPNOTSUPP; ++ } ++ + for (i = 0; i < ARRAY_SIZE(set_flower_map[type]); i++) { + struct netlink_field *f = &set_flower_map[type][i]; + +@@ -2445,6 +2480,12 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, + } + + mask->nw_frag = 0; ++ } else { ++ /* This scenario should not occur. Currently, all installed IP DP ++ * flows perform a fully masked match on the fragmentation bits. ++ * However, since TC depends on this behavior, we return ENOTSUPP ++ * for now in case this behavior changes in the future. */ ++ return EOPNOTSUPP; + } + + if (key->nw_proto == IPPROTO_TCP) { diff --git a/lib/netlink-notifier.c b/lib/netlink-notifier.c index dfecb97789..7ea5a41818 100644 --- a/lib/netlink-notifier.c @@ -4123,10 +4372,22 @@ index 48d18b6518..b7addbf390 100644 json_string_create_nocopy(table_format_timestamp__())); } diff --git a/lib/tc.c b/lib/tc.c -index e9bcae4e4b..e55ba3b1bb 100644 +index e9bcae4e4b..2510d0a3ff 100644 --- a/lib/tc.c +++ b/lib/tc.c -@@ -3056,17 +3056,17 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf *request, +@@ -2958,7 +2958,10 @@ csum_update_flag(struct tc_flower *flower, + * eth(dst=),eth_type(0x0800) actions=set(ipv4(src=)) + * we need to force a more specific flow as this can, for example, + * need a recalculation of icmp checksum if the packet that passes +- * is ICMPv6 and tcp checksum if its tcp. */ ++ * is ICMPv6 and tcp checksum if its tcp. ++ * ++ * This section of the code must be kept in sync with the pre-check ++ * function in netdev-offload-tc.c, tc_will_add_l4_checksum(). */ + + switch (htype) { + case TCA_PEDIT_KEY_EX_HDR_TYPE_IP4: +@@ -3056,17 +3059,17 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf *request, struct tc_action *action, uint32_t action_pc) { @@ -4152,7 +4413,7 @@ index e9bcae4e4b..e55ba3b1bb 100644 for (i = 0; i < ARRAY_SIZE(flower_pedit_map); i++) { struct flower_key_to_pedit *m = &flower_pedit_map[i]; struct tc_pedit_key *pedit_key = NULL; -@@ -3100,8 +3100,8 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf *request, +@@ -3100,8 +3103,8 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf *request, return EOPNOTSUPP; } @@ -4163,7 +4424,7 @@ index e9bcae4e4b..e55ba3b1bb 100644 pedit_key_ex->cmd = TCA_PEDIT_KEY_EX_CMD_SET; pedit_key_ex->htype = m->htype; pedit_key->off = cur_offset; -@@ -3121,7 +3121,7 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf *request, +@@ -3121,7 +3124,7 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf *request, } } } @@ -4884,7 +5145,7 @@ index 2f858e19d5..3db6444de6 100755 print(".PE") - diff --git a/ovsdb/ovsdb-client.c b/ovsdb/ovsdb-client.c -index 7249805bab..cf2ecfd08a 100644 +index 7249805bab..8902c90fe0 100644 --- a/ovsdb/ovsdb-client.c +++ b/ovsdb/ovsdb-client.c @@ -451,8 +451,9 @@ usage(void) @@ -4899,6 +5160,15 @@ index 7249805bab..cf2ecfd08a 100644 "\n backup [SERVER] [DATABASE] > SNAPSHOT\n" " dump database contents in the form of a database file\n" "\n [--force] restore [SERVER] [DATABASE] < SNAPSHOT\n" +@@ -552,7 +553,7 @@ static void + check_ovsdb_error(struct ovsdb_error *error) + { + if (error) { +- ovs_fatal(0, "%s", ovsdb_error_to_string(error)); ++ ovs_fatal(0, "%s", ovsdb_error_to_string_free(error)); + } + } + diff --git a/ovsdb/ovsdb-doc b/ovsdb/ovsdb-doc index 099770d253..2edf487a28 100755 --- a/ovsdb/ovsdb-doc @@ -5182,6 +5452,19 @@ index b51fd42fe5..a876f8bcf7 100644 } unixctl_command_register("exit", "", 0, 0, ovsdb_server_exit, &exiting); +diff --git a/ovsdb/ovsdb-tool.c b/ovsdb/ovsdb-tool.c +index facd680ff3..354382f111 100644 +--- a/ovsdb/ovsdb-tool.c ++++ b/ovsdb/ovsdb-tool.c +@@ -247,7 +247,7 @@ static void + check_ovsdb_error(struct ovsdb_error *error) + { + if (error) { +- ovs_fatal(0, "%s", ovsdb_error_to_string(error)); ++ ovs_fatal(0, "%s", ovsdb_error_to_string_free(error)); + } + } + diff --git a/ovsdb/raft.c b/ovsdb/raft.c index f463afcb3d..ac3d37ac40 100644 --- a/ovsdb/raft.c @@ -5959,6 +6242,20 @@ index 5d24ebcda8..650a274bee 100644 PYTHON3=%{__python3} build-aux/dpdkstrip.py \ +diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service +index 92dad44f93..a4bf475d0c 100644 +--- a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service ++++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service +@@ -6,7 +6,8 @@ After=openvswitch.service + [Service] + Type=forking + PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid +-ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ ++Restart=on-failure ++ExecStart=/usr/share/openvswitch/scripts/ovs-ctl --no-monitor \ + --ike-daemon=libreswan start-ovs-ipsec + ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec + diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service index 49dc06e38c..558632320c 100644 --- a/rhel/usr_lib_systemd_system_ovsdb-server.service @@ -7576,10 +7873,25 @@ index d3d27133b9..4ab384d89c 100644 +OVS_TRAFFIC_VSWITCHD_STOP() +AT_CLEANUP diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at -index 5203b1df80..a48bd532a0 100644 +index 5203b1df80..7a7a19f7e4 100644 --- a/tests/system-kmod-macros.at +++ b/tests/system-kmod-macros.at -@@ -267,3 +267,94 @@ m4_define([OVS_CHECK_BAREUDP], +@@ -202,6 +202,14 @@ m4_define([DPCTL_CHECK_FRAGMENTATION_FAIL], + + ]) + ++# OVS_CHECK_FRAG_LARGE ++# ++# This check isn't valid for kernel ++m4_define([OVS_CHECK_FRAG_LARGE], ++[ ++ ++]) ++ + # OVS_CHECK_MIN_KERNEL([minversion], [minsublevel]) + # + # Skip test if kernel version falls below minversion.minsublevel +@@ -267,3 +275,94 @@ m4_define([OVS_CHECK_BAREUDP], AT_SKIP_IF([! ip link add dev ovs_bareudp0 type bareudp dstport 6635 ethertype mpls_uc 2>&1 >/dev/null]) AT_CHECK([ip link del dev ovs_bareudp0]) ]) @@ -7873,7 +8185,7 @@ index 3d84a53182..03ec01270f 100644 OVS_TRAFFIC_VSWITCHD_STOP(["/.*ethtool command ETHTOOL_G.*/d"]) diff --git a/tests/system-traffic.at b/tests/system-traffic.at -index 98e494abf4..07dabe7988 100644 +index 98e494abf4..e79f55c13f 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -38,7 +38,7 @@ NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], @@ -8035,7 +8347,106 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-flows | strip_stats | strip_used | dnl strip_key32 | strip_ptype | strip_eth | strip_recirc | dnl -@@ -2407,20 +2419,29 @@ dnl The flow will encap a mpls header to the ip packet +@@ -2390,6 +2402,98 @@ recirc_id(),in_port(2),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(ty + OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([datapath - mod_nw_src/set_field on IP fragments]) ++AT_SKIP_IF([test $HAVE_TCPDUMP = no]) ++OVS_TRAFFIC_VSWITCHD_START() ++ ++ADD_NAMESPACES(at_ns0, at_ns1) ++ ++ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", 36:b1:ee:7c:01:03) ++ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", 36:b1:ee:7c:01:02) ++ ++AT_DATA([flows.txt], [dnl ++ in_port=ovs-p0,ip,nw_src=10.1.1.1 actions=mod_nw_src=11.1.1.1,ovs-p1 ++ in_port=ovs-p0,ipv6,ipv6_src=fc00::1 actions=set_field:fc00::100->ipv6_src,ovs-p1 ++]) ++ ++AT_CHECK([ovs-ofctl del-flows br0]) ++AT_CHECK([ovs-ofctl -Oopenflow13 add-flows br0 flows.txt]) ++ ++NETNS_DAEMONIZE([at_ns1], ++ [tcpdump -l -nn -xx -U -i p1 -w p1.pcap 2> tcpdump.err], ++ [tcpdump.pid]) ++OVS_WAIT_UNTIL([grep "listening" tcpdump.err]) ++ ++dnl IPv4 Packet content: ++dnl Ethernet II, Src: 36:b1:ee:7c:01:03, Dst: 36:b1:ee:7c:01:02 ++dnl Type: IPv4 (0x0800) ++dnl Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.1.1.2 ++dnl 0100 .... = Version: 4 ++dnl .... 0101 = Header Length: 20 bytes (5) ++dnl Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) ++dnl Total Length: 38 ++dnl Identification: 0x0001 (1) ++dnl 001. .... = Flags: 0x1, More fragments ++dnl 0... .... = Reserved bit: Not set ++dnl .0.. .... = Don't fragment: Not set ++dnl ..1. .... = More fragments: Set ++dnl ...0 0000 0000 0000 = Fragment Offset: 0 ++dnl Time to Live: 64 ++dnl Protocol: UDP (17) ++dnl Header Checksum: 0x44c2 ++dnl Data (18 bytes) ++eth="36 b1 ee 7c 01 02 36 b1 ee 7c 01 03 08 00" ++ip="45 00 00 26 00 01 20 00 40 11 44 c2 0a 01 01 01 0a 01 01 02" ++data="0b c4 08 84 00 26 e9 64 01 02 03 04 05 06 07 08 09 0a" ++packet="${eth} ${ip} ${data}" ++ ++dnl We send each packet multiple times, one for learning, which will go to ++dnl ovs-vswitchd, and the others will go through the actual datapath. ++for i in 1 2 3 4 5; do ++ NS_CHECK_EXEC([at_ns0], ++ [$PYTHON3 $srcdir/sendpkt.py p0 ${packet} > /dev/null]) ++done ++ ++dnl Update source address and checksums in original packet for comparison. ++packet=$(echo "$packet" | sed -e 's/ //g' \ ++ -e 's/0a010101/0b010101/g' -e 's/44c2/43c2/g' -e 's/e964/e864/g') ++OVS_WAIT_UNTIL([test $(ovs-pcap p1.pcap | grep -c "${packet}") -eq 5]) ++ ++dnl Repeat similar test with IPv6. ++dnl Packet content: ++dnl Ethernet II, Src: 36:b1:ee:7c:01:03, Dst: 36:b1:ee:7c:01:02 ++dnl Type: IPv6 (0x86dd) ++dnl Internet Protocol Version 6, Src: fc00::1, Dst: fc00::2 ++dnl Payload Length: 24 ++dnl Next Header: Fragment Header for IPv6 (44) ++dnl Hop Limit: 64 ++dnl Fragment Header for IPv6 ++dnl Next header: UDP (17) ++dnl Reserved octet: 0x00 ++dnl 0000 0000 0000 0... = Offset: 0 (0 bytes) ++dnl .... .... .... .00. = Reserved bits: 0 ++dnl .... .... .... ...1 = More Fragments: Yes ++dnl Identification: 0x2316ab36 ++dnl Data (16 bytes) ++eth="36 b1 ee 7c 01 02 36 b1 ee 7c 01 03 86 dd" ++ip="60 00 00 00 00 18 2c 40 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 \ ++ fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 11 00 00 01 23 16 ab 36" ++data="0b c4 08 84 00 26 07 65 01 02 03 04 05 06 07 08" ++packet="${eth} ${ip} ${data}" ++ ++for i in 1 2 3 4 5; do ++ NS_CHECK_EXEC([at_ns0], ++ [$PYTHON3 $srcdir/sendpkt.py p0 ${packet} > /dev/null]) ++done ++ ++dnl Update checksum and source address in original packet for comparison. ++packet=$(echo "$packet" | sed -e 's/ //g' -e 's/0765/0666/g' -e \ ++ 's/fc000000000000000000000000000001/fc000000000000000000000000000100/g') ++OVS_WAIT_UNTIL([test $(ovs-pcap p1.pcap | grep -c "${packet}") -eq 5]) ++ ++OVS_TRAFFIC_VSWITCHD_STOP ++AT_CLEANUP ++ + AT_BANNER([MPLS]) + + AT_SETUP([mpls - encap header dp-support]) +@@ -2407,20 +2511,29 @@ dnl The flow will encap a mpls header to the ip packet dnl eth/ip/icmp --> OVS --> eth/mpls/eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x0800 actions=encap(mpls),set_mpls_label:2,encap(ethernet),set_field:00:00:00:00:00:02->dl_dst,set_field:00:00:00:00:00:01->dl_src,ovs-p1"]) @@ -8076,7 +8487,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2439,20 +2460,29 @@ dnl The flow will encap a mpls header to the ip packet +@@ -2439,20 +2552,29 @@ dnl The flow will encap a mpls header to the ip packet dnl eth/ip/icmp --> OVS --> eth/mpls/eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x0800 actions=encap(mpls),set_mpls_label:2,encap(ethernet),set_field:00:00:00:00:00:02->dl_dst,set_field:00:00:00:00:00:01->dl_src,ovs-p1"]) @@ -8117,7 +8528,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2472,20 +2502,29 @@ dnl The flow will encap a mpls header to the ip packet +@@ -2472,20 +2594,29 @@ dnl The flow will encap a mpls header to the ip packet dnl eth/ip/icmp --> OVS --> eth/mpls/eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x0800 actions=encap(mpls_mc),set_mpls_label:2,encap(ethernet),set_field:00:00:00:00:00:02->dl_dst,set_field:00:00:00:00:00:01->dl_src,ovs-p1"]) @@ -8158,7 +8569,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2504,20 +2543,29 @@ dnl The flow will encap a mpls header to the ip packet +@@ -2504,20 +2635,29 @@ dnl The flow will encap a mpls header to the ip packet dnl eth/ip/icmp --> OVS --> eth/mpls/eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x0800 actions=encap(mpls_mc),set_mpls_label:2,encap(ethernet),set_field:00:00:00:00:00:02->dl_dst,set_field:00:00:00:00:00:01->dl_src,ovs-p1"]) @@ -8199,7 +8610,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2538,24 +2586,30 @@ dnl eth/mpls/eth/ip/icmp --> OVS --> eth/ip/icmp +@@ -2538,24 +2678,30 @@ dnl eth/mpls/eth/ip/icmp --> OVS --> eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x8847,mpls_label=2 actions=decap(),decap(packet_type(ns=0,type=0)),ovs-p1"]) @@ -8217,12 +8628,6 @@ index 98e494abf4..07dabe7988 100644 +m4_define([MPLS_HEADER], [m4_join([,], + [eth_src=00:00:00:00:00:01,eth_dst=00:00:00:00:00:02,eth_type=0x8847], + [mpls_label=2,mpls_ttl=64,mpls_bos=1])]) -+ -+m4_define([ICMP_PKT], [m4_join([,], -+ [eth_src=36:b1:ee:7c:01:03,eth_dst=36:b1:ee:7c:01:02,eth_type=0x0800], -+ [nw_src=10.1.1.1,nw_dst=10.1.1.2], -+ [nw_proto=1,nw_ttl=64,nw_frag=no], -+ [icmp_type=8,icmp_code=0])]) -dnl Check the expected decapsulated on the egress interface -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0000: *36b1 *ee7c *0102 *36b1 *ee7c *0103 *0800 *4500" 2>&1 1>/dev/null]) @@ -8232,20 +8637,26 @@ index 98e494abf4..07dabe7988 100644 -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0040: *1617 *1819 *1a1b *1c1d *1e1f *2021 *2223 *2425" 2>&1 1>/dev/null]) -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0050: *2627 *2829 *2a2b *2c2d *2e2f *3031 *3233 *3435" 2>&1 1>/dev/null]) -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0060: *3637" 2>&1 1>/dev/null]) ++m4_define([ICMP_PKT], [m4_join([,], ++ [eth_src=36:b1:ee:7c:01:03,eth_dst=36:b1:ee:7c:01:02,eth_type=0x0800], ++ [nw_src=10.1.1.1,nw_dst=10.1.1.2], ++ [nw_proto=1,nw_ttl=64,nw_frag=no], ++ [icmp_type=8,icmp_code=0])]) + +dnl The packet is an eth/mpls/eth/ip/icmp sent from p0(at_ns0) interface +dnl directed to p1(at_ns1) interface. +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 \ + "$(ovs-ofctl compose-packet --bare 'MPLS_HEADER')" \ + "$(ovs-ofctl compose-packet --bare 'ICMP_PKT')"], + [0], [ignore]) - ++ +dnl Check the expected decapsulated on the egress interface. +OVS_WAIT_UNTIL([ovs-pcap p1.pcap | grep -q \ + "^$(ovs-ofctl compose-packet --bare 'ICMP_PKT')\$"]) OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2575,24 +2629,30 @@ dnl eth/mpls/eth/ip/icmp --> OVS --> eth/ip/icmp +@@ -2575,24 +2721,30 @@ dnl eth/mpls/eth/ip/icmp --> OVS --> eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x8847,mpls_label=2 actions=decap(),decap(packet_type(ns=0,type=0)),ovs-p1"]) @@ -8263,12 +8674,6 @@ index 98e494abf4..07dabe7988 100644 +m4_define([MPLS_HEADER], [m4_join([,], + [eth_src=00:00:00:00:00:01,eth_dst=00:00:00:00:00:02,eth_type=0x8847], + [mpls_label=2,mpls_ttl=64,mpls_bos=1])]) -+ -+m4_define([ICMP_PKT], [m4_join([,], -+ [eth_src=36:b1:ee:7c:01:03,eth_dst=36:b1:ee:7c:01:02,eth_type=0x0800], -+ [nw_src=10.1.1.1,nw_dst=10.1.1.2], -+ [nw_proto=1,nw_ttl=64,nw_frag=no], -+ [icmp_type=8,icmp_code=0])]) -dnl Check the expected decapsulated on the egress interface -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0000: *36b1 *ee7c *0102 *36b1 *ee7c *0103 *0800 *4500" 2>&1 1>/dev/null]) @@ -8278,20 +8683,26 @@ index 98e494abf4..07dabe7988 100644 -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0040: *1617 *1819 *1a1b *1c1d *1e1f *2021 *2223 *2425" 2>&1 1>/dev/null]) -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0050: *2627 *2829 *2a2b *2c2d *2e2f *3031 *3233 *3435" 2>&1 1>/dev/null]) -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0060: *3637" 2>&1 1>/dev/null]) ++m4_define([ICMP_PKT], [m4_join([,], ++ [eth_src=36:b1:ee:7c:01:03,eth_dst=36:b1:ee:7c:01:02,eth_type=0x0800], ++ [nw_src=10.1.1.1,nw_dst=10.1.1.2], ++ [nw_proto=1,nw_ttl=64,nw_frag=no], ++ [icmp_type=8,icmp_code=0])]) + +dnl The packet is an eth/mpls/eth/ip/icmp sent from p0(at_ns0) interface +dnl directed to p1(at_ns1) interface. +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 \ + "$(ovs-ofctl compose-packet --bare 'MPLS_HEADER')" \ + "$(ovs-ofctl compose-packet --bare 'ICMP_PKT')"], + [0], [ignore]) - ++ +dnl Check the expected decapsulated on the egress interface. +OVS_WAIT_UNTIL([ovs-pcap p1.pcap | grep -q \ + "^$(ovs-ofctl compose-packet --bare 'ICMP_PKT')\$"]) OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3103,7 +3163,10 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +@@ -3103,7 +3255,10 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0) ]) @@ -8303,7 +8714,7 @@ index 98e494abf4..07dabe7988 100644 dnl Pings from ns1->ns0 should fail. NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl -@@ -3244,6 +3307,11 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl +@@ -3244,6 +3399,11 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl icmpv6,orig=(src=fc00::1,dst=fc00::2,id=,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=,type=129,code=0) ]) @@ -8315,7 +8726,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3280,10 +3348,10 @@ OVS_START_L7([at_ns1], [http]) +@@ -3280,10 +3440,10 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8328,7 +8739,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3323,10 +3391,10 @@ dnl traffic can't be identified, because the initial request wasn't committed. +@@ -3323,10 +3483,10 @@ dnl traffic can't be identified, because the initial request wasn't committed. dnl For the first pair of ports, this means that the connection fails. OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) @@ -8341,7 +8752,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3362,7 +3430,7 @@ OVS_START_L7([at_ns1], [http]) +@@ -3362,7 +3522,7 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8350,7 +8761,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -3370,7 +3438,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -3370,7 +3530,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= dnl HTTP requests from p2->p3 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8359,7 +8770,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),zone=2,protoinfo=(state=) -@@ -3409,7 +3477,7 @@ OVS_START_L7([at_ns1], [http]) +@@ -3409,7 +3569,7 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8368,7 +8779,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=4097,protoinfo=(state=) -@@ -3417,7 +3485,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -3417,7 +3577,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= dnl HTTP requests from p2->p3 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8377,7 +8788,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),zone=4098,protoinfo=(state=) -@@ -3451,7 +3519,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3451,7 +3611,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8386,7 +8797,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,dnl -@@ -3477,7 +3545,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 dnl +@@ -3477,7 +3637,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 dnl dnl Wait for a flow flush as some datapaths (read TC) might take time to clear. AT_CHECK([ovs-appctl revalidator/wait], [0]) @@ -8395,7 +8806,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl | grep "+trk" | grep -q "ct_zone(0xf)" ], [0], []) -@@ -3511,7 +3579,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3511,7 +3671,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8404,7 +8815,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,dnl -@@ -3529,7 +3597,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 'priority=100,ct_state=-trk,tcp,in_port="ovs-p +@@ -3529,7 +3689,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 'priority=100,ct_state=-trk,tcp,in_port="ovs-p dnl Wait for a flow flush as some datapaths (read TC) might take time to clear. AT_CHECK([ovs-appctl revalidator/wait], [0]) @@ -8413,7 +8824,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl | grep "+trk" | sed 's/0xffff000f\/0xffff/0xf\/0xffff/' dnl -@@ -3577,7 +3645,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt]) +@@ -3577,7 +3737,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -8422,7 +8833,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3606,10 +3674,10 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3606,10 +3766,10 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8435,7 +8846,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -3648,10 +3716,10 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) +@@ -3648,10 +3808,10 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8448,7 +8859,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -3693,14 +3761,14 @@ OVS_START_L7([at_ns1], [http]) +@@ -3693,14 +3853,14 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8465,7 +8876,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),mark=2,protoinfo=(state=) ]) -@@ -3735,7 +3803,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3735,7 +3895,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8474,7 +8885,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),mark=3,protoinfo=(state=) -@@ -3774,14 +3842,14 @@ OVS_START_L7([at_ns1], [http]) +@@ -3774,14 +3934,14 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8491,7 +8902,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),mark=2,protoinfo=(state=) ]) -@@ -3820,11 +3888,11 @@ OVS_START_L7([at_ns1], [http]) +@@ -3820,11 +3980,11 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8505,7 +8916,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3856,7 +3924,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3856,7 +4016,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8514,7 +8925,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),labels=0x200000001,protoinfo=(state=) -@@ -3894,7 +3962,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3894,7 +4054,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8523,7 +8934,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,mark=3,labels=0x200000001,protoinfo=(state=) -@@ -3930,7 +3998,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows1.txt]) +@@ -3930,7 +4090,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows1.txt]) dnl TCP traffic from ns0 to ns1 should fail. OVS_START_L7([at_ns1], [http]) @@ -8532,7 +8943,33 @@ index 98e494abf4..07dabe7988 100644 dnl Send UDP packet on port 1 twice. AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"]) -@@ -5230,14 +5298,14 @@ OVS_START_L7([at_ns0], [http]) +@@ -4200,7 +4360,11 @@ NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING + dnl Check userspace conntrack fragmentation counters. + DPCTL_CHECK_FRAGMENTATION_PASS() + +-OVS_TRAFFIC_VSWITCHD_STOP ++dnl Ipv4 max packet size fragmentation dropped. ++NS_EXEC([at_ns0], [ping -s 65507 -q -c 1 -W 0.5 10.1.1.2]) ++OVS_CHECK_FRAG_LARGE() ++ ++OVS_TRAFFIC_VSWITCHD_STOP(["/Unsupported big reassembled v4 packet/d"]) + AT_CLEANUP + + AT_SETUP([conntrack - IPv4 fragmentation expiry]) +@@ -4494,7 +4658,11 @@ NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -W 2 fc00::2 | FORMAT_PING + 3 packets transmitted, 3 received, 0% packet loss, time 0ms + ]) + +-OVS_TRAFFIC_VSWITCHD_STOP ++dnl Ipv6 max packet size fragmentation dropped. ++NS_EXEC([at_ns0], [ping6 -s 65487 -q -c 1 -W 0.5 fc00::2]) ++OVS_CHECK_FRAG_LARGE() ++ ++OVS_TRAFFIC_VSWITCHD_STOP(["/Unsupported big reassembled v6 packet/d"]) + AT_CLEANUP + + AT_SETUP([conntrack - IPv6 fragmentation expiry]) +@@ -5230,14 +5398,14 @@ OVS_START_L7([at_ns0], [http]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from ns0->ns1 should work fine. @@ -8549,7 +8986,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -5271,7 +5339,7 @@ OVS_START_L7([at_ns0], [http6]) +@@ -5271,7 +5439,7 @@ OVS_START_L7([at_ns0], [http6]) OVS_START_L7([at_ns1], [http6]) dnl HTTP requests from ns0->ns1 should work fine. @@ -8558,7 +8995,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc00::2,dst=fc00::1,sport=,dport=),protoinfo=(state=) -@@ -5279,7 +5347,7 @@ tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc +@@ -5279,7 +5447,7 @@ tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc dnl HTTP requests from ns1->ns0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8567,7 +9004,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -5317,19 +5385,21 @@ OVS_START_L7([at_ns1], [http]) +@@ -5317,19 +5485,21 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -8591,7 +9028,7 @@ index 98e494abf4..07dabe7988 100644 ADD_NAMESPACES(at_ns0) AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) -@@ -5359,10 +5429,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl +@@ -5359,10 +5529,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl OVS_START_L7([at_ns0], [http]) dnl HTTP requests from root namespace to p0 should work fine. @@ -8605,7 +9042,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 -@@ -5375,10 +5445,12 @@ OVS_TRAFFIC_VSWITCHD_STOP +@@ -5375,10 +5545,12 @@ OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP AT_SETUP([conntrack - multi-stage pipeline, local]) @@ -8618,7 +9055,7 @@ index 98e494abf4..07dabe7988 100644 ADD_NAMESPACES(at_ns0) AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) -@@ -5430,10 +5502,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl +@@ -5430,10 +5602,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl OVS_START_L7([at_ns0], [http]) dnl HTTP requests from root namespace to p0 should work fine. @@ -8631,7 +9068,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 -@@ -5682,7 +5754,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) +@@ -5682,7 +5854,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8640,7 +9077,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([find -name index.html], [0], [dnl ./index.html -@@ -5749,12 +5821,12 @@ OVS_START_L7([at_ns1], [ftp]) +@@ -5749,12 +5921,12 @@ OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8655,7 +9092,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5765,12 +5837,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +@@ -5765,12 +5937,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8670,7 +9107,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) -@@ -5779,7 +5851,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= +@@ -5779,7 +5951,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. @@ -8679,7 +9116,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5789,7 +5861,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) +@@ -5789,7 +5961,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned. @@ -8688,7 +9125,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) ]) -@@ -5855,12 +5927,12 @@ OVS_START_L7([at_ns1], [ftp], [11111]) +@@ -5855,12 +6027,12 @@ OVS_START_L7([at_ns1], [ftp], [11111]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8703,7 +9140,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5871,12 +5943,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +@@ -5871,12 +6043,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8718,7 +9155,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) -@@ -5885,7 +5957,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= +@@ -5885,7 +6057,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. @@ -8727,7 +9164,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5895,7 +5967,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) +@@ -5895,7 +6067,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned. @@ -8736,7 +9173,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) ]) -@@ -5930,7 +6002,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt]) +@@ -5930,7 +6102,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8745,7 +9182,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp -@@ -5991,7 +6063,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -5991,7 +6163,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8754,7 +9191,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -6050,7 +6122,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -6050,7 +6222,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP passive requests from p0->p1 should work fine. @@ -8763,7 +9200,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -6100,12 +6172,12 @@ OVS_START_L7([at_ns1], [ftp]) +@@ -6100,12 +6272,12 @@ OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8778,7 +9215,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=),helper=ftp -@@ -6116,7 +6188,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= +@@ -6116,7 +6288,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. @@ -8787,7 +9224,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp -@@ -6240,7 +6312,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6240,7 +6412,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -8796,7 +9233,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6330,7 +6402,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6330,7 +6502,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -8805,7 +9242,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6397,11 +6469,11 @@ ADD_NAMESPACES(at_ns0, at_ns1) +@@ -6397,11 +6569,11 @@ ADD_NAMESPACES(at_ns0, at_ns1) ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") @@ -8819,7 +9256,7 @@ index 98e494abf4..07dabe7988 100644 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat) in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1 dnl -@@ -6425,17 +6497,28 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6425,17 +6597,28 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -8853,7 +9290,7 @@ index 98e494abf4..07dabe7988 100644 AT_CLEANUP AT_SETUP([conntrack - more complex SNAT]) -@@ -6481,7 +6564,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6481,7 +6664,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -8862,7 +9299,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6575,14 +6658,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6575,14 +6758,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl Should work with the virtual IP address through NAT OVS_START_L7([at_ns1], [http]) @@ -8879,7 +9316,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6613,7 +6696,7 @@ table=2,in_port=1,ip,ct_mark=0xac,ct_label=0xac,actions=2 +@@ -6613,7 +6796,7 @@ table=2,in_port=1,ip,ct_mark=0xac,ct_label=0xac,actions=2 ]) AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) @@ -8888,7 +9325,7 @@ index 98e494abf4..07dabe7988 100644 dnl - make sure only dst nat has been performed AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.240)], [0], [dnl -@@ -6671,14 +6754,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6671,14 +6854,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl Should work with the virtual IP address through NAT OVS_START_L7([at_ns1], [http]) @@ -8905,7 +9342,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -7206,7 +7289,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) +@@ -7206,7 +7389,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8914,7 +9351,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -@@ -7266,7 +7349,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) +@@ -7266,7 +7449,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8923,7 +9360,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -@@ -7326,7 +7409,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null]) +@@ -7326,7 +7509,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8932,7 +9369,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.200)], [0], [dnl -@@ -7386,7 +7469,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) +@@ -7386,7 +7569,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8941,7 +9378,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -@@ -7446,7 +7529,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) +@@ -7446,7 +7629,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8950,7 +9387,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.120.240)], [0], [dnl -@@ -7491,12 +7574,12 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) +@@ -7491,12 +7674,12 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) dnl HTTP requests from ns0->ns1 should work fine. OVS_START_L7([at_ns1], [http6]) @@ -8965,7 +9402,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -7535,7 +7618,7 @@ NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -W 2 fc00::240 | FORMAT_PING], [0] +@@ -7535,7 +7718,7 @@ NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -W 2 fc00::240 | FORMAT_PING], [0] dnl Should work with the virtual IP address through NAT OVS_START_L7([at_ns1], [http6]) @@ -8974,7 +9411,7 @@ index 98e494abf4..07dabe7988 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl icmpv6,orig=(src=fc00::1,dst=fc00::240,id=,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=,type=129,code=0),zone=1 -@@ -7685,7 +7768,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -7685,7 +7868,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8983,7 +9420,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -7746,7 +7829,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -7746,7 +7929,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8992,7 +9429,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -7806,7 +7889,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) +@@ -7806,7 +7989,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) dnl FTP requests from p0->p1 should work fine. @@ -9001,7 +9438,7 @@ index 98e494abf4..07dabe7988 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -7949,7 +8032,7 @@ on_exit 'ovs-appctl dpif/dump-flows br0' +@@ -7949,7 +8132,7 @@ on_exit 'ovs-appctl dpif/dump-flows br0' dnl Should work with the virtual IP address through NAT for i in $(seq 1 50); do echo Request $i @@ -9010,7 +9447,7 @@ index 98e494abf4..07dabe7988 100644 done dnl Each server should have at least one connection. -@@ -8215,10 +8298,18 @@ table=2,priority=10 ct_state=+trk+est action=drop +@@ -8215,10 +8398,18 @@ table=2,priority=10 ct_state=+trk+est action=drop AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) @@ -9021,18 +9458,18 @@ index 98e494abf4..07dabe7988 100644 + [nw_src=10.1.1.1,nw_dst=10.1.1.2], + [nw_proto=1,nw_ttl=64,nw_frag=no], + [icmp_type=8,icmp_code=0])]) - --NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 1c 00 01 00 00 40 01 64 dc 0a 01 01 01 0a 01 01 02 08 00 f7 ff ff ff ff ff > /dev/null]) ++ +# Sending ICMP packets, first and second. +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 \ + $(ovs-ofctl compose-packet --bare 'ICMP_PKT' '')], [0], [ignore]) -+ + +-NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 1c 00 01 00 00 40 01 64 dc 0a 01 01 01 0a 01 01 02 08 00 f7 ff ff ff ff ff > /dev/null]) +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 \ + $(ovs-ofctl compose-packet --bare 'ICMP_PKT' '')], [0], [ignore]) sleep 1 -@@ -8237,6 +8328,7 @@ OVS_TRAFFIC_VSWITCHD_STOP +@@ -8237,6 +8428,7 @@ OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP AT_SETUP([conntrack - can match and clear ct_state from outside OVS]) @@ -9040,7 +9477,7 @@ index 98e494abf4..07dabe7988 100644 CHECK_CONNTRACK_LOCAL_STACK() OVS_CHECK_GENEVE() -@@ -8247,6 +8339,7 @@ AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) +@@ -8247,6 +8439,7 @@ AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) AT_CHECK([ovs-ofctl add-flow br-underlay "priority=100,ct_state=+trk,actions=ct_clear,resubmit(,0)"]) AT_CHECK([ovs-ofctl add-flow br-underlay "priority=10,actions=normal"]) @@ -9048,7 +9485,7 @@ index 98e494abf4..07dabe7988 100644 ADD_NAMESPACES(at_ns0) dnl Set up underlay link from host into the namespace using veth pair. -@@ -8389,6 +8482,53 @@ AT_CHECK([ovs-pcap client.pcap | grep 000000002010000000002000], [0], [dnl +@@ -8389,6 +8582,53 @@ AT_CHECK([ovs-pcap client.pcap | grep 000000002010000000002000], [0], [dnl OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP @@ -9102,7 +9539,7 @@ index 98e494abf4..07dabe7988 100644 AT_BANNER([IGMP]) AT_SETUP([IGMP - flood under normal action]) -@@ -8724,21 +8864,29 @@ dnl The flow will encap a nsh header to the TCP syn packet +@@ -8724,21 +8964,29 @@ dnl The flow will encap a nsh header to the TCP syn packet dnl eth/ip/tcp --> OVS --> eth/nsh/eth/ip/tcp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,ip,actions=encap(nsh(md_type=1)),set_field:0x1234->nsh_spi,set_field:0x11223344->nsh_c1,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"]) @@ -9126,11 +9563,6 @@ index 98e494abf4..07dabe7988 100644 +dnl p1(at_ns1) interface. +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 \ + $(ovs-ofctl compose-packet --bare 'TCP_SYN_PKT')], [0], [ignore]) -+ -+m4_define([NSH_HEADER], [m4_join([,], -+ [eth_src=f2:ff:00:00:00:01,eth_dst=f2:ff:00:00:00:02,eth_type=0x894f], -+ [nsh_ttl=63,nsh_np=3,nsh_spi=0x1234,nsh_si=255], -+ [nsh_mdtype=1,nsh_c1=0x11223344])]) -dnl Check the expected nsh encapsulated packet on the egress interface -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *0fc6" 2>&1 1>/dev/null]) @@ -9139,13 +9571,18 @@ index 98e494abf4..07dabe7988 100644 -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null]) -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null]) -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null]) ++m4_define([NSH_HEADER], [m4_join([,], ++ [eth_src=f2:ff:00:00:00:01,eth_dst=f2:ff:00:00:00:02,eth_type=0x894f], ++ [nsh_ttl=63,nsh_np=3,nsh_spi=0x1234,nsh_si=255], ++ [nsh_mdtype=1,nsh_c1=0x11223344])]) ++ +OVS_WAIT_UNTIL([ovs-pcap p1.pcap | grep -q "m4_join([], [^], + $(ovs-ofctl compose-packet --bare 'NSH_HEADER'), + $(ovs-ofctl compose-packet --bare 'TCP_SYN_PKT'), [\$])"]) OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -8756,19 +8904,31 @@ dnl The flow will decap a nsh header which in turn carries a TCP syn packet +@@ -8756,19 +9004,31 @@ dnl The flow will decap a nsh header which in turn carries a TCP syn packet dnl eth/nsh/eth/ip/tcp --> OVS --> eth/ip/tcp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f, actions=decap(),decap(), ovs-p1"]) @@ -9187,7 +9624,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -8788,22 +8948,38 @@ dnl The flow will add another NSH header with nsh_spi=0x101, nsh_si=4, +@@ -8788,22 +9048,38 @@ dnl The flow will add another NSH header with nsh_spi=0x101, nsh_si=4, dnl nsh_ttl=7 and change the md1 context AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x03,actions=decap(),decap(),encap(nsh(md_type=1)),set_field:0x07->nsh_ttl,set_field:0x0101->nsh_spi,set_field:0x04->nsh_si,set_field:0x100f0e0d->nsh_c1,set_field:0x0c0b0a09->nsh_c2,set_field:0x08070605->nsh_c3,set_field:0x04030201->nsh_c4,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"]) @@ -9212,6 +9649,14 @@ index 98e494abf4..07dabe7988 100644 + [eth_src=f2:ff:00:00:00:01,eth_dst=f2:ff:00:00:00:02,eth_type=0x894f], + [nsh_ttl=8,nsh_np=3,nsh_spi=0x100,nsh_si=3,nsh_mdtype=1], + [nsh_c1=0x01020304,nsh_c2=0x05060708,nsh_c3=0x090a0b0c,nsh_c4=0x0d0e0f10])]) ++ ++dnl Send the NSH packet with TCP SYN payload from p0(at_ns0) interface directed ++dnl to p1(at_ns1) interface. ++dnl The nsh_ttl is 8, nsh_spi is 0x100 and nsh_si is 3. ++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 \ ++ "$(ovs-ofctl compose-packet --bare 'NSH_HEADER_1')" \ ++ "$(ovs-ofctl compose-packet --bare 'TCP_SYN_PKT')"], ++ [0], [ignore]) -dnl Check the expected NSH packet with new fields in the header -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0000: *f2ff *0000 *0002 *f2ff *0000* 0001 *894f *01c6" 2>&1 1>/dev/null]) @@ -9220,14 +9665,6 @@ index 98e494abf4..07dabe7988 100644 -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null]) -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null]) -OVS_WAIT_UNTIL([cat p1.pcap | grep -E "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null]) -+dnl Send the NSH packet with TCP SYN payload from p0(at_ns0) interface directed -+dnl to p1(at_ns1) interface. -+dnl The nsh_ttl is 8, nsh_spi is 0x100 and nsh_si is 3. -+NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 \ -+ "$(ovs-ofctl compose-packet --bare 'NSH_HEADER_1')" \ -+ "$(ovs-ofctl compose-packet --bare 'TCP_SYN_PKT')"], -+ [0], [ignore]) -+ +m4_define([NSH_HEADER_2], [m4_join([,], + [eth_src=f2:ff:00:00:00:01,eth_dst=f2:ff:00:00:00:02,eth_type=0x894f], + [nsh_ttl=7,nsh_np=3,nsh_spi=0x101,nsh_si=4,nsh_mdtype=1], @@ -9240,7 +9677,7 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -8824,31 +9000,50 @@ dnl packet to to at_ns2. +@@ -8824,31 +9100,50 @@ dnl packet to to at_ns2. AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x02,actions=ovs-p1"]) AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x01,actions=ovs-p2"]) @@ -9317,10 +9754,25 @@ index 98e494abf4..07dabe7988 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP diff --git a/tests/system-userspace-macros.at b/tests/system-userspace-macros.at -index d9b5b7e4c4..c1be973478 100644 +index d9b5b7e4c4..49b277a089 100644 --- a/tests/system-userspace-macros.at +++ b/tests/system-userspace-macros.at -@@ -357,3 +357,19 @@ m4_define([OVS_CHECK_BAREUDP], +@@ -298,6 +298,14 @@ AT_CHECK([ovs-appctl dpctl/ipf-get-status -m | FORMAT_FRAG_LIST()], [], [dnl + ]) + ]) + ++# OVS_CHECK_FRAG_LARGE() ++# ++# The userspace needs to check that ipf larger fragments have occurred. ++m4_define([OVS_CHECK_FRAG_LARGE], ++[ ++ OVS_WAIT_UNTIL([grep -Eq 'Unsupported big reassembled (v4|v6) packet' ovs-vswitchd.log]) ++]) ++ + # OVS_CHECK_MIN_KERNEL([minversion], [maxversion]) + # + # The userspace skips all tests that check kernel version. +@@ -357,3 +365,19 @@ m4_define([OVS_CHECK_BAREUDP], [ AT_SKIP_IF([:]) ]) @@ -10489,6 +10941,28 @@ index 785014956e..2768c07400 100644 stderr_log], [0], [dnl 0 | module_0 | EMER | emergency 1 | module_0 | ERR | error +diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in +index 0b2820c361..46cdecf46f 100644 +--- a/utilities/ovs-ctl.in ++++ b/utilities/ovs-ctl.in +@@ -245,12 +245,15 @@ start_ovs_ipsec () { + if test X$RESTART_IKE_DAEMON = Xno; then + no_restart="--no-restart-ike-daemon" + fi ++ if test X"$MONITOR" != Xno; then ++ monitor_arg="--monitor" ++ fi + + ${datadir}/scripts/ovs-monitor-ipsec \ + --pidfile=${rundir}/ovs-monitor-ipsec.pid \ + --ike-daemon=$IKE_DAEMON \ +- $no_restart \ +- --log-file --detach --monitor unix:${rundir}/db.sock || return 1 ++ $no_restart $monitor_arg \ ++ --log-file --detach unix:${rundir}/db.sock || return 1 + return 0 + } + diff --git a/utilities/ovs-dpctl-top.in b/utilities/ovs-dpctl-top.in index 2c1766eff5..ec57eccd66 100755 --- a/utilities/ovs-dpctl-top.in diff --git a/SPECS/openvswitch3.3.spec b/SPECS/openvswitch3.3.spec index 73d977a..b8faca7 100644 --- a/SPECS/openvswitch3.3.spec +++ b/SPECS/openvswitch3.3.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 3.3.0 -Release: 23%{?dist} +Release: 30%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -274,7 +274,7 @@ This package provides IPsec tunneling support for OVS tunnels. mv dpdk-*/ %{dpdkdir}/ %if %{apply_patch} -%patch0 -p1 +%patch -P0 -p1 %endif %build @@ -769,6 +769,51 @@ exit 0 %endif %changelog +* Thu Jan 16 2025 Open vSwitch CI - 3.3.0-30 +- Merging upstream branch-3.3 [RH git: 5cd967a3a2] + Commit list: + 540b649150 docs: Add tunnel support to TSO GRE documentation. + + +* Thu Jan 16 2025 Open vSwitch CI - 3.3.0-29 +- Merging upstream branch-3.3 [RH git: 2ef7377f0c] + Commit list: + 77a63b5c51 rhel, debian: Add missing restart policy to ipsec service. + 46af8a20ca rhel, debian: Fix systemd monitoring wrong pid for ovs-monitor-ipsec. + + +* Wed Jan 15 2025 Open vSwitch CI - 3.3.0-28 +- Merging upstream branch-3.3 [RH git: d167f50d9c] + Commit list: + 73a775cd59 dpif-netdev: Modify code comments for function parse_tcp_flags. + 8912017d1c ipf: Fix the over-sized reassembly. + + +* Tue Jan 14 2025 Open vSwitch CI - 3.3.0-27 +- Merging upstream branch-3.3 [RH git: a5c30684be] + Commit list: + 43754f1d52 debian: Let *-ctl handle runtime directory. + 3d5ed8b92f debian: Use PIDFile with systemd. + 4dfa23ce7f debian: Add X-Python3-Version stanza. + a02a6b1aa4 debian: Drop shlibs:Depends macro for -ipsec. + 2e7c4ab691 debian: Drop python3:Depends macro for -vtep. + + +* Fri Jan 10 2025 Open vSwitch CI - 3.3.0-26 +- Merging upstream branch-3.3 [RH git: 351e474c21] + Commit list: + 9c1ba8b76c ovsdb: Fix asan warning on ovsdb fatal errors. + 64364f3a95 netdev-tc-offloads: Don't offload header modification on ip fragments. (FDP-545) + + +* Thu Jan 09 2025 Timothy Redaelli - 3.3.0-25 +- pkgtool: escape %% in changelog [RH git: c1c84a03f2] + + +* Thu Jan 09 2025 Timothy Redaelli - 3.3.0-24 +- template: use %%patch -P0 instead of %%patch0 [RH git: e47332f1d2] + + * Fri Dec 13 2024 Open vSwitch CI - 3.3.0-23 - Merging upstream branch-3.3 [RH git: 7639ea3b9a] Commit list: