Skip to content
Blame History Permalink
  • Ben Pfaff's avatar
    ofproto-dpif-upcall: Slow path flows that datapath can't fully match. · 687bafbb
    Ben Pfaff authored 
    In the OVS architecture, when a datapath doesn't have a match for a packet,
it sends the packet and the flow that it extracted from it to userspace.
Userspace then examines the packet and the flow and compares them.
Commonly, the flow is the same as what userspace expects, given the packet,
but there are two other possibilities:

    - The flow lacks one or more fields that userspace expects to be there,
      that is, the datapath doesn't understand or parse them but userspace
      does.  This is, for example, what would happen if current OVS
      userspace, which understands and extracts TCP flags, were to be
      paired with an older OVS kernel module, which does not.  Internally
      OVS uses the name ODP_FIT_TOO_LITTLE for this situation.

    - The flow includes fields that userspace does not know about, that is,
      the datapath understands and parses them but userspace does not.
      This is, for example, what would happen if an old OVS userspace that
      does not understand or extract TCP flags, were to be paired with a
      recent OVS kernel module that does.  Internally, OVS uses the name
      ODP_FIT_TOO_MUCH for this situation.

The latter is not a big deal and OVS doesn't have to do much to cope with
it.

The former is more of a problem.  When the datapath can't match on all the
fields that OVS supports, it means that OVS can't safely install a flow at
all, other than one that directs packets to the slow path.  Otherwise, if
OVS did install a flow, it could match a packet that does not match the
flow that OVS intended to match and could cause the wrong behavior.

Somehow, this nuance was lost a long time.  From about 2013 until today,
it seems that OVS has ignored ODP_FIT_TOO_LITTLE.  Instead, it happily
installs a flow regardless of whether the datapath can actually fully match
it.  I imagine that this is rarely a problem because most of the time
the datapath and userspace are well matched, but it is still an important
problem to fix.  This commit fixes it, by forcing flows into the slow path
when the datapath cannot match specifically enough.

CC: Ethan Jackson <ejj@eecs.berkeley.edu>
Fixes: e79a6c83

 ("ofproto: Handle flow installation and eviction in upcall.")
Reported-by: default avatarHuanle Han <hanxueluo@gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-January/343665.html


Signed-off-by: default avatarBen Pfaff <blp@ovn.org>
    687bafbb