From patchwork Mon Dec 4 05:49:08 2023
X-Patchwork-Submitter: Ales Musil
X-Patchwork-Id: 1871377
From: Ales Musil
To: dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Mon, 4 Dec 2023 06:49:08 +0100
Message-ID: <20231204054913.14249-2-amusil@redhat.com>
In-Reply-To: <20231204054913.14249-1-amusil@redhat.com>
References: <20231204054913.14249-1-amusil@redhat.com>
Subject: [ovs-dev] [PATCH v8 1/6] ct-dpif: Handle default zone limit the same way as other limits.

Internally handle default CT zone limit as other limits that can be passed via the list with special value -1. Currently, the -1 is treated by both datapaths as default, add static asserts to make sure that this remains the case in the future. This allows us to easily delete the default zone limit.

Signed-off-by: Ales Musil
---
v8: Rebase on top of current master.
v7: Rebase on top of current master.
    Do not populate count for default zone and add note about it to the dpif_class.
v6: Rebase on top of current master.
    Address comments from Ilya:
    - Add assert to conntrack.h for the zone numbers.
    - Some minor cosmetic changes.
v5: Rebase on top of current master.
    Address comments from Ilya:
    - Fix some typos.
    - Use OVS_ZONE_LIMIT_DEFAULT_ZONE instead of special constant.
    - Do not rely on DEFAULT_ZONE being -1 for the limit list.
    - Fix wrong netlink message.
---
lib/conntrack.c | 2 +- lib/conntrack.h | 7 +++++-- lib/ct-dpif.c | 28 +++++++++++++++------------- lib/ct-dpif.h | 14 ++++++-------- lib/dpctl.c | 15 ++++++++------- lib/dpif-netdev.c | 21 ++++++--------------- lib/dpif-netlink.c | 29 ++++++----------------------- lib/dpif-provider.h | 24 +++++++++++------------- 8 files changed, 58 insertions(+), 82 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index 47a443fba..31f00a127 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -398,7 +398,7 @@ zone_limit_clean(struct conntrack *ct, struct zone_limit *zl) } int -zone_limit_delete(struct conntrack *ct, uint16_t zone) +zone_limit_delete(struct conntrack *ct, int32_t zone) { ovs_mutex_lock(&ct->ct_lock); struct zone_limit *zl = zone_limit_lookup_protected(ct, zone); diff --git a/lib/conntrack.h b/lib/conntrack.h index 57d5159b6..18c182f85 100644 --- a/lib/conntrack.h +++ b/lib/conntrack.h @@ -122,11 +122,14 @@ struct timeout_policy { enum { INVALID_ZONE = -2, - DEFAULT_ZONE = -1, /* Default zone for zone limit management. */ + DEFAULT_ZONE = OVS_ZONE_LIMIT_DEFAULT_ZONE, /* Default zone for zone + * limit management. */ MIN_ZONE = 0, MAX_ZONE = 0xFFFF, }; +BUILD_ASSERT_DECL(DEFAULT_ZONE > INVALID_ZONE && DEFAULT_ZONE < MIN_ZONE); + struct ct_dpif_entry; struct ct_dpif_tuple; 
@@ -154,6 +157,6 @@ struct ipf *conntrack_ipf_ctx(struct conntrack *ct); struct conntrack_zone_limit zone_limit_get(struct conntrack *ct, int32_t zone); int zone_limit_update(struct conntrack *ct, int32_t zone, uint32_t limit); -int zone_limit_delete(struct conntrack *ct, uint16_t zone); +int zone_limit_delete(struct conntrack *ct, int32_t zone); #endif /* conntrack.h */ diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c index f59c6e560..2ee045164 100644 --- a/lib/ct-dpif.c +++ b/lib/ct-dpif.c @@ -398,23 +398,19 @@ ct_dpif_get_tcp_seq_chk(struct dpif *dpif, bool *enabled) } int -ct_dpif_set_limits(struct dpif *dpif, const uint32_t *default_limit, - const struct ovs_list *zone_limits) +ct_dpif_set_limits(struct dpif *dpif, const struct ovs_list *zone_limits) { return (dpif->dpif_class->ct_set_limits - ? dpif->dpif_class->ct_set_limits(dpif, default_limit, - zone_limits) + ? dpif->dpif_class->ct_set_limits(dpif, zone_limits) : EOPNOTSUPP); } int -ct_dpif_get_limits(struct dpif *dpif, uint32_t *default_limit, - const struct ovs_list *zone_limits_in, +ct_dpif_get_limits(struct dpif *dpif, const struct ovs_list *zone_limits_in, struct ovs_list *zone_limits_out) { return (dpif->dpif_class->ct_get_limits - ? dpif->dpif_class->ct_get_limits(dpif, default_limit, - zone_limits_in, + ? dpif->dpif_class->ct_get_limits(dpif, zone_limits_in, zone_limits_out) : EOPNOTSUPP); } @@ -854,7 +850,7 @@ ct_dpif_format_tcp_stat(struct ds * ds, int tcp_state, int conn_per_state) void -ct_dpif_push_zone_limit(struct ovs_list *zone_limits, uint16_t zone, +ct_dpif_push_zone_limit(struct ovs_list *zone_limits, int32_t zone, uint32_t limit, uint32_t count) { struct ct_dpif_zone_limit *zone_limit = xmalloc(sizeof *zone_limit); 
@@ -928,15 +924,21 @@ error: } void -ct_dpif_format_zone_limits(uint32_t default_limit, - const struct ovs_list *zone_limits, struct ds *ds) +ct_dpif_format_zone_limits(const struct ovs_list *zone_limits, struct ds *ds) { struct ct_dpif_zone_limit *zone_limit; - ds_put_format(ds, "default limit=%"PRIu32, default_limit); + LIST_FOR_EACH (zone_limit, node, zone_limits) { + if (zone_limit->zone == OVS_ZONE_LIMIT_DEFAULT_ZONE) { + ds_put_format(ds, "default limit=%"PRIu32, zone_limit->limit); + } + } LIST_FOR_EACH (zone_limit, node, zone_limits) { - ds_put_format(ds, "\nzone=%"PRIu16, zone_limit->zone); + if (zone_limit->zone == OVS_ZONE_LIMIT_DEFAULT_ZONE) { + continue; + } + ds_put_format(ds, "\nzone=%"PRIu16, (uint16_t) zone_limit->zone); ds_put_format(ds, ",limit=%"PRIu32, zone_limit->limit); ds_put_format(ds, ",count=%"PRIu32, zone_limit->count); } diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h index 0b728b529..c8a7c155e 100644 --- a/lib/ct-dpif.h +++ b/lib/ct-dpif.h @@ -237,7 +237,7 @@ struct ct_dpif_dump_state { }; struct ct_dpif_zone_limit { - uint16_t zone; + int32_t zone; uint32_t limit; /* Limit on number of entries. */ uint32_t count; /* Current number of entries. */ struct ovs_list node; 
@@ -307,10 +307,9 @@ int ct_dpif_get_maxconns(struct dpif *dpif, uint32_t *maxconns); int ct_dpif_get_nconns(struct dpif *dpif, uint32_t *nconns); int ct_dpif_set_tcp_seq_chk(struct dpif *dpif, bool enabled); int ct_dpif_get_tcp_seq_chk(struct dpif *dpif, bool *enabled); -int ct_dpif_set_limits(struct dpif *dpif, const uint32_t *default_limit, - const struct ovs_list *); -int ct_dpif_get_limits(struct dpif *dpif, uint32_t *default_limit, - const struct ovs_list *, struct ovs_list *); +int ct_dpif_set_limits(struct dpif *dpif, const struct ovs_list *); +int ct_dpif_get_limits(struct dpif *dpif, const struct ovs_list *, + struct ovs_list *); int ct_dpif_del_limits(struct dpif *dpif, const struct ovs_list *); int ct_dpif_sweep(struct dpif *, uint32_t *ms); int ct_dpif_ipf_set_enabled(struct dpif *, bool v6, bool enable); @@ -329,13 +328,12 @@ void ct_dpif_format_ipproto(struct ds *ds, uint16_t ipproto); void ct_dpif_format_tuple(struct ds *, const struct ct_dpif_tuple *); uint8_t ct_dpif_coalesce_tcp_state(uint8_t state); void ct_dpif_format_tcp_stat(struct ds *, int, int); -void ct_dpif_push_zone_limit(struct ovs_list *, uint16_t zone, uint32_t limit, +void ct_dpif_push_zone_limit(struct ovs_list *, int32_t zone, uint32_t limit, uint32_t count); void ct_dpif_free_zone_limits(struct ovs_list *); bool ct_dpif_parse_zone_limit_tuple(const char *s, uint16_t *pzone, uint32_t *plimit, struct ds *); -void ct_dpif_format_zone_limits(uint32_t default_limit, - const struct ovs_list *, struct ds *); +void ct_dpif_format_zone_limits(const struct ovs_list *, struct ds *); bool ct_dpif_set_timeout_policy_attr_by_name(struct ct_dpif_timeout_policy *tp, const char *key, uint32_t value); bool ct_dpif_timeout_policy_support_ipproto(uint8_t ipproto); diff --git a/lib/dpctl.c b/lib/dpctl.c index cd12625a1..76f21a530 100644 --- a/lib/dpctl.c +++ b/lib/dpctl.c 
@@ -2202,7 +2202,7 @@ dpctl_ct_set_limits(int argc, const char *argv[], struct dpif *dpif; struct ds ds = DS_EMPTY_INITIALIZER; int i = dp_arg_exists(argc, argv) ? 2 : 1; - uint32_t default_limit, *p_default_limit = NULL; + uint32_t default_limit; struct ovs_list zone_limits = OVS_LIST_INITIALIZER(&zone_limits); int error = opt_dpif_open(argc, argv, dpctl_p, INT_MAX, &dpif); @@ -2213,7 +2213,8 @@ dpctl_ct_set_limits(int argc, const char *argv[], /* Parse default limit */ if (!strncmp(argv[i], "default=", 8)) { if (ovs_scan(argv[i], "default=%"SCNu32, &default_limit)) { - p_default_limit = &default_limit; + ct_dpif_push_zone_limit(&zone_limits, OVS_ZONE_LIMIT_DEFAULT_ZONE, + default_limit, 0); i++; } else { ds_put_cstr(&ds, "invalid default limit"); @@ -2233,7 +2234,7 @@ dpctl_ct_set_limits(int argc, const char *argv[], ct_dpif_push_zone_limit(&zone_limits, zone, limit, 0); } - error = ct_dpif_set_limits(dpif, p_default_limit, &zone_limits); + error = ct_dpif_set_limits(dpif, &zone_limits); if (!error) { ct_dpif_free_zone_limits(&zone_limits); dpif_close(dpif); @@ -2322,7 +2323,6 @@ dpctl_ct_get_limits(int argc, const char *argv[], { struct dpif *dpif; struct ds ds = DS_EMPTY_INITIALIZER; - uint32_t default_limit; int i = dp_arg_exists(argc, argv) ? 2 : 1; struct ovs_list list_query = OVS_LIST_INITIALIZER(&list_query); struct ovs_list list_reply = OVS_LIST_INITIALIZER(&list_reply); @@ -2333,16 +2333,17 @@ dpctl_ct_get_limits(int argc, const char *argv[], } if (argc > i) { + ct_dpif_push_zone_limit(&list_query, OVS_ZONE_LIMIT_DEFAULT_ZONE, + 0, 0); error = parse_ct_limit_zones(argv[i], &list_query, &ds); if (error) { goto error; } } - error = ct_dpif_get_limits(dpif, &default_limit, &list_query, - &list_reply); + error = ct_dpif_get_limits(dpif, &list_query, &list_reply); if (!error) { - ct_dpif_format_zone_limits(default_limit, &list_reply, &ds); + ct_dpif_format_zone_limits(&list_reply, &ds); dpctl_print(dpctl_p, "%s\n", ds_cstr(&ds)); goto out; } else { 
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c index b8f065d1d..9a59a1b03 100644 --- a/lib/dpif-netdev.c +++ b/lib/dpif-netdev.c @@ -9450,17 +9450,10 @@ dpif_netdev_ct_get_sweep_interval(struct dpif *dpif, uint32_t *ms) static int dpif_netdev_ct_set_limits(struct dpif *dpif, - const uint32_t *default_limits, const struct ovs_list *zone_limits) { int err = 0; struct dp_netdev *dp = get_dp_netdev(dpif); - if (default_limits) { - err = zone_limit_update(dp->conntrack, DEFAULT_ZONE, *default_limits); - if (err != 0) { - return err; - } - } struct ct_dpif_zone_limit *zone_limit; LIST_FOR_EACH (zone_limit, node, zone_limits) { @@ -9475,20 +9468,12 @@ dpif_netdev_ct_set_limits(struct dpif *dpif, static int dpif_netdev_ct_get_limits(struct dpif *dpif, - uint32_t *default_limit, const struct ovs_list *zone_limits_request, struct ovs_list *zone_limits_reply) { struct dp_netdev *dp = get_dp_netdev(dpif); struct conntrack_zone_limit czl; - czl = zone_limit_get(dp->conntrack, DEFAULT_ZONE); - if (czl.zone == DEFAULT_ZONE) { - *default_limit = czl.limit; - } else { - return EINVAL; - } - if (!ovs_list_is_empty(zone_limits_request)) { struct ct_dpif_zone_limit *zone_limit; LIST_FOR_EACH (zone_limit, node, zone_limits_request) { @@ -9502,6 +9487,12 @@ dpif_netdev_ct_get_limits(struct dpif *dpif, } } } else { + czl = zone_limit_get(dp->conntrack, DEFAULT_ZONE); + if (czl.zone == DEFAULT_ZONE) { + ct_dpif_push_zone_limit(zone_limits_reply, DEFAULT_ZONE, + czl.limit, 0); + } + for (int z = MIN_ZONE; z <= MAX_ZONE; z++) { czl = zone_limit_get(dp->conntrack, z); if (czl.zone == z) { diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c index 9194971d3..5f92a2b65 100644 --- a/lib/dpif-netlink.c +++ b/lib/dpif-netlink.c @@ -3360,7 +3360,6 @@ dpif_netlink_ct_flush(struct dpif *dpif OVS_UNUSED, const uint16_t *zone, static int dpif_netlink_ct_set_limits(struct dpif *dpif OVS_UNUSED, - const uint32_t *default_limits, const struct ovs_list *zone_limits) { if (ovs_ct_limit_family < 0) { 
@@ -3378,13 +3377,6 @@ dpif_netlink_ct_set_limits(struct dpif *dpif OVS_UNUSED, size_t opt_offset; opt_offset = nl_msg_start_nested(request, OVS_CT_LIMIT_ATTR_ZONE_LIMIT); - if (default_limits) { - struct ovs_zone_limit req_zone_limit = { - .zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE, - .limit = *default_limits, - }; - nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit); - } if (!ovs_list_is_empty(zone_limits)) { struct ct_dpif_zone_limit *zone_limit; @@ -3406,7 +3398,6 @@ dpif_netlink_ct_set_limits(struct dpif *dpif OVS_UNUSED, static int dpif_netlink_zone_limits_from_ofpbuf(const struct ofpbuf *buf, - uint32_t *default_limit, struct ovs_list *zone_limits) { static const struct nl_policy ovs_ct_limit_policy[] = { @@ -3439,11 +3430,8 @@ dpif_netlink_zone_limits_from_ofpbuf(const struct ofpbuf *buf, nl_attr_get(attr[OVS_CT_LIMIT_ATTR_ZONE_LIMIT]); while (rem >= sizeof *zone_limit) { - if (zone_limit->zone_id == OVS_ZONE_LIMIT_DEFAULT_ZONE) { - *default_limit = zone_limit->limit; - } else if (zone_limit->zone_id < OVS_ZONE_LIMIT_DEFAULT_ZONE || - zone_limit->zone_id > UINT16_MAX) { - } else { + if (zone_limit->zone_id >= OVS_ZONE_LIMIT_DEFAULT_ZONE && + zone_limit->zone_id <= UINT16_MAX) { ct_dpif_push_zone_limit(zone_limits, zone_limit->zone_id, zone_limit->limit, zone_limit->count); } @@ -3456,7 +3444,6 @@ dpif_netlink_zone_limits_from_ofpbuf(const struct ofpbuf *buf, static int dpif_netlink_ct_get_limits(struct dpif *dpif OVS_UNUSED, - uint32_t *default_limit, const struct ovs_list *zone_limits_request, struct ovs_list *zone_limits_reply) { 
@@ -3477,14 +3464,11 @@ dpif_netlink_ct_get_limits(struct dpif *dpif OVS_UNUSED, size_t opt_offset = nl_msg_start_nested(request, OVS_CT_LIMIT_ATTR_ZONE_LIMIT); - struct ovs_zone_limit req_zone_limit = { - .zone_id = OVS_ZONE_LIMIT_DEFAULT_ZONE, - }; - nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit); - struct ct_dpif_zone_limit *zone_limit; LIST_FOR_EACH (zone_limit, node, zone_limits_request) { - req_zone_limit.zone_id = zone_limit->zone; + struct ovs_zone_limit req_zone_limit = { + .zone_id = zone_limit->zone, + }; nl_msg_put(request, &req_zone_limit, sizeof req_zone_limit); } @@ -3497,8 +3481,7 @@ dpif_netlink_ct_get_limits(struct dpif *dpif OVS_UNUSED, goto out; } - err = dpif_netlink_zone_limits_from_ofpbuf(reply, default_limit, - zone_limits_reply); + err = dpif_netlink_zone_limits_from_ofpbuf(reply, zone_limits_reply); out: ofpbuf_delete(request); diff --git a/lib/dpif-provider.h b/lib/dpif-provider.h index 1b822cb07..520e21e68 100644 --- a/lib/dpif-provider.h +++ b/lib/dpif-provider.h 
@@ -520,19 +520,17 @@ struct dpif_class { /* Sets the max connections allowed per zone according to 'zone_limits', * a list of 'struct ct_dpif_zone_limit' entries (the 'count' member - * is not used when setting limits). If 'default_limit' is not NULL, - * modifies the default limit to '*default_limit'. */ - int (*ct_set_limits)(struct dpif *, const uint32_t *default_limit, - const struct ovs_list *zone_limits); - - /* Looks up the default per zone limit and stores that in - * 'default_limit'. Look up the per zone limits for all zones in - * the 'zone_limits_in' list of 'struct ct_dpif_zone_limit' entries - * (the 'limit' and 'count' members are not used), and stores the - * reply that includes the zone, the per zone limit, and the number - * of connections in the zone into 'zone_limits_out' list. */ - int (*ct_get_limits)(struct dpif *, uint32_t *default_limit, - const struct ovs_list *zone_limits_in, + * is not used when setting limits). */ + int (*ct_set_limits)(struct dpif *, const struct ovs_list *zone_limits); + + /* Looks up the per zone limits for all zones in the 'zone_limits_in' list + * of 'struct ct_dpif_zone_limit' entries (the 'limit' and 'count' members + * are not used), and stores the reply that includes the zone, the per + * zone limit, and the number of connections in the zone into + * 'zone_limits_out' list. If the 'zone_limits_in' list is empty the + * report will contain all previously set zone limits and the default + * limit. Note: The default zone limit "count" is not used. 
*/ + int (*ct_get_limits)(struct dpif *, const struct ovs_list *zone_limits_in, struct ovs_list *zone_limits_out); /* Deletes per zone limit of all zones specified in 'zone_limits', a
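
Review bot: In ct_dpif_format_zone_limits() (lib/ct-dpif.c, hunk @@ -928) the per-zone loop still writes "\nzone=" with a leading newline, but "default limit=" is now printed only when the list contains an OVS_ZONE_LIMIT_DEFAULT_ZONE entry, so a reply list without that entry yields output that starts with an empty line. The first loop also has no break, so a list carrying two default entries prints "default limit=..." twice on one line. Suggest stopping the first loop after the first match and emitting the newline separator only when ds already has content.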
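
Review bot: The range test added in dpif_netlink_zone_limits_from_ofpbuf() (lib/dpif-netlink.c), "zone_limit->zone_id >= OVS_ZONE_LIMIT_DEFAULT_ZONE && zone_limit->zone_id <= UINT16_MAX", accepts the default entry only because the constant sits directly below zone 0, and nothing in this file states that requirement. The BUILD_ASSERT_DECL that pins the value is added in lib/conntrack.h, which belongs to the userspace datapath. Either repeat the assert next to this check or spell the condition out as an equality with OVS_ZONE_LIMIT_DEFAULT_ZONE or a value in 0..UINT16_MAX, so the parser of kernel replies does not depend on an assert in another header.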
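
Review bot: The updated ct_get_limits comment in lib/dpif-provider.h documents the empty 'zone_limits_in' case but not the new contract for a non-empty list: dpif_netdev_ct_get_limits() now pushes the default limit only in its empty-request branch, and dpif_netlink_ct_get_limits() no longer adds the OVS_ZONE_LIMIT_DEFAULT_ZONE request itself, so a caller has to put a default-zone entry in 'zone_limits_in' to get the default back, as dpctl_ct_get_limits() does. Please add a sentence saying so, since existing callers that passed a zone list and read 'default_limit' silently lose that value.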

From: Ales Musil
To: dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Mon, 4 Dec 2023 06:49:09 +0100
Message-ID: <20231204054913.14249-3-amusil@redhat.com>
In-Reply-To: <20231204054913.14249-1-amusil@redhat.com>
References: <20231204054913.14249-1-amusil@redhat.com>
Subject: [ovs-dev] [PATCH v8 2/6] dpctl: Allow the default CT zone limit to be deleted.

Add optional argument to dpctl ct-del-limits called "default", which allows removing the default limit, making it effectively the system default.

Signed-off-by: Ales Musil
---
v8: Rebase on top of current master.
v7: Rebase on top of current master.
    Address cosmetic comments.
v6: Rebase on top of current master.
    Address comments from Ilya:
    - Adjust the log message so it doesn't report anything for default zone.
v5: Rebase on top of current master.
    Address comments from Ilya:
    - Correct the NEWS entry.
    - Fix style related problems.
---
NEWS | 2 ++ lib/conntrack.c | 12 +++++++----- lib/dpctl.c | 21 +++++++++++++++------ tests/system-traffic.at | 26 ++++++++++++++++++++++++++ 4 files changed, 50 insertions(+), 11 deletions(-) diff --git a/NEWS b/NEWS index 490e275da..0ad36c563 100644 --- a/NEWS +++ b/NEWS @@ -19,6 +19,8 @@ Post-v3.2.0 * Added support for Generic Segmentation Offloading for the cases where TSO is enabled but not supported by an egress interface (except for tunnel interfaces). + * Added support for removal of default CT zone limit, e.g. + "ovs-appctl dpctl/ct-del-limits default". v3.2.0 - 17 Aug 2023 diff --git a/lib/conntrack.c b/lib/conntrack.c index 31f00a127..71c470661 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -404,13 +404,15 @@ zone_limit_delete(struct conntrack *ct, int32_t zone) struct zone_limit *zl = zone_limit_lookup_protected(ct, zone); if (zl) { zone_limit_clean(ct, zl); - ovs_mutex_unlock(&ct->ct_lock); - VLOG_INFO("Deleted zone limit for zone %d", zone); - } else { - ovs_mutex_unlock(&ct->ct_lock); - VLOG_INFO("Attempted delete of non-existent zone limit: zone %d", + } + + if (zone != DEFAULT_ZONE) { + VLOG_INFO(zl ? "Deleted zone limit for zone %d" + : "Attempted delete of non-existent zone limit: zone %d", zone); } + + ovs_mutex_unlock(&ct->ct_lock); return 0; } diff --git a/lib/dpctl.c b/lib/dpctl.c index 76f21a530..a8c654747 100644 --- a/lib/dpctl.c +++ b/lib/dpctl.c 
@@ -2291,14 +2291,23 @@ dpctl_ct_del_limits(int argc, const char *argv[], int i = dp_arg_exists(argc, argv) ? 2 : 1; struct ovs_list zone_limits = OVS_LIST_INITIALIZER(&zone_limits); - error = opt_dpif_open(argc, argv, dpctl_p, 3, &dpif); + error = opt_dpif_open(argc, argv, dpctl_p, 4, &dpif); if (error) { return error; } - error = parse_ct_limit_zones(argv[i], &zone_limits, &ds); - if (error) { - goto error; + /* Parse default limit. */ + if (!strcmp(argv[i], "default")) { + ct_dpif_push_zone_limit(&zone_limits, OVS_ZONE_LIMIT_DEFAULT_ZONE, + 0, 0); + i++; + } + + if (argc > i) { + error = parse_ct_limit_zones(argv[i], &zone_limits, &ds); + if (error) { + goto error; + } } error = ct_dpif_del_limits(dpif, &zone_limits); @@ -3031,8 +3040,8 @@ static const struct dpctl_command all_commands[] = { { "ct-get-tcp-seq-chk", "[dp]", 0, 1, dpctl_ct_get_tcp_seq_chk, DP_RO }, { "ct-set-limits", "[dp] [default=L] [zone=N,limit=L]...", 1, INT_MAX, dpctl_ct_set_limits, DP_RO }, - { "ct-del-limits", "[dp] zone=N1[,N2]...", 1, 2, dpctl_ct_del_limits, - DP_RO }, + { "ct-del-limits", "[dp] [default] [zone=N1[,N2]...]", 1, 3, + dpctl_ct_del_limits, DP_RO }, { "ct-get-limits", "[dp] [zone=N1[,N2]...]", 0, 2, dpctl_ct_get_limits, DP_RO }, { "ct-get-sweep-interval", "[dp]", 0, 1, dpctl_ct_get_sweep, DP_RO }, diff --git a/tests/system-traffic.at b/tests/system-traffic.at index a37a694c5..3927bb8b1 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -5240,6 +5240,32 @@ udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=3),reply=(src=10.1.1.4,dst=10. udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=4),reply=(src=10.1.1.4,dst=10.1.1.3,sport=4,dport=1),zone=3 ]) +dnl Test ct-del-limits for default zone. + +AT_CHECK([ovs-appctl dpctl/ct-set-limits default=15 zone=4,limit=4]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=4], [0], [dnl +default limit=15 +zone=4,limit=4,count=0 +]) + +AT_CHECK([ovs-appctl dpctl/ct-del-limits default]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=4], [0], [dnl +default limit=0 +zone=4,limit=4,count=0 +]) + +AT_CHECK([ovs-appctl dpctl/ct-set-limits default=15]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=4], [0], [dnl +default limit=15 +zone=4,limit=4,count=0 +]) + +AT_CHECK([ovs-appctl dpctl/ct-del-limits default zone=4]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=4], [0], [dnl +default limit=0 +zone=4,limit=0,count=0 +]) + OVS_TRAFFIC_VSWITCHD_STOP(["dnl /could not create datapath/d /(Cannot allocate memory) on packet/d"])
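
Review bot: zone_limit_delete() (lib/conntrack.c, hunk @@ -404) now calls VLOG_INFO() while ct->ct_lock is still held, where the removed code unlocked in both branches before logging, and it tests zl after the pointer has been handed to zone_limit_clean(). Record the lookup result in a bool before cleaning, release the mutex, and then log, which keeps the critical section as short as it was and avoids reading a pointer whose entry has just been removed.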
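
Review bot: In dpctl_ct_del_limits() (lib/dpctl.c, hunk @@ -2291) the new strcmp(argv[i], "default") is not covered by the "argc > i" guard that the same hunk places in front of parse_ct_limit_zones(), so if dp_arg_exists() reports a datapath argument and nothing follows it, the comparison reads argv[argc]. Use "if (argc > i && !strcmp(argv[i], "default"))". With both parts now optional, a call that gives neither reaches ct_dpif_del_limits() with an empty list, and anything after the zone= argument (for example "zone=4 default") is dropped without a message; returning an error with a usage hint in both cases would be safer for an operator who believes a limit was removed.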
bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SkCRS321Bz23n4 for ; Mon, 4 Dec 2023 16:49:40 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 6B6C741730; Mon, 4 Dec 2023 05:49:38 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 6B6C741730 Authentication-Results: smtp4.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=H5ipQ2iL X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xrzG2UAGgxff; Mon, 4 Dec 2023 05:49:33 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp4.osuosl.org (Postfix) with ESMTPS id D6418415EF; Mon, 4 Dec 2023 05:49:31 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org D6418415EF Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 55174C0DE3; Mon, 4 Dec 2023 05:49:28 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id D350FC008E for ; Mon, 4 Dec 2023 05:49:26 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id AFF5D60DDF for ; Mon, 4 Dec 2023 05:49:26 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org AFF5D60DDF Authentication-Results: smtp3.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=H5ipQ2iL X-Virus-Scanned: amavisd-new at osuosl.org Received: from 
smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rQblsnHG-v1O for ; Mon, 4 Dec 2023 05:49:25 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp3.osuosl.org (Postfix) with ESMTPS id 29D1D60B32 for ; Mon, 4 Dec 2023 05:49:24 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 29D1D60B32 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1701668963; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ui1ZT78tgWmZrpUo/XLlV/G6k1o3MsIhxGTcL96AG0o=; b=H5ipQ2iLgfjpxsRp+IejWs/TmL4am2O0QFYQV5oKaiL7FT/GcfvI7xkzSJuHrXnGjlXlV1 bIWVStDrJuqaEs7sHn95XiIqnz62K3ZL7xoHHqY0xfYclA3Yc3KX88Bkprxudj6PR0Xykg RvwRknCq5eJk4jd2rEmWeOmnF8CYr70= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-104-osMEzhwaOYir_wERsAotJQ-1; Mon, 04 Dec 2023 00:49:20 -0500 X-MC-Unique: osMEzhwaOYir_wERsAotJQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6AC6429AA38D; Mon, 4 Dec 2023 05:49:20 +0000 (UTC) Received: from amusil.redhat.com (unknown [10.45.224.15]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2CEBA40C6EB9; Mon, 4 Dec 2023 05:49:19 +0000 (UTC) 
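Review bot: The last check of the new ct-del-limits block in tests/system-traffic.at cannot tell a removed zone limit from one that was set to 0. After `ct-del-limits default zone=4` it only runs the zone-filtered `ct-get-limits zone=4`, which reports `zone=4,limit=0,count=0` in both cases. Add an unfiltered `dpctl/ct-get-limits` check after the delete and assert that no `zone=4` line remains, so the test fails if the entry is only zeroed instead of deleted.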
From: Ales Musil
To: dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Mon, 4 Dec 2023 06:49:10 +0100
Message-ID: <20231204054913.14249-4-amusil@redhat.com>
In-Reply-To: <20231204054913.14249-1-amusil@redhat.com>
References: <20231204054913.14249-1-amusil@redhat.com>
Subject: [ovs-dev] [PATCH v8 3/6] ovs-vsctl: Add limit to CT zone.

Add limit to the CT zone DB table with ovs-vsctl helper methods. The limit has two special values besides any number, 0 is unlimited and empty limit is to leave the value untouched in the datapath. This is a preparation step and the value is not yet propagated to the datapath.

Signed-off-by: Ales Musil
---
v8: Address comments from Ilya:
    - Change the commands to have positional arguments instead of named ones.
    - Fix the usage string.
    - Add missing string for autocomplete.
v7: Rebase on top of current master.
    Address comments from Ilya:
    - Add missing 'a'.
    - Slightly change the format for limit listing.
    - Add usage string for all the new commands.
v6: Rebase on top of current master.
    Address comments from Ilya:
    - Update the semantics and documentation of the set command.
v5: Rebase on top of current master.
    Address comments from Ilya:
    - Use only single command for setting zone and default limit.
    - Correct the errors in the man page.
    - Use references for the column description.
v4: Rebase on top of current master.
    Address comments from Ilya:
    - Make sure that the NEWS is clear on what has been added.
    - Make the usage of --may-exist and --if-exists more intuitive for the new commands.
    - Some cosmetics.
    Add command and column for default limit.
---
 NEWS | 5 ++
 tests/ovs-vsctl.at | 88 ++++++++++++++++++++++-
 utilities/ovs-vsctl.8.in | 31 ++++++--
 utilities/ovs-vsctl.c | 141 +++++++++++++++++++++++++++++++++++--
 vswitchd/vswitch.ovsschema | 14 +++-
 vswitchd/vswitch.xml | 14 ++++
 6 files changed, 277 insertions(+), 16 deletions(-)

diff --git a/NEWS b/NEWS index 0ad36c563..6824b9c1a 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,11 @@ Post-v3.2.0 tunnel interfaces). * Added support for removal of default CT zone limit, e.g. "ovs-appctl dpctl/ct-del-limits default". + - ovs-vsctl: + * New commands 'set-zone-limit', 'del-zone-limit' and 'list-zone-limit' + to manage the maximum number of connections in conntrack zones via + a new 'limit' column in the 'CT_Zone' database table and + 'ct_zone_default_limit' column in the 'Datapath' table. v3.2.0 - 17 Aug 2023 diff --git a/tests/ovs-vsctl.at b/tests/ovs-vsctl.at index a368bff6e..febb9dadf 100644 --- a/tests/ovs-vsctl.at +++ b/tests/ovs-vsctl.at 
@@ -975,6 +975,67 @@ AT_CHECK( [0], [stdout]) AT_CHECK([RUN_OVS_VSCTL([list-zone-tp netdev])], [0], [Zone:10, Timeout Policies: system default ]) +AT_CHECK([RUN_OVS_VSCTL([--if-exists del-zone-tp netdev zone=10])]) + +AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])]) + +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdev 1 1])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])], [0], [dnl +Zone: 1, Limit: 1 +]) + +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdev 1 5])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])], [0], [dnl +Zone: 1, Limit: 5 +]) + +AT_CHECK([RUN_OVS_VSCTL([del-zone-limit netdev 1])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])]) + +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdev 10 5])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])], [0], [dnl +Zone: 10, Limit: 5 +]) + +AT_CHECK([RUN_OVS_VSCTL([add-zone-tp netdev zone=10 icmp_first=1 icmp_reply=2])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-tp netdev])], [0], [dnl +Zone:10, Timeout Policies: icmp_first=1 icmp_reply=2 +]) + +AT_CHECK([RUN_OVS_VSCTL([del-zone-limit netdev 10])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-tp netdev])], [0], [dnl +Zone:10, Timeout Policies: icmp_first=1 icmp_reply=2 +]) + +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdev 10 5])]) +AT_CHECK([RUN_OVS_VSCTL([del-zone-tp netdev zone=10])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])], [0], [dnl +Zone: 10, Limit: 5 +]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-tp netdev])], [0], [dnl +Zone:10, Timeout Policies: system default +]) + +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdev default 5])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])], [0], [dnl +Default, Limit: 5 +Zone: 10, Limit: 5 +]) + +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdev default 10])]) +AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])], [0], [dnl +Default, Limit: 10 +Zone: 10, Limit: 5 +]) + +AT_CHECK([RUN_OVS_VSCTL([del-zone-limit netdev default])]) 
+AT_CHECK([RUN_OVS_VSCTL([list-zone-limits netdev])], [0], [dnl +Zone: 10, Limit: 5 +]) + +AT_CHECK([RUN_OVS_VSCTL([--if-exists del-zone-limit netdev default])]) + AT_CHECK([RUN_OVS_VSCTL([-- --id=@m create Datapath datapath_version=0 'capabilities={recirc=true}' -- set Open_vSwitch . datapaths:"system"=@m])], [0], [stdout]) AT_CHECK([RUN_OVS_VSCTL([list-dp-cap system])], [0], [recirc=true 
@@ -1113,16 +1174,39 @@ AT_CHECK([RUN_OVS_VSCTL([add-zone-tp netdevxx zone=1 icmp_first=1 icmp_reply=2]) ]) AT_CHECK([RUN_OVS_VSCTL([add-zone-tp netdev zone=2 icmp_first=2 icmp_reply=3])]) AT_CHECK([RUN_OVS_VSCTL([add-zone-tp netdev zone=2 icmp_first=2 icmp_reply=3])], - [1], [], [ovs-vsctl: zone id 2 already exists + [1], [], [ovs-vsctl: zone id 2 already has a policy ]) AT_CHECK([RUN_OVS_VSCTL([list-zone-tp netdev])], [0], [Zone:2, Timeout Policies: icmp_first=2 icmp_reply=3 ]) AT_CHECK([RUN_OVS_VSCTL([del-zone-tp netdev zone=11])], - [1], [], [ovs-vsctl: zone id 11 does not exist + [1], [], [ovs-vsctl: zone id 11 does not have a policy ]) AT_CHECK([RUN_OVS_VSCTL([list-zone-tp netdev])], [0], [Zone:2, Timeout Policies: icmp_first=2 icmp_reply=3 ]) +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdevxx 5 1])], + [1], [], [ovs-vsctl: datapath netdevxx does not exist +]) +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdev 88888 1])], + [1], [], [ovs-vsctl: zone_id (88888) out of range +]) +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdev 5 -1])], + [1], [], [ovs-vsctl: limit (-1) out of range +]) +AT_CHECK([RUN_OVS_VSCTL([del-zone-limit netdev 10])], + [1], [], [ovs-vsctl: zone_id 10 does not have a limit +]) + +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdevxx default 1])], + [1], [], [ovs-vsctl: datapath netdevxx does not exist +]) +AT_CHECK([RUN_OVS_VSCTL([set-zone-limit netdev default -1])], + [1], [], [ovs-vsctl: limit (-1) out of range +]) +AT_CHECK([RUN_OVS_VSCTL([del-zone-limit netdev default])], + [1], [], [ovs-vsctl: datapath netdev does not have a limit +]) + AT_CHECK([RUN_OVS_VSCTL([-- --id=@m create Datapath datapath_version=0 'capabilities={recirc=true}' -- set Open_vSwitch . datapaths:"system"=@m])], [0], [stdout]) AT_CHECK([RUN_OVS_VSCTL([list-dp-cap nosystem])], [1], [], [ovs-vsctl: datapath "nosystem" record not found diff --git a/utilities/ovs-vsctl.8.in b/utilities/ovs-vsctl.8.in index 9e319aa1c..5ce949df4 100644 --- a/utilities/ovs-vsctl.8.in 
+++ b/utilities/ovs-vsctl.8.in @@ -354,7 +354,7 @@ Prints the name of the bridge that contains \fIiface\fR on standard output. . .SS "Conntrack Zone Commands" -These commands query and modify datapath CT zones and Timeout Policies. +These commands query and modify datapath CT zones, Timeout Policies and Limits. . .IP "[\fB\-\-may\-exist\fR] \fBadd\-zone\-tp \fIdatapath \fBzone=\fIzone_id \fIpolicies\fR" Creates a conntrack zone timeout policy with \fIzone_id\fR in 
@@ -365,20 +365,37 @@ packet and a 60-second policy for ICMP reply packets. See the \fBCT_Timeout_Policy\fR table in \fBovs-vswitchd.conf.db\fR(5) for the supported keys. .IP -Without \fB\-\-may\-exist\fR, attempting to add a \fIzone_id\fR that -already exists is an error. With \fB\-\-may\-exist\fR, -this command does nothing if \fIzone_id\fR already exists. +Without \fB\-\-may\-exist\fR, attempting to add a \fIpolicy\fR for +\fIzone_id\fR that already has a policy is an error. + With \fB\-\-may\-exist\fR, this command does nothing if policy for + \fIzone_id\fR already exists. . .IP "[\fB\-\-if\-exists\fR] \fBdel\-zone\-tp \fIdatapath \fBzone=\fIzone_id\fR" Delete the timeout policy associated with \fIzone_id\fR from \fIdatapath\fR. .IP -Without \fB\-\-if\-exists\fR, attempting to delete a zone that -does not exist is an error. With \fB\-\-if\-exists\fR, attempting to -delete a zone that does not exist has no effect. +Without \fB\-\-if\-exists\fR, attempting to delete a policy for zone that +does not exist or doesn't have a policy is an error. With +\fB\-\-if\-exists\fR, attempting to delete a a policy that does not +exist has no effect. . .IP "\fBlist\-zone\-tp \fIdatapath\fR" Prints the timeout policies of all zones in \fIdatapath\fR. . +.IP "\fBset\-zone\-limit \fIdatapath \fIzone_id\fR|\fBdefault \fIzone_limit\fR" +Sets a conntrack zone limit with \fIzone_id\fR|\fIdefault\fR in +\fIdatapath\fR. The \fIlimit\fR with value \fB0\fR means unlimited. +.IP +. +.IP "[\fB\-\-if\-exists\fR] \fBdel\-zone\-limit \fIdatapath \fIzone_id\fR|\fBdefault\fR" +Delete the limit associated with \fIzone_id\fR from \fIdatapath\fR. +.IP +Without \fB\-\-if\-exists\fR, attempting to delete a limit for zone that +does not exist or doesn't have a limit is an error. With \fB\-\-if\-exists\fR, +attempting to delete a limit that does not exist has no effect. +. +.IP "\fBlist\-zone\-limits \fIdatapath\fR" +Prints the limits of all zones in \fIdatapath\fR. +. 
.SS "Datapath Capabilities Command" The command query datapath capabilities. . diff --git a/utilities/ovs-vsctl.c b/utilities/ovs-vsctl.c index 5e549df00..63b932c28 100644 --- a/utilities/ovs-vsctl.c +++ b/utilities/ovs-vsctl.c @@ -442,6 +442,14 @@ Auto Attach commands:\n\ Switch commands:\n\ emer-reset reset switch to known good state\n\ \n\ +Connection Tracking commands:\n\ + set-zone-limit DATAPATH ZONE|default LIMIT\ + set CT LIMIT for ZONE|default on DATAPATH\n\ + del-zone-limit DATAPATH ZONE|default\ + delete CT limit for ZONE|default on DATAPATH\n\ + list-zone-limits DATAPATH\ + list all limits configured on DATAPATH\n\ +\n\ %s\ %s\ \n\ @@ -1302,8 +1310,8 @@ cmd_add_zone_tp(struct ctl_context *ctx) ctl_fatal("No timeout policy"); } - if (zone && !may_exist) { - ctl_fatal("zone id %"PRIu64" already exists", zone_id); + if (zone && zone->timeout_policy && !may_exist) { + ctl_fatal("zone id %"PRIu64" already has a policy", zone_id); } tp = create_timeout_policy(ctx, &ctx->argv[3], n_tps); @@ -1332,11 +1340,20 @@ cmd_del_zone_tp(struct ctl_context *ctx) } struct ovsrec_ct_zone *zone = find_ct_zone(dp, zone_id); - if (must_exist && !zone) { - ctl_fatal("zone id %"PRIu64" does not exist", zone_id); + if (must_exist && !(zone && zone->timeout_policy)) { + ctl_fatal("zone id %"PRIu64" does not have a policy", zone_id); } - if (zone) { + if (!zone) { + return; + } + + if (zone->limit) { + if (zone->timeout_policy) { + ovsrec_ct_timeout_policy_delete(zone->timeout_policy); + } + ovsrec_ct_zone_set_timeout_policy(zone, NULL); + } else { ovsrec_datapath_update_ct_zones_delkey(dp, zone_id); } } 
@@ -1371,12 +1388,118 @@ cmd_list_zone_tp(struct ctl_context *ctx) } } +static void +cmd_set_zone_limit(struct ctl_context *ctx) +{ + struct vsctl_context *vsctl_ctx = vsctl_context_cast(ctx); + int64_t zone_id = -1; + int64_t limit = -1; + + const char *dp_name = ctx->argv[1]; + + ovs_scan(ctx->argv[2], "%"SCNi64, &zone_id); + ovs_scan(ctx->argv[3], "%"SCNi64, &limit); + + struct ovsrec_datapath *dp = find_datapath(vsctl_ctx, dp_name); + if (!dp) { + ctl_fatal("datapath %s does not exist", dp_name); + } + + if (limit < 0 || limit > UINT32_MAX) { + ctl_fatal("limit (%"PRIi64") out of range", limit); + } + + if (!strcmp(ctx->argv[2], "default")) { + ovsrec_datapath_set_ct_zone_default_limit(dp, &limit, 1); + return; + } + + if (zone_id < 0 || zone_id > UINT16_MAX) { + ctl_fatal("zone_id (%"PRIi64") out of range", zone_id); + } + + struct ovsrec_ct_zone *zone = find_ct_zone(dp, zone_id); + if (!zone) { + zone = ovsrec_ct_zone_insert(ctx->txn); + ovsrec_datapath_update_ct_zones_setkey(dp, zone_id, zone); + } + + ovsrec_ct_zone_set_limit(zone, &limit, 1); +} + +static void +cmd_del_zone_limit(struct ctl_context *ctx) +{ + struct vsctl_context *vsctl_ctx = vsctl_context_cast(ctx); + int64_t zone_id; + + bool must_exist = !shash_find(&ctx->options, "--if-exists"); + const char *dp_name = ctx->argv[1]; + + ovs_scan(ctx->argv[2], "%"SCNi64, &zone_id); + + struct ovsrec_datapath *dp = find_datapath(vsctl_ctx, dp_name); + if (!dp) { + ctl_fatal("datapath %s does not exist", dp_name); + } + + if (!strcmp(ctx->argv[2], "default")) { + if (must_exist && !dp->ct_zone_default_limit) { + ctl_fatal("datapath %s does not have a limit", dp_name); + } + + ovsrec_datapath_set_ct_zone_default_limit(dp, NULL, 0); + return; + } + + struct ovsrec_ct_zone *zone = find_ct_zone(dp, zone_id); + if (must_exist && !(zone && zone->limit)) { + ctl_fatal("zone_id %"PRIi64" does not have a limit", zone_id); + } + + if (!zone) { + return; + } + + if (zone->timeout_policy) { + 
ovsrec_ct_zone_set_limit(zone, NULL, 0); + } else { + ovsrec_datapath_update_ct_zones_delkey(dp, zone_id); + } +} + +static void +cmd_list_zone_limits(struct ctl_context *ctx) +{ + struct vsctl_context *vsctl_ctx = vsctl_context_cast(ctx); + + struct ovsrec_datapath *dp = find_datapath(vsctl_ctx, ctx->argv[1]); + if (!dp) { + ctl_fatal("datapath: %s record not found", ctx->argv[1]); + } + + if (dp->ct_zone_default_limit) { + ds_put_format(&ctx->output, "Default, Limit: %"PRIu64"\n", + *dp->ct_zone_default_limit); + } + + for (int i = 0; i < dp->n_ct_zones; i++) { + struct ovsrec_ct_zone *zone = dp->value_ct_zones[i]; + if (zone->limit) { + ds_put_format(&ctx->output, "Zone: %"PRIu64", Limit: %"PRIu64"\n", + dp->key_ct_zones[i], *zone->limit); + } + } +} + static void pre_get_zone(struct ctl_context *ctx) { ovsdb_idl_add_column(ctx->idl, &ovsrec_open_vswitch_col_datapaths); ovsdb_idl_add_column(ctx->idl, &ovsrec_datapath_col_ct_zones); + ovsdb_idl_add_column(ctx->idl, &ovsrec_datapath_col_ct_zone_default_limit); ovsdb_idl_add_column(ctx->idl, &ovsrec_ct_zone_col_timeout_policy); + ovsdb_idl_add_column(ctx->idl, &ovsrec_ct_zone_col_limit); ovsdb_idl_add_column(ctx->idl, &ovsrec_ct_timeout_policy_col_timeouts); } @@ -3159,6 +3282,14 @@ static const struct ctl_command_syntax vsctl_commands[] = { /* Datapath capabilities. */ {"list-dp-cap", 1, 1, "", pre_get_dp_cap, cmd_list_dp_cap, NULL, "", RO}, + /* CT zone limit. */ + {"set-zone-limit", 3, 3, "ARG ARG ARG", pre_get_zone, cmd_set_zone_limit, NULL, + "", RW}, + {"del-zone-limit", 2, 2, "ARG ARG", pre_get_zone, cmd_del_zone_limit, NULL, + "--if-exists", RW}, + {"list-zone-limits", 1, 1, "ARG", pre_get_zone, cmd_list_zone_limits, NULL, + "", RO}, + {NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO}, }; diff --git a/vswitchd/vswitch.ovsschema b/vswitchd/vswitch.ovsschema index 2d395ff95..e2d5e2e85 100644 --- a/vswitchd/vswitch.ovsschema +++ b/vswitchd/vswitch.ovsschema 
@@ -1,6 +1,6 @@ {"name": "Open_vSwitch", - "version": "8.4.0", - "cksum": "2738838700 27127", + "version": "8.5.0", + "cksum": "4040946650 27557", "tables": { "Open_vSwitch": { "columns": { @@ -670,6 +670,11 @@ "capabilities": { "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}, + "ct_zone_default_limit": { + "type": { "key": {"type": "integer", + "minInteger": 0, + "maxInteger": 4294967295}, + "min": 0, "max": 1}}, "external_ids": { "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}}}, @@ -679,6 +684,11 @@ "type": {"key": {"type": "uuid", "refTable": "CT_Timeout_Policy"}, "min": 0, "max": 1}}, + "limit": { + "type": { "key": {"type": "integer", + "minInteger": 0, + "maxInteger": 4294967295}, + "min": 0, "max": 1}}, "external_ids": { "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}}}, diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 68392ac41..eaccd85cf 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -6488,6 +6488,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ + + Default connection tracking zone limit that is applied to all zones + that didn't specify the + explicitly. If the limit is unspecified the default limit + configuration for the datapath is left intact. The value 0 means + unlimited. + + The overall purpose of these columns is described under Common Columns at the beginning of this document. 
@@ -6504,6 +6512,12 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ is not specified, it defaults to the timeout policy in the system. + + Connection tracking limit for this zone. If the limit is unspecified + the will be used. + The value 0 means unlimited. + + The overall purpose of these columns is described under Common Columns at the beginning of this document.
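Review bot: The NEWS hunk announces the listing command as 'list-zone-limit', but the entry added to vsctl_commands[], the usage text, the man page and the tests all use 'list-zone-limits'. Correct the NEWS spelling so the announced name is the one a user can actually run.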
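Review bot: The set-zone-limit entry in the utilities/ovs-vsctl.8.in hunk does not agree with its own synopsis: the synopsis names the argument \fIzone_limit\fR while the description talks about \fIlimit\fR, and "default" is a bold keyword in the synopsis but an italic placeholder in the description. Use one argument name and mark "default" as a literal in both places. The same hunk leaves an empty `.IP` after that description, has a doubled article in the del-zone-tp text ("delete a a policy"), and the del-zone-limit description only mentions \fIzone_id\fR although the command also accepts "default".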
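Review bot: cmd_del_zone_limit() in utilities/ovs-vsctl.c can use zone_id uninitialized when the ZONE argument is neither a number nor "default": it is declared as `int64_t zone_id;`, the result of `ovs_scan(ctx->argv[2], "%"SCNi64, &zone_id)` is ignored, and the value is then passed to find_ct_zone() and printed in the error message. Check the ovs_scan() result, fail with an explicit invalid-argument message, and apply the same 0..UINT16_MAX range check that cmd_set_zone_limit() performs. cmd_set_zone_limit() has a milder form of the same problem: a non-numeric ZONE or LIMIT silently falls back to the -1 initializer and is reported as "(-1) out of range" rather than as the string the user typed. The new error-path tests only cover out-of-range numbers, so a non-numeric argument case is worth adding for both commands.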
From: Ales Musil
To: dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Mon, 4 Dec 2023 06:49:11 +0100
Message-ID: <20231204054913.14249-5-amusil@redhat.com>
In-Reply-To: <20231204054913.14249-1-amusil@redhat.com>
References: <20231204054913.14249-1-amusil@redhat.com>
Subject: [ovs-dev] [PATCH v8 4/6] vswitchd, ofproto-dpif: Propagate the CT limit from database.

Propagate the CT limit that is present in the DB into datapath. The limit is currently only propagated on change and can be overwritten by the dpctl commands.

Signed-off-by: Ales Musil
---
v8: Rebase on top of current master.
    Adjust the test for the new ovs-vsctl format.
v7: Rebase on top of current master.
v6: Rebase on top of current master.
    Address comments from Ilya:
    - Update the comments and names.
    - Use loop in the system-test.
v5: Rebase on top of current master.
    Address comments from Ilya:
    - Make sure the zones are always removed.
    - Fix style related problems.
    - Make sure the limit is initialized to -1.
v4: Rebase on top of current master.
    Make sure that the values from DB are propagated only if set. That applies to both limit and policies.
---
 ofproto/ofproto-dpif.c | 39 ++++++++++++++++++++
 ofproto/ofproto-dpif.h | 5 +++
 ofproto/ofproto-provider.h | 8 ++++
 ofproto/ofproto.c | 12 ++++++
 ofproto/ofproto.h | 2 +
 tests/system-traffic.at | 54 +++++++++++++++++++++++++++
 vswitchd/bridge.c | 75 +++++++++++++++++++++++++++++---------
 7 files changed, 177 insertions(+), 18 deletions(-)

diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c index 54e057d43..bfae28d96 100644 --- a/ofproto/ofproto-dpif.c +++ b/ofproto/ofproto-dpif.c @@ -220,6 +220,7 @@ static void ofproto_unixctl_init(void); static void ct_zone_config_init(struct dpif_backer *backer); static void ct_zone_config_uninit(struct dpif_backer *backer); static void ct_zone_timeout_policy_sweep(struct dpif_backer *backer); +static void ct_zone_limits_commit(struct dpif_backer *backer); static inline struct ofproto_dpif * ofproto_dpif_cast(const struct ofproto *ofproto) @@ -513,6 +514,7 @@ type_run(const char *type) process_dpif_port_changes(backer); ct_zone_timeout_policy_sweep(backer); + ct_zone_limits_commit(backer); return 0; } @@ -5532,6 +5534,8 @@ ct_zone_config_init(struct dpif_backer *backer) cmap_init(&backer->ct_zones); hmap_init(&backer->ct_tps); ovs_list_init(&backer->ct_tp_kill_list); + ovs_list_init(&backer->ct_zone_limits_to_add); + ovs_list_init(&backer->ct_zone_limits_to_del); clear_existing_ct_timeout_policies(backer); } 
@@ -5555,6 +5559,8 @@ ct_zone_config_uninit(struct dpif_backer *backer) id_pool_destroy(backer->tp_ids); cmap_destroy(&backer->ct_zones); hmap_destroy(&backer->ct_tps); + ct_dpif_free_zone_limits(&backer->ct_zone_limits_to_add); + ct_dpif_free_zone_limits(&backer->ct_zone_limits_to_del); } static void @@ -5635,6 +5641,38 @@ ct_del_zone_timeout_policy(const char *datapath_type, uint16_t zone_id) } } +static void +ct_zone_limit_update(const char *datapath_type, int32_t zone_id, + int64_t *limit) +{ + struct dpif_backer *backer = shash_find_data(&all_dpif_backers, + datapath_type); + if (!backer) { + return; + } + + if (limit) { + ct_dpif_push_zone_limit(&backer->ct_zone_limits_to_add, zone_id, + *limit, 0); + } else { + ct_dpif_push_zone_limit(&backer->ct_zone_limits_to_del, zone_id, 0, 0); + } +} + +static void +ct_zone_limits_commit(struct dpif_backer *backer) +{ + if (!ovs_list_is_empty(&backer->ct_zone_limits_to_add)) { + ct_dpif_set_limits(backer->dpif, &backer->ct_zone_limits_to_add); + ct_dpif_free_zone_limits(&backer->ct_zone_limits_to_add); + } + + if (!ovs_list_is_empty(&backer->ct_zone_limits_to_del)) { + ct_dpif_del_limits(backer->dpif, &backer->ct_zone_limits_to_del); + ct_dpif_free_zone_limits(&backer->ct_zone_limits_to_del); + } +} + static void get_datapath_cap(const char *datapath_type, struct smap *cap) { @@ -6925,4 +6963,5 @@ const struct ofproto_class ofproto_dpif_class = { ct_flush, /* ct_flush */ ct_set_zone_timeout_policy, ct_del_zone_timeout_policy, + ct_zone_limit_update, }; diff --git a/ofproto/ofproto-dpif.h b/ofproto/ofproto-dpif.h index 1fe22ab41..4709200bc 100644 --- a/ofproto/ofproto-dpif.h +++ b/ofproto/ofproto-dpif.h 
@@ -285,6 +285,11 @@ struct dpif_backer { feature than 'bt_support'. */ struct atomic_count tnl_count; + + struct ovs_list ct_zone_limits_to_add; /* CT zone limits queued for + * addition into datapath. */ + struct ovs_list ct_zone_limits_to_del; /* CT zone limt queued for + * deletion from datapath. */ }; /* All existing ofproto_backer instances, indexed by ofproto->up.type. */ diff --git a/ofproto/ofproto-provider.h b/ofproto/ofproto-provider.h index 9f7b8b6e8..face0b574 100644 --- a/ofproto/ofproto-provider.h +++ b/ofproto/ofproto-provider.h @@ -1921,6 +1921,14 @@ struct ofproto_class { /* Deletes the timeout policy associated with 'zone' in datapath type * 'dp_type'. */ void (*ct_del_zone_timeout_policy)(const char *dp_type, uint16_t zone); + + /* Updates the CT zone limit for specified zone. Setting 'zone' to + * 'OVS_ZONE_LIMIT_DEFAULT_ZONE' represents the default zone. + * 'NULL' passed as 'limit' indicates that the limit should be removed for + * the specified zone. The caller must ensure that the 'limit' value is + * within proper range (0 - UINT32_MAX). */ + void (*ct_zone_limit_update)(const char *dp_type, int32_t zone, + int64_t *limit); }; extern const struct ofproto_class ofproto_dpif_class; diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c index e78c80d11..649add089 100644 --- a/ofproto/ofproto.c +++ b/ofproto/ofproto.c @@ -1026,6 +1026,18 @@ ofproto_ct_del_zone_timeout_policy(const char *datapath_type, uint16_t zone_id) } +void +ofproto_ct_zone_limit_update(const char *datapath_type, int32_t zone_id, + int64_t *limit) +{ + datapath_type = ofproto_normalize_type(datapath_type); + const struct ofproto_class *class = ofproto_class_find__(datapath_type); + + if (class && class->ct_zone_limit_update) { + class->ct_zone_limit_update(datapath_type, zone_id, limit); + } +} + /* Spanning Tree Protocol (STP) configuration. */ diff --git a/ofproto/ofproto.h b/ofproto/ofproto.h index 8efdb20a0..7ce6a65e1 100644 --- a/ofproto/ofproto.h +++ b/ofproto/ofproto.h 
@@ -384,6 +384,8 @@ void ofproto_ct_set_zone_timeout_policy(const char *datapath_type, struct simap *timeout_policy); void ofproto_ct_del_zone_timeout_policy(const char *datapath_type, uint16_t zone); +void ofproto_ct_zone_limit_update(const char *datapath_type, int32_t zone_id, + int64_t *limit); void ofproto_get_datapath_cap(const char *datapath_type, struct smap *dp_cap); diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 3927bb8b1..0eae3295a 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -5266,6 +5266,60 @@ default limit=0 zone=4,limit=0,count=0 ]) +dnl Test limit set via database. +VSCTL_ADD_DATAPATH_TABLE() + +AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=0]) +AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=3]) + +AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10]) +AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=3]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl +default limit=10 +zone=0,limit=5,count=0 +]) + +AT_CHECK([ovs-vsctl set-zone-limit $DP_TYPE 0 3]) +AT_CHECK([ovs-vsctl set-zone-limit $DP_TYPE 3 3]) + +OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/ct-get-limits], [dnl +default limit=10 +zone=0,limit=3,count=0 +zone=3,limit=3,count=0]) + +for i in 2 3 4 5 6; do + packet="50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000${i}00080000" + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 \ + "in_port=2 packet=${packet} actions=resubmit(,0)"]) +done + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.3," | sort ], [0], [dnl +udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=2),reply=(src=10.1.1.4,dst=10.1.1.3,sport=2,dport=1),zone=3 +udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=3),reply=(src=10.1.1.4,dst=10.1.1.3,sport=3,dport=1),zone=3 +udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=4),reply=(src=10.1.1.4,dst=10.1.1.3,sport=4,dport=1),zone=3 +]) + +AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl +default limit=10 +zone=0,limit=3,count=0 +zone=3,limit=3,count=3 +]) + +AT_CHECK([ovs-vsctl del-zone-limit $DP_TYPE 3]) +OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/ct-get-limits], [dnl +default limit=10 +zone=0,limit=3,count=0]) + +AT_CHECK([ovs-vsctl set-zone-limit $DP_TYPE default 5]) +OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/ct-get-limits], [dnl +default limit=5 +zone=0,limit=3,count=0]) + +AT_CHECK([ovs-vsctl del-zone-limit $DP_TYPE default]) +OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/ct-get-limits], [dnl +default limit=0 +zone=0,limit=3,count=0]) + OVS_TRAFFIC_VSWITCHD_STOP(["dnl /could 
not create datapath/d /(Cannot allocate memory) on packet/d"]) diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c index e9110c1d8..5be38b890 100644 --- a/vswitchd/bridge.c +++ b/vswitchd/bridge.c @@ -157,6 +157,8 @@ struct aa_mapping { /* Internal representation of conntrack zone configuration table in OVSDB. */ struct ct_zone { uint16_t zone_id; + int64_t limit; /* Limit of allowed entries. '-1' if not + * specified. */ struct simap tp; /* A map from timeout policy attribute to * timeout value. */ struct hmap_node node; /* Node in 'struct datapath' 'ct_zones' @@ -168,14 +170,15 @@ struct ct_zone { /* Internal representation of datapath configuration table in OVSDB. */ struct datapath { - char *type; /* Datapath type. */ - struct hmap ct_zones; /* Map of 'struct ct_zone' elements, indexed - * by 'zone'. */ - struct hmap_node node; /* Node in 'all_datapaths' hmap. */ - struct smap caps; /* Capabilities. */ - unsigned int last_used; /* The last idl_seqno that this 'datapath' - * used in OVSDB. This number is used for - * garbage collection. */ + char *type; /* Datapath type. */ + struct hmap ct_zones; /* Map of 'struct ct_zone' elements, + * indexed by 'zone'. */ + struct hmap_node node; /* Node in 'all_datapaths' hmap. */ + struct smap caps; /* Capabilities. */ + unsigned int last_used; /* The last idl_seqno that this 'datapath' + * used in OVSDB. This number is used for + * garbage collection. */ + int64_t ct_zone_default_limit; /* Default CT limit for all zones. */ }; /* All bridges, indexed by name. */ @@ -662,6 +665,7 @@ ct_zone_alloc(uint16_t zone_id, struct ovsrec_ct_timeout_policy *tp_cfg) struct ct_zone *ct_zone = xzalloc(sizeof *ct_zone); ct_zone->zone_id = zone_id; + ct_zone->limit = -1; simap_init(&ct_zone->tp); get_timeout_policy_from_ovsrec(&ct_zone->tp, tp_cfg); return ct_zone; 
@@ -670,6 +674,14 @@ ct_zone_alloc(uint16_t zone_id, struct ovsrec_ct_timeout_policy *tp_cfg) static void ct_zone_remove_and_destroy(struct datapath *dp, struct ct_zone *ct_zone) { + if (!simap_is_empty(&ct_zone->tp)) { + ofproto_ct_del_zone_timeout_policy(dp->type, ct_zone->zone_id); + } + + if (ct_zone->limit > -1) { + ofproto_ct_zone_limit_update(dp->type, ct_zone->zone_id, NULL); + } + hmap_remove(&dp->ct_zones, &ct_zone->node); simap_destroy(&ct_zone->tp); free(ct_zone); @@ -706,6 +718,7 @@ datapath_create(const char *type) { struct datapath *dp = xzalloc(sizeof *dp); dp->type = xstrdup(type); + dp->ct_zone_default_limit = -1; hmap_init(&dp->ct_zones); hmap_insert(&all_datapaths, &dp->node, hash_string(type, 0)); smap_init(&dp->caps); @@ -722,6 +735,11 @@ datapath_destroy(struct datapath *dp) ct_zone_remove_and_destroy(dp, ct_zone); } + if (dp->ct_zone_default_limit > -1) { + ofproto_ct_zone_limit_update(dp->type, OVS_ZONE_LIMIT_DEFAULT_ZONE, + NULL); + } + hmap_remove(&all_datapaths, &dp->node); hmap_destroy(&dp->ct_zones); free(dp->type); 
@@ -743,29 +761,50 @@ ct_zones_reconfigure(struct datapath *dp, struct ovsrec_datapath *dp_cfg) struct ovsrec_ct_timeout_policy *tp_cfg = zone_cfg->timeout_policy; ct_zone = ct_zone_lookup(&dp->ct_zones, zone_id); - if (ct_zone) { - struct simap new_tp = SIMAP_INITIALIZER(&new_tp); - get_timeout_policy_from_ovsrec(&new_tp, tp_cfg); - if (update_timeout_policy(&ct_zone->tp, &new_tp)) { + if (!ct_zone) { + ct_zone = ct_zone_alloc(zone_id, tp_cfg); + hmap_insert(&dp->ct_zones, &ct_zone->node, hash_int(zone_id, 0)); + } + + struct simap new_tp = SIMAP_INITIALIZER(&new_tp); + get_timeout_policy_from_ovsrec(&new_tp, tp_cfg); + + if (update_timeout_policy(&ct_zone->tp, &new_tp)) { + if (simap_count(&ct_zone->tp)) { ofproto_ct_set_zone_timeout_policy(dp->type, ct_zone->zone_id, &ct_zone->tp); + } else { + ofproto_ct_del_zone_timeout_policy(dp->type, ct_zone->zone_id); } - } else { - ct_zone = ct_zone_alloc(zone_id, tp_cfg); - hmap_insert(&dp->ct_zones, &ct_zone->node, hash_int(zone_id, 0)); - ofproto_ct_set_zone_timeout_policy(dp->type, ct_zone->zone_id, - &ct_zone->tp); } + + int64_t desired_limit = zone_cfg->limit ? *zone_cfg->limit : -1; + if (ct_zone->limit != desired_limit) { + ofproto_ct_zone_limit_update(dp->type, zone_id, zone_cfg->limit); + ct_zone->limit = desired_limit; + } + ct_zone->last_used = idl_seqno; } /* Purge 'ct_zone's no longer found in the database. */ HMAP_FOR_EACH_SAFE (ct_zone, node, &dp->ct_zones) { if (ct_zone->last_used != idl_seqno) { - ofproto_ct_del_zone_timeout_policy(dp->type, ct_zone->zone_id); ct_zone_remove_and_destroy(dp, ct_zone); } } + + /* Reconfigure default CT zone limit if needed. */ + int64_t default_limit = dp_cfg->ct_zone_default_limit + ? 
*dp_cfg->ct_zone_default_limit + : -1; + + if (dp->ct_zone_default_limit != default_limit) { + ofproto_ct_zone_limit_update(dp->type, OVS_ZONE_LIMIT_DEFAULT_ZONE, + dp_cfg->ct_zone_default_limit); + dp->ct_zone_default_limit = default_limit; + } + } static void From patchwork Mon Dec 4 05:49:12 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ales Musil X-Patchwork-Id: 1871381 X-Patchwork-Delegate: i.maximets@samsung.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=b0dsWfet; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SkCRZ1vhSz23n4 for ; Mon, 4 Dec 2023 16:49:46 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 1EB7940A47; Mon, 4 Dec 2023 05:49:43 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 1EB7940A47 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=b0dsWfet X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) 
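Review bot: In the vswitchd/bridge.c hunk for ct_zones_reconfigure(), a newly created zone appears to lose its timeout policy push. ct_zone_alloc(zone_id, tp_cfg) still fills ct_zone->tp from tp_cfg (the context line get_timeout_policy_from_ovsrec(&ct_zone->tp, tp_cfg) is unchanged), and the new code then builds new_tp from the same tp_cfg. If update_timeout_policy() returns true only when the two maps differ, it returns false for every new zone, so ofproto_ct_set_zone_timeout_policy() is never called on the allocation path, which the removed else branch did unconditionally. Suggest dropping the tp_cfg argument from ct_zone_alloc() so a new zone starts with an empty map, or pushing the policy explicitly right after hmap_insert(). A test that adds a zone with both a timeout policy and a limit in one transaction would cover this path.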
(amavisd-new, port 10024) with ESMTP id gzlroUQnWtff; Mon, 4 Dec 2023 05:49:39 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp2.osuosl.org (Postfix) with ESMTPS id A08DD40AAF; Mon, 4 Dec 2023 05:49:36 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org A08DD40AAF Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 3B740C0072; Mon, 4 Dec 2023 05:49:36 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0ACDDC0037 for ; Mon, 4 Dec 2023 05:49:35 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id C56F940A87 for ; Mon, 4 Dec 2023 05:49:32 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org C56F940A87 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2GSo4IvsaWVN for ; Mon, 4 Dec 2023 05:49:29 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp2.osuosl.org (Postfix) with ESMTPS id 5604040A06 for ; Mon, 4 Dec 2023 05:49:28 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 5604040A06 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1701668967; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O0MAMpQxjD/Zaq6CohAhYfGWiYNLtjhoN751dB/6duM=; b=b0dsWfetYgjpq1rx8ZAMrdzsI9vwHS2GayLiD2B9euizizVIhgqSTcLyoQlHbUrXnxj1Rb 
4mgIpMR4rixLvhC53OOsGdor/ZHmj7MalL26xfFmJ0LvvueCWE7wv6Ia0xYdnSOmk/C6MC px/nZse96O5F7BdsZ2L2mYSVYm3A8tc= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-365-DssnU0NxNuiMlsSuYusvAQ-1; Mon, 04 Dec 2023 00:49:23 -0500 X-MC-Unique: DssnU0NxNuiMlsSuYusvAQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9248B811E7B; Mon, 4 Dec 2023 05:49:23 +0000 (UTC) Received: from amusil.redhat.com (unknown [10.45.224.15]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6C5A840C6EB9; Mon, 4 Dec 2023 05:49:22 +0000 (UTC) From: Ales Musil To: dev@openvswitch.org Date: Mon, 4 Dec 2023 06:49:12 +0100 Message-ID: <20231204054913.14249-6-amusil@redhat.com> In-Reply-To: <20231204054913.14249-1-amusil@redhat.com> References: <20231204054913.14249-1-amusil@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Cc: i.maximets@ovn.org Subject: [ovs-dev] [PATCH v8 5/6] ct-dpif: Enforce CT zone limit protection. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Make sure that if any zone limit was set via DB all zones are forced to be set there also. This is done by tracking which datapath has zone limit protection and it is reflected in the dpctl command. If the datapath is protected the dpctl command will return permission error. 
Signed-off-by: Ales Musil --- v8: Rebase on top of current master. Adjust the test for the new ovs-vsctl format. v7: Rebase on top of current master. Remove leftover comments from testing. v6: Rebase on top of current master. Address comments from Ilya: - Drop the log message about protection. - Make the dpctl error message more user-friendly. - Do not ignore error messages in the system-test. v5: Rebase on top of current master. Address comments from Ilya: - Add more user friendly error message to the dpctl. - Fix style related problems. v4: Rebase on top of current master. Make the protection datapath wide. --- lib/ct-dpif.c | 25 +++++++++++++++++++++ lib/ct-dpif.h | 2 ++ lib/dpctl.c | 14 ++++++++++++ ofproto/ofproto-dpif.c | 13 +++++++++++ ofproto/ofproto-provider.h | 5 +++++ ofproto/ofproto.c | 11 +++++++++ ofproto/ofproto.h | 2 ++ tests/system-traffic.at | 46 ++++++++++++++++++++++++++++++++++++++ vswitchd/bridge.c | 7 ++++++ 9 files changed, 125 insertions(+) diff --git a/lib/ct-dpif.c b/lib/ct-dpif.c index 2ee045164..5115c886b 100644 --- a/lib/ct-dpif.c +++ b/lib/ct-dpif.c @@ -23,6 +23,7 @@ #include "openvswitch/ofp-ct.h" #include "openvswitch/ofp-parse.h" #include "openvswitch/vlog.h" +#include "sset.h" VLOG_DEFINE_THIS_MODULE(ct_dpif); @@ -32,6 +33,10 @@ struct flags { const char *name; }; +/* Protection for CT zone limit per datapath. */ +static struct sset ct_limit_protection = + SSET_INITIALIZER(&ct_limit_protection); + static void ct_dpif_format_counters(struct ds *, const struct ct_dpif_counters *); static void ct_dpif_format_timestamp(struct ds *, 
@@ -1064,3 +1069,23 @@ ct_dpif_get_features(struct dpif *dpif, enum ct_features *features) ? dpif->dpif_class->ct_get_features(dpif, features) : EOPNOTSUPP); } + +void +ct_dpif_set_zone_limit_protection(struct dpif *dpif, bool protected) +{ + if (sset_contains(&ct_limit_protection, dpif->full_name) == protected) { + return; + } + + if (protected) { + sset_add(&ct_limit_protection, dpif->full_name); + } else { + sset_find_and_delete(&ct_limit_protection, dpif->full_name); + } +} + +bool +ct_dpif_is_zone_limit_protected(struct dpif *dpif) +{ + return sset_contains(&ct_limit_protection, dpif->full_name); +} diff --git a/lib/ct-dpif.h b/lib/ct-dpif.h index c8a7c155e..c3786d5ae 100644 --- a/lib/ct-dpif.h +++ b/lib/ct-dpif.h @@ -350,5 +350,7 @@ int ct_dpif_get_timeout_policy_name(struct dpif *dpif, uint32_t tp_id, uint16_t dl_type, uint8_t nw_proto, char **tp_name, bool *is_generic); int ct_dpif_get_features(struct dpif *dpif, enum ct_features *features); +void ct_dpif_set_zone_limit_protection(struct dpif *, bool protected); +bool ct_dpif_is_zone_limit_protected(struct dpif *); #endif /* CT_DPIF_H */ diff --git a/lib/dpctl.c b/lib/dpctl.c index a8c654747..2a1aac5e5 100644 --- a/lib/dpctl.c +++ b/lib/dpctl.c @@ -2234,6 +2234,13 @@ dpctl_ct_set_limits(int argc, const char *argv[], ct_dpif_push_zone_limit(&zone_limits, zone, limit, 0); } + if (ct_dpif_is_zone_limit_protected(dpif)) { + ds_put_cstr(&ds, "the zone limits are set via database, " + "use 'ovs-vsctl set-zone-limit <...>' instead."); + error = EPERM; + goto error; + } + error = ct_dpif_set_limits(dpif, &zone_limits); if (!error) { ct_dpif_free_zone_limits(&zone_limits); @@ -2310,6 +2317,13 @@ dpctl_ct_del_limits(int argc, const char *argv[], } } + if (ct_dpif_is_zone_limit_protected(dpif)) { + ds_put_cstr(&ds, "the zone limits are set via database, " + "use 'ovs-vsctl del-zone-limit <...>' instead."); + error = EPERM; + goto error; + } + error = ct_dpif_del_limits(dpif, &zone_limits); if (!error) { goto out; 
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c index bfae28d96..6e62ed1f9 100644 --- a/ofproto/ofproto-dpif.c +++ b/ofproto/ofproto-dpif.c @@ -5673,6 +5673,18 @@ ct_zone_limits_commit(struct dpif_backer *backer) } } +static void +ct_zone_limit_protection_update(const char *datapath_type, bool protected) +{ + struct dpif_backer *backer = shash_find_data(&all_dpif_backers, + datapath_type); + if (!backer) { + return; + } + + ct_dpif_set_zone_limit_protection(backer->dpif, protected); +} + static void get_datapath_cap(const char *datapath_type, struct smap *cap) { @@ -6964,4 +6976,5 @@ const struct ofproto_class ofproto_dpif_class = { ct_set_zone_timeout_policy, ct_del_zone_timeout_policy, ct_zone_limit_update, + ct_zone_limit_protection_update, }; diff --git a/ofproto/ofproto-provider.h b/ofproto/ofproto-provider.h index face0b574..83c509fcf 100644 --- a/ofproto/ofproto-provider.h +++ b/ofproto/ofproto-provider.h @@ -1929,6 +1929,11 @@ struct ofproto_class { * within proper range (0 - UINT32_MAX). */ void (*ct_zone_limit_update)(const char *dp_type, int32_t zone, int64_t *limit); + + /* Sets the CT zone limit protection to "protected" for the specified + * datapath type. */ + void (*ct_zone_limit_protection_update)(const char *dp_type, + bool protected); }; extern const struct ofproto_class ofproto_dpif_class; diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c index 649add089..122a06f30 100644 --- a/ofproto/ofproto.c +++ b/ofproto/ofproto.c @@ -1038,6 +1038,17 @@ ofproto_ct_zone_limit_update(const char *datapath_type, int32_t zone_id, } } +void +ofproto_ct_zone_limit_protection_update(const char *datapath_type, + bool protected) +{ + datapath_type = ofproto_normalize_type(datapath_type); + const struct ofproto_class *class = ofproto_class_find__(datapath_type); + + if (class && class->ct_zone_limit_protection_update) { + class->ct_zone_limit_protection_update(datapath_type, protected); + } +} /* Spanning Tree Protocol (STP) configuration. */ 
diff --git a/ofproto/ofproto.h b/ofproto/ofproto.h index 7ce6a65e1..1c07df275 100644 --- a/ofproto/ofproto.h +++ b/ofproto/ofproto.h @@ -386,6 +386,8 @@ void ofproto_ct_del_zone_timeout_policy(const char *datapath_type, uint16_t zone); void ofproto_ct_zone_limit_update(const char *datapath_type, int32_t zone_id, int64_t *limit); +void ofproto_ct_zone_limit_protection_update(const char *datapath_type, + bool protected); void ofproto_get_datapath_cap(const char *datapath_type, struct smap *dp_cap); diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 0eae3295a..8d1411bb8 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -5320,6 +5320,52 @@ OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/ct-get-limits], [dnl default limit=0 zone=0,limit=3,count=0]) +dnl Try to overwrite the zone limit via dpctl command. +AT_CHECK([ovs-appctl dpctl/ct-set-limits default=15 zone=3,limit=5 zone=0,limit=5], [2], [ignore], [dnl +ovs-vswitchd: the zone limits are set via database, use 'ovs-vsctl set-zone-limit <...>' instead. (Operation not permitted) +ovs-appctl: ovs-vswitchd: server returned an error +]) + +AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl +default limit=0 +zone=0,limit=3,count=0 +]) + +AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=0], [2], [ignore], [dnl +ovs-vswitchd: the zone limits are set via database, use 'ovs-vsctl del-zone-limit <...>' instead. (Operation not permitted) +ovs-appctl: ovs-vswitchd: server returned an error +]) + +AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl +default limit=0 +zone=0,limit=3,count=0 +]) + +AT_CHECK([ovs-vsctl del-zone-limit $DP_TYPE 0]) +AT_CHECK([ovs-vsctl set-zone-limit $DP_TYPE default 10]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl +default limit=10 +]) + +AT_CHECK([ovs-appctl dpctl/ct-set-limits default=15 zone=1,limit=5], [2], [ignore], [dnl +ovs-vswitchd: the zone limits are set via database, use 'ovs-vsctl set-zone-limit <...>' instead. (Operation not permitted) +ovs-appctl: ovs-vswitchd: server returned an error +]) + +dnl Delete all zones from DB, that should remove the protection. +AT_CHECK([ovs-vsctl del-zone-limit $DP_TYPE default]) + +AT_CHECK([ovs-appctl dpctl/ct-set-limits default=15 zone=1,limit=5]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl +default limit=15 +zone=1,limit=5,count=0 +]) + +AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=1]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl +default limit=15 +]) + OVS_TRAFFIC_VSWITCHD_STOP(["dnl /could not create datapath/d /(Cannot allocate memory) on packet/d"]) diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c index 5be38b890..95a65fcdc 100644 
--- a/vswitchd/bridge.c +++ b/vswitchd/bridge.c @@ -740,6 +740,7 @@ datapath_destroy(struct datapath *dp) NULL); } + ofproto_ct_zone_limit_protection_update(dp->type, false); hmap_remove(&all_datapaths, &dp->node); hmap_destroy(&dp->ct_zones); free(dp->type); @@ -752,6 +753,7 @@ static void ct_zones_reconfigure(struct datapath *dp, struct ovsrec_datapath *dp_cfg) { struct ct_zone *ct_zone; + bool protected = false; /* Add new 'ct_zone's or update existing 'ct_zone's based on the database * state. */ @@ -785,6 +787,8 @@ ct_zones_reconfigure(struct datapath *dp, struct ovsrec_datapath *dp_cfg) } ct_zone->last_used = idl_seqno; + + protected = protected || !!zone_cfg->limit; } /* Purge 'ct_zone's no longer found in the database. */ 
@@ -805,6 +809,9 @@ ct_zones_reconfigure(struct datapath *dp, struct ovsrec_datapath *dp_cfg) dp->ct_zone_default_limit = default_limit; } + protected = protected || !!dp_cfg->ct_zone_default_limit; + + ofproto_ct_zone_limit_protection_update(dp->type, protected); } static void From patchwork Mon Dec 4 05:49:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ales Musil X-Patchwork-Id: 1871382 X-Patchwork-Delegate: i.maximets@samsung.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=I1Sl3d1o; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SkCRZ5hyTz23nk for ; Mon, 4 Dec 2023 16:49:46 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 7010941713; Mon, 4 Dec 2023 05:49:44 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 7010941713 Authentication-Results: smtp4.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=I1Sl3d1o X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost 
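Review bot: The EPERM rejection added to dpctl_ct_set_limits() and dpctl_ct_del_limits() in lib/dpctl.c is a user-visible behaviour change, yet none of the nine files in the diffstat is documentation. Suggest describing, where dpctl/ct-set-limits and dpctl/ct-del-limits are documented, that both commands are refused once any limit (per-zone or default) is present in the database for that datapath. A comment next to ct_limit_protection in lib/ct-dpif.c should also say that the set is static state of the process that ran ct_zones_reconfigure(), keyed by dpif->full_name, so the guard covers only dpctl commands executed inside that process.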
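Review bot: In the tests/system-traffic.at hunk, the check that follows 'ovs-vsctl del-zone-limit $DP_TYPE 0' and 'ovs-vsctl set-zone-limit $DP_TYPE default 10' reads the limits with a plain AT_CHECK, while the database-driven checks earlier in the same test use OVS_WAIT_UNTIL_EQUAL after each ovs-vsctl change. Suggest OVS_WAIT_UNTIL_EQUAL here as well, so the expected 'default limit=10' does not depend on the limit having reached the datapath by the time ovs-vsctl returns. The same applies to the 'dpctl/ct-set-limits default=15 zone=1,limit=5' call that is expected to succeed right after 'ovs-vsctl del-zone-limit $DP_TYPE default' removes the protection.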
(smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IOhms5gsmeL1; Mon, 4 Dec 2023 05:49:41 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp4.osuosl.org (Postfix) with ESMTPS id A301441685; Mon, 4 Dec 2023 05:49:39 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org A301441685 Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id DD293C0DD6; Mon, 4 Dec 2023 05:49:36 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 09346C0072 for ; Mon, 4 Dec 2023 05:49:36 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 0B41C81A0D for ; Mon, 4 Dec 2023 05:49:32 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 0B41C81A0D Authentication-Results: smtp1.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=I1Sl3d1o X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S9C-ePMKd61N for ; Mon, 4 Dec 2023 05:49:30 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id B9014817E4 for ; Mon, 4 Dec 2023 05:49:29 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org B9014817E4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1701668968; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: 
in-reply-to:in-reply-to:references:references; bh=ilzrL7Lsd2lD0tY/XebQ2YBMhYgLj6QYRXw49hJuqvo=; b=I1Sl3d1oUuAUUUr/wL5tPZ+swKnBA5uIb8m5aq3Hj4Ka99csPL7ARQKNEldm/4Ek++miHv wfcUg5gzLrO2RVTDkxzY8gb2mpSX5mQLV80UQM2MsvYAq30bZoUsLAMX9Wk9GjDFLoMqXr VGfRPZQ0Oj80gmKdh52Bk1xdcK6aVAc= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-385-BV51hUkYM8K-iF9vc5RHtQ-1; Mon, 04 Dec 2023 00:49:25 -0500 X-MC-Unique: BV51hUkYM8K-iF9vc5RHtQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 084E9101A52D; Mon, 4 Dec 2023 05:49:25 +0000 (UTC) Received: from amusil.redhat.com (unknown [10.45.224.15]) by smtp.corp.redhat.com (Postfix) with ESMTP id DD62A40C6EB9; Mon, 4 Dec 2023 05:49:23 +0000 (UTC) 
From: Ales Musil To: dev@openvswitch.org Date: Mon, 4 Dec 2023 06:49:13 +0100 Message-ID: <20231204054913.14249-7-amusil@redhat.com> In-Reply-To: <20231204054913.14249-1-amusil@redhat.com> References: <20231204054913.14249-1-amusil@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Cc: i.maximets@ovn.org Subject: [ovs-dev] [PATCH v8 6/6] tests: Do not use zone 0 for CT limit system test. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" The zone 0 is default system zone, do not use this zone for the test because it might contain some entries already which could cause flakiness during the check. In order to still have the zone 0 parsing coverage add simple unit tests for dpctl. Signed-off-by: Ales Musil --- v8: Rebase on top of current master. Adjust the test for the new ovs-vsctl format. v7: Rebase on top of current master. Revert the unrelated EOL change. v6: Rebase on top of current master. --- tests/dpctl.at | 8 +++++- tests/system-traffic.at | 59 ++++++++++++++++++++--------------------- 2 files changed, 36 insertions(+), 31 deletions(-) diff --git a/tests/dpctl.at b/tests/dpctl.at index d2f1046f8..a87f67f98 100644 --- a/tests/dpctl.at +++ b/tests/dpctl.at @@ -136,7 +136,7 @@ AT_CHECK([ovs-appctl dpctl/del-dp dummy@br0]) OVS_VSWITCHD_STOP AT_CLEANUP -AT_SETUP([dpctl - ct-get-limits ct-del-limits]) +AT_SETUP([dpctl - ct-set-limits ct-get-limits ct-del-limits]) OVS_VSWITCHD_START AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [default limit=0 ]) 
@@ -149,5 +149,11 @@ AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=x], [2], [], ovs-appctl: ovs-vswitchd: server returned an error ]) AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=]) +AT_CHECK([ovs-appctl dpctl/ct-set-limits zone=0,limit=0]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0], [0], [default limit=0 +zone=0,limit=0,count=0 +]) +AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=0]) + OVS_VSWITCHD_STOP AT_CLEANUP \ No newline at end of file diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 8d1411bb8..0ab7f666f 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -5169,20 +5169,20 @@ ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") AT_DATA([flows.txt], [dnl priority=1,action=drop priority=10,arp,action=normal -priority=100,in_port=1,udp,action=ct(commit),2 +priority=100,in_port=1,udp,action=ct(zone=1,commit),2 priority=100,in_port=2,udp,action=ct(zone=3,commit),1 ]) AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) -AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=15 zone=2,limit=3 zone=3,limit=3]) -AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=1,2,4]) -AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3], [],[dnl +AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10 zone=1,limit=5 zone=2,limit=3 zone=3,limit=3 zone=4,limit=15]) +AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=2,4,5]) +AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=1,2,3,4], [],[dnl default limit=10 -zone=0,limit=5,count=0 -zone=1,limit=10,count=0 +zone=1,limit=5,count=0 zone=2,limit=10,count=0 zone=3,limit=3,count=0 +zone=4,limit=10,count=0 ]) dnl Test UDP from port 1 
@@ -5196,10 +5196,9 @@ AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a5 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000900080000 actions=resubmit(,0)"]) AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000a00080000 actions=resubmit(,0)"]) -AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3,4,5], [0], [dnl +AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=1,2,3,4,5], [0], [dnl default limit=10 -zone=0,limit=5,count=5 -zone=1,limit=10,count=0 +zone=1,limit=5,count=5 zone=2,limit=10,count=0 zone=3,limit=3,count=0 zone=4,limit=10,count=0 
@@ -5209,16 +5208,16 @@ zone=5,limit=10,count=0 dnl Test ct-get-limits for all zones AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl default limit=10 -zone=0,limit=5,count=5 +zone=1,limit=5,count=5 zone=3,limit=3,count=0 ]) AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1," | sort ], [0], [dnl -udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1) -udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=3),reply=(src=10.1.1.2,dst=10.1.1.1,sport=3,dport=1) -udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=4),reply=(src=10.1.1.2,dst=10.1.1.1,sport=4,dport=1) -udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=5),reply=(src=10.1.1.2,dst=10.1.1.1,sport=5,dport=1) -udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=6),reply=(src=10.1.1.2,dst=10.1.1.1,sport=6,dport=1) +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),zone=1 +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=3),reply=(src=10.1.1.2,dst=10.1.1.1,sport=3,dport=1),zone=1 +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=4),reply=(src=10.1.1.2,dst=10.1.1.1,sport=4,dport=1),zone=1 +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=5),reply=(src=10.1.1.2,dst=10.1.1.1,sport=5,dport=1),zone=1 +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=6),reply=(src=10.1.1.2,dst=10.1.1.1,sport=6,dport=1),zone=1 ]) dnl Test UDP from port 2 
@@ -5228,9 +5227,9 @@ AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a5 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000500080000 actions=resubmit(,0)"]) AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000600080000 actions=resubmit(,0)"]) -AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,3], [0], [dnl +AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=1,3], [0], [dnl default limit=10 -zone=0,limit=5,count=5 +zone=1,limit=5,count=5 zone=3,limit=3,count=3 ]) @@ -5269,22 +5268,22 @@ zone=4,limit=0,count=0 dnl Test limit set via database. VSCTL_ADD_DATAPATH_TABLE() -AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=0]) +AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=1]) AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=3]) AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10]) AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=3]) AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl default limit=10 -zone=0,limit=5,count=0 +zone=1,limit=5,count=0 ]) -AT_CHECK([ovs-vsctl set-zone-limit $DP_TYPE 0 3]) +AT_CHECK([ovs-vsctl set-zone-limit $DP_TYPE 1 3]) AT_CHECK([ovs-vsctl set-zone-limit $DP_TYPE 3 3]) OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/ct-get-limits], [dnl default limit=10 -zone=0,limit=3,count=0 +zone=1,limit=3,count=0 zone=3,limit=3,count=0]) for i in 2 3 4 5 6; do 
@@ -5301,47 +5300,47 @@ udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=4),reply=(src=10.1.1.4,dst=10. AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl default limit=10 -zone=0,limit=3,count=0 +zone=1,limit=3,count=0 zone=3,limit=3,count=3 ]) AT_CHECK([ovs-vsctl del-zone-limit $DP_TYPE 3]) OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/ct-get-limits], [dnl default limit=10 -zone=0,limit=3,count=0]) +zone=1,limit=3,count=0]) AT_CHECK([ovs-vsctl set-zone-limit $DP_TYPE default 5]) OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/ct-get-limits], [dnl default limit=5 -zone=0,limit=3,count=0]) +zone=1,limit=3,count=0]) AT_CHECK([ovs-vsctl del-zone-limit $DP_TYPE default]) OVS_WAIT_UNTIL_EQUAL([ovs-appctl dpctl/ct-get-limits], [dnl default limit=0 -zone=0,limit=3,count=0]) +zone=1,limit=3,count=0]) dnl Try to overwrite the zone limit via dpctl command. -AT_CHECK([ovs-appctl dpctl/ct-set-limits default=15 zone=3,limit=5 zone=0,limit=5], [2], [ignore], [dnl +AT_CHECK([ovs-appctl dpctl/ct-set-limits default=15 zone=3,limit=5 zone=1,limit=5], [2], [ignore], [dnl ovs-vswitchd: the zone limits are set via database, use 'ovs-vsctl set-zone-limit <...>' instead. (Operation not permitted) ovs-appctl: ovs-vswitchd: server returned an error ]) AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl default limit=0 -zone=0,limit=3,count=0 +zone=1,limit=3,count=0 ]) -AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=0], [2], [ignore], [dnl +AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=1], [2], [ignore], [dnl ovs-vswitchd: the zone limits are set via database, use 'ovs-vsctl del-zone-limit <...>' instead. 
(Operation not permitted) ovs-appctl: ovs-vswitchd: server returned an error ]) AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl default limit=0 -zone=0,limit=3,count=0 +zone=1,limit=3,count=0 ]) -AT_CHECK([ovs-vsctl del-zone-limit $DP_TYPE 0]) +AT_CHECK([ovs-vsctl del-zone-limit $DP_TYPE 1]) AT_CHECK([ovs-vsctl set-zone-limit $DP_TYPE default 10]) AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl default limit=10
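Review bot: In the tests/dpctl.at hunk, the new zone 0 check cannot tell a stored limit from the default. It sets zone=0,limit=0 while the default limit is also 0, and the tests/system-traffic.at checks in this same patch show that querying a zone with no limit of its own prints the default (zone=2,limit=10,count=0 after 'ct-del-limits zone=2,4,5' with default=10). The expected 'zone=0,limit=0,count=0' would therefore be printed whether or not ct-set-limits took effect. Suggest a non-zero value such as zone=0,limit=5, plus a final 'dpctl/ct-get-limits' after 'ct-del-limits zone=0' to confirm the entry is gone.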