Ovs

Latest version: v3.5.0


Page 1 of 8

3.5.0

--------------------
- The limit on the number of fields for address prefix tracking in flow
tables increased from 3 to 4. For example, it is now possible to
specify both IPv4 and IPv6 address fields at the same time:
    $ ovs-vsctl set Bridge br0 flow_tables:123=@N -- \
          --id=@N create Flow_Table \
          name=table123 prefixes=nw_dst,nw_src,ipv6_dst,ipv6_src
- Address prefix tracking is now enabled by default for both IPv4 and IPv6
address fields: nw_dst, nw_src, ipv6_dst and ipv6_src.
This significantly reduces the number of datapath flows generated
from mixed IPv4+IPv6 flow tables.
- SSL/TLS:
* TLSv1 and TLSv1.1 protocols are deprecated and disabled by default
on OpenFlow and database connections. Use --ssl-protocols to turn
them back on. Support will be fully removed in the next release.
* OpenSSL 1.1.1 or newer is now required for SSL/TLS support.
* The protocol list in --ssl-protocols or corresponding database column
now supports specifying simple protocol ranges like:
- "TLSv1-TLSv1.2" to enable all protocols between TLSv1 and TLSv1.2.
- "TLSv1.2+" to enable protocol TLSv1.2 and later.
The value must be a list of protocols or exactly one protocol range.
* Added explicit support for TLSv1.3. It can now be enabled via
--ssl-protocols (TLSv1.3 was supported in earlier versions only when
this option was not set). TLS ciphersuites for TLSv1.3 and later can
be configured via --ssl-ciphersuites (--ssl-ciphers only applies to
TLSv1.2 and earlier).
* ovs-pki now generates 3072-bit keys by default.
- Userspace datapath:
* The default zone limit, if set, is now inherited by any zone
that does not have a specific value defined, rather than being
treated as a global value, aligning the behavior with that of
the kernel datapath.
* Extended the support for TSO software fallback to include support for
VXLAN, Geneve, and GRE tunneled packets.
- Linux TC offload:
* Add support for matching tunnel flags if the kernel supports it.
* Add support for the "Don't Fragment" (DF) flag in the encap action,
if the kernel supports it.
- Python:
* Added tool called "ovs-flowviz" capable of parsing OpenFlow
and datapath flow dumps and displaying them in several different
formats.
* Dropped support for Python < 3.7.
- DPDK:
* Add support for DPDK 24.11.1.
* Add hardware offload support for matching ICMPv6 protocol
(experimental).
- Tunnels:
* LISP and STT tunnel port types are deprecated and will be removed in
the next release.
- IPsec:
* New option '--root-ipsec-conf' for ovs-monitor-ipsec with Libreswan
to allow cases where '--ipsec-conf' is not the main ipsec.conf, but
included from it. The value should be the path to the main ipsec.conf.
* New option '--use-default-crypto' for ovs-monitor-ipsec with Libreswan
to make it not configure any crypto options (ike/esp) for connections.
Most useful in combination with '--root-ipsec-conf' where system-wide
crypto-policy is included from the root ipsec.conf.
* New option '--ovs-monitor-ipsec-options' for 'ovs-ctl start-ovs-ipsec'
to pass the above new options to ovs-monitor-ipsec.
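
The --ssl-protocols range syntax from the SSL/TLS item above, as an added example that is not code from Open vSwitch: a small auditor that expands a configured value and reports whether it re-enables the deprecated TLSv1 or TLSv1.1. The function names are hypothetical, and splitting list items on commas or whitespace and rejecting reversed ranges are assumptions of this example.

```python
import re

# Protocol names that appear in the release note, oldest first.
KNOWN = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Deprecated and disabled by default as of 3.5.0, per the note.
DEPRECATED = {"TLSv1", "TLSv1.1"}


def expand_protocols(value):
    """Expand an --ssl-protocols value into the ordered list it enables."""
    # Assumption: list items are separated by commas and/or whitespace.
    items = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    if not items:
        raise ValueError("empty protocol list")

    def index(name):
        if name not in KNOWN:
            raise ValueError(f"unknown protocol: {name!r}")
        return KNOWN.index(name)

    ranges = [t for t in items if t.endswith("+") or "-" in t]
    if ranges:
        # "A list of protocols or exactly one protocol range": no mixing.
        if len(items) != 1:
            raise ValueError("a range must be the only item in the value")
        token = items[0]
        if token.endswith("+"):          # open-ended: "TLSv1.2+"
            lo, hi = index(token[:-1]), len(KNOWN) - 1
        else:                            # closed: "TLSv1-TLSv1.2"
            first, _, last = token.partition("-")
            lo, hi = index(first), index(last)
            if lo > hi:
                raise ValueError(f"reversed range: {token!r}")
        return KNOWN[lo:hi + 1]

    # Plain list: de-duplicate and report in version order.
    enabled = {index(t) for t in items}
    return [KNOWN[i] for i in sorted(enabled)]


def audit(value):
    """Return (enabled, deprecated_enabled) for a configured value."""
    enabled = expand_protocols(value)
    return enabled, [p for p in enabled if p in DEPRECATED]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for sample in ["TLSv1.2+", "TLSv1-TLSv1.2", "TLSv1.2,TLSv1.3", "TLSv1.1,TLSv1.2+"]:
        try:
            print(sample, "->", audit(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```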

3.4.0

--------------------
- Option '--mlockall' now only locks memory pages on fault, if possible.
This also makes it compatible with vHost Post-copy Live Migration.
- ovs-appctl:
* Added new option [-f|--format] to choose the output format, e.g. 'json'
or 'text' (by default).
* Added new option [--pretty] to print JSON output in a readable fashion.
* 'dpif/show' and 'list-commands' now support output in JSON format.
* Added 'ofproto/detrace' command that outputs the set of OpenFlow rules
and groups that contributed to the creation of a specific datapath flow.
- ovs-vsctl:
* Added a new filter column in the Mirror table which can be used to
apply filters to mirror ports.
- ovs-tcpdump:
* Added command line parameter --filter to enable filtering the packets
that are captured by tcpdump.
- Userspace datapath:
* Conntrack now supports 'random' flag for selecting ports in a range
while natting and 'persistent' flag for selection of the IP address
from a range.
* IPv6 UDP tunnel encapsulation including Geneve and VXLAN will now
honour the csum option. Configuring the interface with
"options:csum=false" now has the same effect as the udp6zerocsumtx
option has with Linux kernel UDP tunnels.
- The primary development branch has been renamed from 'master' to 'main'.
The OVS tree remains hosted on GitHub.
https://github.com/openvswitch/ovs.git
- DPDK:
* OVS validated with DPDK 23.11.1.
* Link status changes are now handled via interrupt mode if the DPDK
driver supports it. It is possible to revert to polling mode by setting
per interface 'options:dpdk-lsc-interrupt' to 'false'.
- Python:
* Added custom transaction support to the Idl via add_op().
* Added support for different output formats like 'json' to Python's
unixctl classes.
- Tunnels:
* Previously the kernel datapath did not enable UDP checksums by default
in IPv6 tunnels. This behaviour is non-standard, differs from the
Linux kernel, and is also different from the userspace datapath. Now
these tunnels will calculate checksums by default and that behaviour can
be changed with "options:csum=false" just as with the userspace
datapath.
- Local sampling is introduced. It reuses the OpenFlow sample action and
allows samples to be emitted locally (instead of via IPFIX) in a
datapath-specific manner. The Linux kernel datapath is the first to
support this feature by using the new datapath 'psample' action. See
'local-group-id' column in the Flow_Sample_Collector_Set table.
- A new configuration knob 'other-config:explicit-sampled-drops' in the
Open_vSwitch table controls whether an explicit drop action shall be
added at the end of datapath flows whose last action is an
observability-driven sample action.
- OpenFlow:
* A new version of the 'sample' action (NXAST_SAMPLE4) is introduced
that allows use of subfields in 'obs_point_id' and 'obs_domain_id'.

3.3.0

--------------------
- OVSDB:
* Support the pre-vote mechanism in RAFT that protects the cluster against
disruptive servers (section 9.6 of the original RAFT paper). Upgrading
from an older version is supported, but it may trigger more leader elections
during the process, and error logs complaining about unrecognized fields may
be observed on old nodes.
* New command line option --config-file that allows fine control over
remotes and database configuration, including setting options for
connection methods for relays and active-backup replication.
For more details see ovsdb-server(1) and ovsdb(7).
* Make use of cooperative multitasking to improve maintenance of RAFT
cluster during long running processing such as online schema conversion.
- OpenFlow:
* NXT_CT_FLUSH extension is updated to support flushing connections
based on mark and labels. 'ct-flush' command of ovs-ofctl updated
to support these new arguments accordingly.
- ovs-appctl:
* 'ofproto/trace' now reports OpenFlow rules that make up a conjunctive
flow match.
* Output of 'dpctl/show' command no longer shows interface configuration
status, only values of the actual configuration options, a.k.a.
'requested' configuration. The interface configuration status,
a.k.a. 'configured' values, can be found in the 'status' column of
the Interface table, i.e. with 'ovs-vsctl get interface <..> status'.
Reported names adjusted accordingly.
* Added support for removal of default CT zone limit, e.g.
"ovs-appctl dpctl/ct-del-limits default".
* 'dpctl/flush-conntrack' is now capable of flushing connections based
on mark and labels.
* 'mdb/show': support for multicast snooping to show the protocol
responsible for adding/updating the entry.
- ovs-vsctl:
* New commands 'set-zone-limit', 'del-zone-limit' and 'list-zone-limits'
to manage the maximum number of connections in conntrack zones via
a new 'limit' column in the 'CT_Zone' database table and
'ct_zone_default_limit' column in the 'Datapath' table.
- Userspace datapath:
* Added support for Generic Segmentation Offloading for the cases where
TSO is enabled but not supported by an egress interface (except for
tunnel interfaces).
* 'pmd-sleep-max' is updated to also accept pmd-thread-core:sleep-max.
The existing behaviour is maintained and a non key:value pair value
will be applied to all other PMD thread cores. 'pmd-sleep-show' is
updated to show the maximum sleep for each PMD thread core.
* The userspace conntrack module no longer requires the user to specify
connection helpers in all flow rules. Instead, the helper specified
during connection commit will be used by default.
- DPDK:
* Add support for DPDK 23.11.

3.2.0

--------------------
- OVSDB:
* Changed the format in which ovsdb schema conversion operations are stored in
clustered database files. Such operations are now allowed to contain
the bare schema (without data). This significantly improves
the schema conversion performance.
A new ovsdb-server process will be able to read the old database format, but
old processes will *fail* to read a database created by the new one, if
a conversion operation is present. For the cluster service model follow
the upgrade instructions in the 'Upgrading from version 3.1 and earlier to 3.2
and later' section of ovsdb(7).
* When ovsdb-server is running in relay mode, the probe interval is
now configurable via 'ovsdb-server/set-relay-source-probe-interval'
unixctl command.
- IPFIX template and statistics intervals can now be configured through two
new options in the IPFIX table: 'template_interval' and 'stats_interval'.
- Linux kernel datapath:
* OVS now collects per-interface upcall statistics that can be obtained
via 'ovs-appctl dpctl/show -s' or the interface's statistics column
in OVSDB. Available with upstream kernel 6.2+.
- OVS route table in userspace now takes into account preferred source
address from cached kernel routes.
- ovs-appctl:
* Add support for selecting the source address with the
'ovs-appctl ovs/route/add' command.
* New commands "dpctl/{ct-get-sweep-interval,ct-set-sweep-interval}" that
get and set, for the userspace datapath, the sweep interval
for the conntrack garbage collector.
* New command "dpctl/dump-conntrack-exp" that dumps
conntrack's expectations for the userspace datapath.
- ovs-ctl:
* Added new options --[ovsdb-server|ovs-vswitchd]-umask=MODE to set umask
value when starting OVS daemons. E.g., use --ovsdb-server-umask=0002
in order to create OVSDB sockets with access mode of 0770.
- QoS:
* Added new configuration option 'jitter' for a linux-netem QoS type.
* 'linux-htb' QoS type now supports rates higher than 34 Gbps.
- Ingress Policing:
* Ingress policing byte rates can now be configured higher than 34 Gbps.
- DPDK:
* ovs-vswitchd will keep the CAP_SYS_RAWIO capability when started
with the --hw-rawio-access command line option. This allows the
process extra privileges when mapping physical interconnect memory.
* New experimental "rx-steering=rss+<protocol>" option to redirect
certain protocols (for now, only LACP) to a dedicated hardware queue
using the rte_flow API.
- SRv6 Tunnel Protocol:
* Added support for userspace datapath (only).
- Userspace datapath:
* Connection tracking now supports extraction of SCTP L4 information.
* Implementation of OpenFlow meters is now lockless allowing for better
multi-thread scalability.
* IP and L4 checksum offload support is now enabled by default for
interfaces that support it. See the 'status' column in the 'interface'
table to check the status.
* 'pmd-maxsleep' other_config was renamed to 'pmd-sleep-max'.
'pmd-maxsleep' is deprecated and will be removed in a future release.
* 'ovs-appctl dpif-netdev/pmd-sleep-show' command was added to get the
max sleep configuration of PMD thread cores.
* Removed experimental tag from PMD load based sleeping.
- Linux TC offload:
* Add support for offloading VXLAN tunnels with the GBP extensions.
- Python:
* Added async DNS support.
* Dropped support for Python < 3.6.

3.1.0

--------------------
- ovs-vswitchd now detects changes in CPU affinity and adjusts the number
of handler and revalidator threads if necessary.
- AF_XDP:
* Added support for building with libxdp and libbpf >= 0.7.
* Support for AF_XDP is now enabled by default if all dependencies are
available at the build time. Use --disable-afxdp to disable.
Use --enable-afxdp to fail the build if dependencies are not present.
- ovs-appctl:
* "ovs-appctl ofproto/trace" command can now display port names with the
"--names" option.
- OVSDB-IDL:
* Add support for specifying a persistent UUID for row inserts in both
C and Python IDLs.
- Windows:
* Conntrack IPv6 fragment support.
- DPDK:
* Add support for DPDK 22.11.1.
- For the QoS max-rate and STP/RSTP path-cost configuration OVS now assumes
10 Gbps link speed by default in case the actual link speed cannot be
determined. Previously it was 10 Mbps. Values can still be overridden
by specifying 'max-rate' or '[r]stp-path-cost' accordingly.
- OpenFlow:
* New OpenFlow extension NXT_CT_FLUSH to flush connections matching
the specified fields.
- ovs-ctl:
* New option '--dump-hugepages' to include hugepages in core dumps. This
can assist with postmortem analysis involving DPDK, but may also produce
significantly larger core dump files.
- ovs-dpctl and 'ovs-appctl dpctl/' commands:
* 'flush-conntrack' is now capable of handling partial 5-tuple,
with additional optional parameter to specify the reply direction.
- ovs-ofctl:
* New command 'flush-conntrack' that accepts zone and 5-tuple (or partial
5-tuple) for both directions.
- Support for travis-ci.org based continuous integration builds has been
dropped.
- Userspace datapath:
* Add '-secs' argument to appctl 'dpif-netdev/pmd-rxq-show' to show
the pmd usage of an Rx queue over a configurable time period.
* Add new experimental PMD load based sleeping feature. PMD threads can
request to sleep up to a user configured 'pmd-maxsleep' value under
low load conditions.

3.0.0

--------------------
- libopenvswitch API change:
* To fix the Undefined Behavior issue causing the compiler to incorrectly
optimize important parts of code, container iteration macros (e.g.,
LIST_FOR_EACH) have been re-implemented in a UB-safe way.
* Backwards compatibility has mostly been preserved, however the
user-provided pointer is now set to NULL after the loop (unless it
exited via "break;")
* Users of libopenvswitch will need to double-check the use of such loop
macros before compiling with a new version.
* Since the change is limited to the definitions within the headers, the
ABI is not affected.
- OVSDB:
* 'relay' service model now supports transaction history, i.e. honors the
'last-txn-id' field in 'monitor_cond_since' requests from clients.
* New unixctl command 'ovsdb-server/tlog-set DB:TABLE on|off'.
If turned on, ovsdb-server will log (at level INFO and rate limited)
all operations that are committed to table TABLE in the DB database.
* New Local_Config schema added to support Connections (--remote)
configuration in a clustered database independently for each server.
E.g. for listening on unique addresses. See the ovsdb.local-config.5
manpage for schema details.
* Returning unused memory to the OS after the database compaction is now
enabled by default. Use 'ovsdb-server/memory-trim-on-compaction off'
unixctl command to disable.
* Most of the work for the automatic database compaction in clustered
mode has been moved to a separate thread to avoid blocking the process.
- OVSDB-IDL:
* New monitor mode flag, OVSDB_IDL_WRITE_CHANGED_ONLY, allowing
applications to relax atomicity requirements when dealing with
columns whose value has been rewritten (but not changed).
- OpenFlow:
* Extended Flow Monitoring support for all supported OpenFlow versions:
OpenFlow versions 1.0-1.2 with Nicira Extensions
OpenFlow versions 1.3 with Open Network Foundation extension
OpenFlow versions 1.4+, as defined in the OpenFlow specification
- Python:
* Added a new flow parsing library ovs.flow capable of parsing
both OpenFlow and datapath flows.
- IPsec:
* Added support for custom per-tunnel options via 'options:ipsec_*' knobs.
See Documentation/tutorials/ipsec.rst for details.
- Windows:
* Conntrack support for TCPv6, UDPv6, ICMPv6, FTPv6.
* IPv6 Geneve tunnel support.
- DPDK:
* OVS validated with DPDK 21.11.1. It is recommended to use this version
until further releases.
* Delay creating or reusing a mempool for vhost ports until the VM
is started. A failure to create a mempool will now be logged only
when the VM is started.
* New configuration knob 'other_config:shared-mempool-config' to set MTU
that shared mempool mbuf size is based on. This allows interfaces with
different MTU sizes to share mempools.
- Userspace datapath:
* Improved multi-thread scalability of the userspace connection tracking.
* 'dpif-netdev/subtable-lookup-prio-get' appctl command renamed to
'dpif-netdev/subtable-lookup-info-get' to better reflect its purpose.
The old variant is kept for backward compatibility.
* Add actions auto-validator function to compare different actions
implementations against default implementation.
* Add command line option to switch between different actions
implementations available at run time.
* Add build time configure command to enable auto-validator as default
actions implementation at build time.
* Add AVX512 implementation of actions.
- Debian packaging updated to be on par with package source in Debian/Ubuntu.
* Provided an openvswitch-switch-dpdk package that integrates with the
dpdk package in the distributions so that end users can opt into a
DPDK-enabled Open vSwitch binary.
* Provided systemd service files.
* Provided an openvswitch-source package for reproducible integrated builds of,
for example, OVN.
* Shared library and subsequently libopenvswitch and libopenvswitch-dev
binary packages are no longer built.
- Linux TC offload:
* Add support for offloading meters via tc police.
* Add support for offloading the check_pkt_len action.
- New configuration knob 'other_config:all-members-active' for
balance-slb bonds.
- Previously deprecated Linux kernel module is now fully removed from
the OVS source tree. The version provided with the Linux kernel
should be used instead.
- XenServer: Support for integration with XenServer has been removed due to
lack of maintenance and bitrot.


© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.