tunnels: Enable UDP checksum computation for Geneve and VXLAN.

The kernel module can already support outer UDP checksums for
Geneve and VXLAN using the standard checksum flag in tunnel
metadata. This makes userspace aware of the capability so that
users can enable it on tunnel ports.

There is a complication in that there is no way for userspace to
probe or detect if the kernel does not support this capability
in order to warn the user. In this case, connectivity will appear
to function normally but packets will not be checksum protected.
This is mainly an issue for VXLAN which has existed in the kernel
for a some time without checksum support - while there are also
a few kernel versions that support Geneve only without checksums,
they are much less common.

There isn't a particularly good solution to the compatibility
issue without introducing a larger capabilities structure. However,
UDP checksums are likely to be used only rarely at this point in
time and the VXLAN spec (where the main problem lies) recommends
against them. Therefore, this is considered to be an advanced user
feature and we settle for just documenting the issue.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pritesh Kothari <pritesh.kothari@cisco.com>

diff --git a/FAQ.md b/FAQ.md
index b112dfb..21d4e7a 100644 (file)
--- a/FAQ.md
+++ b/FAQ.md
@@ -207,6 +207,7 @@ A: Support for tunnels was added to the upstream Linux kernel module
 |:--------:|:-------------:
 | GRE      |    3.11
 | VXLAN    |    3.12
+| Geneve   |    3.18
 | LISP     | <not upstream>
 
    If you are using a version of the kernel that is older than the one
@@ -216,6 +217,14 @@ A: Support for tunnels was added to the upstream Linux kernel module
    persist after doing this, check to make sure that the module that is
    loaded is the one you expect.
 
+### Q: Why are UDP tunnel checksums not computed for VXLAN or Geneve?
+
+A: Generating outer UDP checksums requires kernel support that was not
+   part of the initial implementation of these protocols. If using the
+   upstream Linux Open vSwitch module, you must use kernel 4.0 or
+   newer. The out-of-tree modules from Open vSwitch release 2.4 and later
+   support UDP checksums.
+
 ### Q: What features are not available when using the userspace datapath?
 
 A: Tunnel virtual ports are not supported, as described in the

diff --git a/NEWS b/NEWS
index b8ddc19..9f9dc4c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -76,6 +76,7 @@ Post-v2.3.0
    - The default OpenFlow and OVSDB ports are now the IANA-assigned
      numbers.  OpenFlow is 6653 and OVSDB is 6640.
    - Support for DPDK vHost.
+   - Support for outer UDP checksums in Geneve and VXLAN.
 
 
 v2.3.0 - 14 Aug 2014

diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
index 8e1b542..954ab9b 100644 (file)
--- a/lib/netdev-vport.c
+++ b/lib/netdev-vport.c
@@ -426,7 +426,8 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args)
     struct netdev_tunnel_config tnl_cfg;
     struct smap_node *node;
 
-    has_csum = strstr(type, "gre");
+    has_csum = strstr(type, "gre") || strstr(type, "geneve") ||
+               strstr(type, "vxlan");
     ipsec_mech_set = false;
     memset(&tnl_cfg, 0, sizeof tnl_cfg);
 

diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index e04aefc..81e8b3f 100644 (file)
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -2057,24 +2057,28 @@
 
          </group>
 
-      <group title="Tunnel Options: gre and ipsec_gre only">
+      <group title="Tunnel Options: gre, ipsec_gre, geneve, and vxlan">
         <p>
-          Only <code>gre</code> and <code>ipsec_gre</code> interfaces support
-          these options.
+          <code>gre</code>, <code>ipsec_gre</code>, <code>geneve</code>, and
+          <code>vxlan</code> interfaces support these options.
         </p>
 
         <column name="options" key="csum" type='{"type": "boolean"}'>
           <p>
-            Optional.  Compute GRE checksums on outgoing packets.  Default is
-            disabled, set to <code>true</code> to enable.  Checksums present on
-            incoming packets will be validated regardless of this setting.
+            Optional.  Compute encapsulation header (either GRE or UDP) 
+            checksums on outgoing packets.  Default is disabled, set to
+            <code>true</code> to enable.  Checksums present on incoming
+            packets will be validated regardless of this setting.
          </p>
 
-         <p>
-           GRE checksums impose a significant performance penalty because they
-           cover the entire packet.  The encapsulated L3, L4, and L7 packet
-           contents typically have their own checksums, so this additional
-           checksum only adds value for the GRE and encapsulated L2 headers.
+          <p>
+            When using the upstream Linux kernel module, computation of
+            checksums for <code>geneve</code> and <code>vxlan</code> requires
+            Linux kernel version 4.0 or higher. <code>gre</code> supports
+            checksums for all versions of Open vSwitch that support GRE.
+            The out of tree kernel module distributed as part of OVS
+            can compute all tunnel checksums on any kernel version that it
+            is compatible with.
           </p>
 
           <p>