Commit 17411ec
dpif-linux: Prevent a single port from monopolizing upcalls.

Currently it is possible for a client on a single port to generate a huge number of packets that miss in the kernel flow table and monopolize the userspace/kernel communication path. This effectively DoS's the machine because no new flow setups can take place.

This adds some additional fairness by separating each upcall type for each object in the datapath onto a separate socket, each with its own queue. Userspace then reads round-robin from each socket so other flow setups can still succeed.

Since the number of objects can potentially be large, we don't always have a unique socket for each. Instead, we create 16 sockets and spread the load around them in a round robin fashion. It's theoretically possible to do better than this with some kind of active load balancing scheme but this seems like a good place to start.

Feature #6485
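The fairness argument in the commit message can be checked with a small model. The following is an added example, not Open vSwitch code and not part of this commit: it compares a single shared upcall queue (the pre-change behaviour) with 16 per-object sockets read round-robin. The figure 16 comes from the commit message; the modulo mapping of ports onto sockets (`socket_for_port`), the queue depth of 64, the service budget of 50, the drop-when-full behaviour and the port numbers used are all assumptions made for the model. The third scenario also shows the caveat the commit message itself raises: with only 16 sockets, two ports that land on the same socket still share one queue, so a flood on one of them can still starve the other.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_SOCKETS 16   /* number of upcall sockets named in the commit message */
#define QUEUE_DEPTH 64   /* assumed per-socket backlog; not stated on the page */

/* A flow-table miss handed up to userspace; only the ingress port matters here. */
struct upcall {
    uint32_t port_no;
};

/* Bounded FIFO standing in for one upcall socket and its receive queue. */
struct queue {
    struct upcall items[QUEUE_DEPTH];
    size_t head, len;
};

/* Enqueue; a full queue drops the upcall, as a full socket buffer would (assumed). */
static bool queue_push(struct queue *q, struct upcall u)
{
    if (q->len == QUEUE_DEPTH) return false;
    q->items[(q->head + q->len) % QUEUE_DEPTH] = u;
    q->len++;
    return true;
}

static bool queue_pop(struct queue *q, struct upcall *out)
{
    if (q->len == 0) return false;
    *out = q->items[q->head];
    q->head = (q->head + 1) % QUEUE_DEPTH;
    q->len--;
    return true;
}

struct datapath {
    struct queue sockets[NUM_SOCKETS];
    size_t next_sock;   /* userspace's round-robin read cursor */
};

/* Assumed mapping of a datapath object (a port) onto one of nsock sockets.
 * With nsock == 1 every port shares a single queue: the pre-change behaviour. */
static size_t socket_for_port(uint32_t port_no, size_t nsock)
{
    return port_no % nsock;
}

/* Kernel side: a miss on port_no becomes an upcall on that port's socket. */
static void upcall_miss(struct datapath *dp, size_t nsock, uint32_t port_no)
{
    struct upcall u = { port_no };
    queue_push(&dp->sockets[socket_for_port(port_no, nsock)], u);
}

/* Constructed scenario: port 1 floods 1000 misses, then victim_port sends 5.
 * Userspace then services 50 upcalls by reading the sockets round-robin.
 * Returns how many of the victim's 5 flow setups were serviced. */
static size_t simulate(bool per_object_sockets, uint32_t victim_port)
{
    const uint32_t flooder = 1;
    size_t nsock = per_object_sockets ? NUM_SOCKETS : 1;
    struct datapath dp;
    memset(&dp, 0, sizeof dp);

    for (int i = 0; i < 1000; i++) upcall_miss(&dp, nsock, flooder);
    for (int i = 0; i < 5; i++) upcall_miss(&dp, nsock, victim_port);

    size_t budget = 50, serviced = 0, idle = 0;
    while (budget > 0 && idle < nsock) {   /* stop after a full pass of empty sockets */
        struct upcall u;
        if (queue_pop(&dp.sockets[dp.next_sock], &u)) {
            serviced += (u.port_no == victim_port);
            budget--;
            idle = 0;
        } else {
            idle++;
        }
        dp.next_sock = (dp.next_sock + 1) % nsock;
    }
    return serviced;
}

int main(void)
{
    printf("single shared socket, victim port 2:   %zu of 5 serviced\n", simulate(false, 2));
    printf("16 per-object sockets, victim port 2:  %zu of 5 serviced\n", simulate(true, 2));
    printf("16 per-object sockets, victim port 17: %zu of 5 serviced\n", simulate(true, 17));
    return 0;
}
```

With one shared queue the flooder fills it before the victim's packets arrive, so none of the victim's flow setups are serviced within the budget; with per-object sockets the victim's own socket is read in turn and all five get through. Port 17 maps onto the same socket as port 1 under the assumed modulo mapping and is starved just as before, which is the residual unfairness the commit message leaves for a later load-balancing scheme.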
1 parent 0b6c119 commit 17411ec

2 files changed

Lines changed: 191 additions & 91 deletions

NEWS

Lines changed: 3 additions & 0 deletions
@@ -15,6 +15,9 @@ Post-v1.2.0
1515
- CAPWAP tunneling now supports an extension to transport a 64-key. By
1616
default it remains compatible with the old version and other
1717
standards-based implementations.
18+
- Flow setups are now processed in a round-robin manner across ports
19+
to prevent any single client from monopolizing the CPU and conducting
20+
a denial of service attack.
1821

1922
v1.2.0 - 03 Aug 2011
2023
------------------------
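Review bot: the NEWS entry added at lines 18-20 of this hunk says flow setups are processed "in a round-robin manner across ports", which overstates what the commit message describes: upcalls are spread over 16 shared sockets, so two ports that land on the same socket still share a single queue and one of them can still crowd out the other. Suggest wording the entry to match, for example "across a set of per-object upcall sockets, which limits (but does not eliminate) the ability of a single client to monopolize flow setup". The dpif-linux.c changes that implement the scheme are not shown on this page, so the reader logic itself cannot be reviewed here.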
