When a NetFlow record is to be sent for a flow that had more than 2^32
bytes, we used to set the byte count to UINT32_MAX. With this change,
we will send out multiple records to account for all the traffic.
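
What splitting a flow's counters across records involves, as an added illustration rather than the Open vSwitch code: the totals are divided into records whose counters each fit the 32-bit dPkts/dOctets fields of a NetFlow v5 record instead of being saturated at UINT32_MAX. The record layout is v5; addresses, ports and the other header fields are zero placeholders (constructed, not real flow data).

```python
import struct

UINT32_MAX = 0xFFFFFFFF

# NetFlow v5 flow record (48 bytes). dPkts and dOctets are 32-bit fields, so a
# flow that carried more than UINT32_MAX bytes cannot be reported in one record.
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def split_flow_counters(packets: int, octets: int) -> list[tuple[int, int]]:
    """Split a flow's (packets, octets) totals into (dPkts, dOctets) pairs that
    each fit in 32 bits. The pairs sum exactly to the originals, so nothing is
    lost the way clamping to UINT32_MAX used to lose it."""
    if packets < 0 or octets < 0:
        raise ValueError("counters must be non-negative")
    n_records = max(1, _ceil_div(packets, UINT32_MAX), _ceil_div(octets, UINT32_MAX))
    records, pkts_left, octs_left = [], packets, octets
    for remaining in range(n_records, 0, -1):
        # Even share of what is left; the last iteration takes the remainder.
        # A share never exceeds UINT32_MAX because of how n_records was chosen.
        p = _ceil_div(pkts_left, remaining)
        o = _ceil_div(octs_left, remaining)
        records.append((p, o))
        pkts_left -= p
        octs_left -= o
    return records

def clamped_record(packets: int, octets: int) -> tuple[int, int]:
    """The old behaviour: a single record with the byte count saturated."""
    return (min(packets, UINT32_MAX), min(octets, UINT32_MAX))

def pack_v5_records(packets: int, octets: int, first_ms: int, last_ms: int) -> list[bytes]:
    """Encode the split counters as v5 records. Everything except the counters
    and timestamps is a zero placeholder (constructed sample, not real data)."""
    out = []
    for d_pkts, d_octets in split_flow_counters(packets, octets):
        out.append(V5_RECORD.pack(
            0, 0, 0,            # srcaddr, dstaddr, nexthop (placeholders)
            0, 0,               # input, output SNMP interface indexes
            d_pkts, d_octets,   # the two 32-bit counters being split
            first_ms, last_ms,  # SysUptime at first and last packet
            0, 0,               # srcport, dstport
            0, 0, 0, 0,         # pad1, tcp_flags, prot, tos
            0, 0,               # src_as, dst_as
            0, 0, 0))           # src_mask, dst_mask, pad2
    return out
```
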
net/udp.h is currently included indirectly via linux/ipv6.h which is
in turn included indirectly via linux/ip.h. However, this breaks down
if CONFIG_IPV6 is not set, leading to a number of build errors.
Signed-off-by: Simon Horman <horms@verge.net.au>
[Jesse: shortened commit message]
Signed-off-by: Jesse Gross <jesse@nicira.com>

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Simon Horman <horms@verge.net.au>
[Jesse: Added missing pr_fmt in vport-gre.c and dp_sysfs_dp.c]
Signed-off-by: Jesse Gross <jesse@nicira.com>

In the earliest kernels that we support, this family of macros
wasn't defined at all. Later they were defined but did not include
the module name. Finally, pr_warn was made a synonym for pr_warning.
This harmonizes the behavior across all kernels.
Signed-off-by: Jesse Gross <jesse@nicira.com>

For a while the Debian packages were not well maintained or regularly used,
but we at Nicira use them all the time now. We now aim to have them
accepted into Debian downstream, so we should at least not discourage
users from trying them out.
Signed-off-by: Ben Pfaff <blp@nicira.com>

This package was never used by many users, has not worked properly for a
while, and causes lintian warnings, so remove it.
CC: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>

Some of the flow actions that modify skbuff data did not check that the
skbuff was long enough before doing so. This commit fixes that problem.
Previously, the strategy for avoiding this was to only indicate the layer-3
nw_proto field in the flow if the corresponding layer-4 header was fully
present, so that if, for example, nw_proto was IPPROTO_TCP, this meant
that a TCP header was present. The original motivation for this patch was
to add corresponding code to only indicate a layer-2 dl_type if the
corresponding layer-3 header was fully present. But I'm now convinced that
this approach is conceptually wrong, because the meaning of a layer-N
header should not be affected by the meaning of a layer-(N+1) header.
This commit switches to a new approach. Now, when a header is missing, its
fields in the flow are simply zeroed and have no effect on the "type" field
for the outer header. Responsibility for ensuring that a header is fully
present is now shifted to the actions that wish to modify that header.
Signed-off-by: Ben Pfaff <blp@nicira.com>

This commit started out as simply better documenting flow_extract(),
but then I realized that nothing cares about transport_header in the
non-IP case, so don't bother with it at all.
Signed-off-by: Ben Pfaff <blp@nicira.com>

These calls to pskb_may_pull() can be reduced to checks on skb->len because
in these contexts those headers will already have been pulled into the
skb linear area if it is there at all.
Signed-off-by: Ben Pfaff <blp@nicira.com>

Until now flow_extract() has simply returned a bogus flow when memory
allocation errors occurred. This fixes the problem by propagating the
error to the caller.
Signed-off-by: Ben Pfaff <blp@nicira.com>

It seems best to ignore "packet_in"s caused by OFPP_CONTROLLER actions in
learning-switch, since someone might be experimenting and it's best not
to interfere with that.
This additionally optimizes the common case of the first packet of a flow
that consists only of an OFPAT_CONTROLLER action, by avoiding an
ofpbuf_clone() call along that path.

When an OpenFlow flow says to send packets to the controller, until now
ofproto has executed that using dpif_execute(), which passes the packet up
to the kernel. The kernel queues the packet into its "action" queue, and
then later ofproto pulls the packet back down from the kernel and sends it
to the controller.
However, this is unnecessary. Open vSwitch can just recognize in advance
that it will get the packet back and handle it directly, skipping the round
trip. This commit implements this optimization.
This generally affects only the first packet in a flow, since generally the
rest come directly down from the kernel. It only optimizes the "easy" case
where the first action in a flow is to send the packet to the controller,
since this seems to be the common case in the flows that I'm looking at
now.

vswitch.xml was updated to describe system-id and xs-system-uuid but the
implementation of this update was incomplete.
CC: Justin Pettit <jpettit@nicira.com>
CC: Jeremy Stribling <strib@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

Years ago some users had broken OpenSSL libraries that didn't actually
work, so we disabled OpenSSL by default. By now, I hope that those users
have fixed their systems.

"ARP spoofing" is when a host claims an incorrect association between an
IP address and a MAC address for deceptive purposes. OpenFlow by itself
can prevent a host from sending out ARP replies from an incorrect MAC
address in the Ethernet L2 header, but it cannot control the MAC addresses
inside the ARP L3 packet. This commit adds a new action that can be used
to drop these spoofed packets.
CC: Paul Ingram <paul@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
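
The mismatch described above, as an added example and not the OVS action itself: parse the Ethernet and ARP headers and flag an IPv4-over-Ethernet ARP packet whose sender hardware address inside the ARP payload differs from the Ethernet source address, checking first that the ARP header is fully present (the responsibility the flow_extract changes earlier in this log shift onto actions). The MAC and IP addresses are constructed sample values.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_HTYPE_ETHERNET, ARP_PTYPE_IPV4 = 1, 0x0800

def is_spoofed_arp(frame: bytes) -> bool:
    """True when the frame is an Ethernet/IPv4 ARP packet whose sender hardware
    address (inside the ARP payload) differs from the Ethernet source address.
    Ordinary OpenFlow matches can police the L2 header; this is the check on
    the L3 payload that the commit message describes as the missing piece."""
    if len(frame) < ETH_HDR.size:
        return False
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return False
    # Only read ARP fields if the whole ARP header is actually present; a
    # truncated packet is not judged spoofed by this check.
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return False
    htype, ptype, hlen, plen, _op, sha, _spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (ARP_HTYPE_ETHERNET, ARP_PTYPE_IPV4, 6, 4):
        return False
    return sha != eth_src

def filter_spoofed_arp(frames):
    """Frames that survive the drop: everything except spoofed ARP packets."""
    return [f for f in frames if not is_spoofed_arp(f)]

def build_arp_reply(eth_src: bytes, arp_sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Constructed sample frame: an ARP reply (op=2) whose Ethernet source and
    ARP sender hardware address are chosen independently."""
    eth = ETH_HDR.pack(tha, eth_src, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(ARP_HTYPE_ETHERNET, ARP_PTYPE_IPV4, 6, 4, 2, arp_sha, spa, tha, tpa)
    return eth + arp

# Constructed addresses for illustration only.
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
MAC_C = bytes.fromhex("02000000000c")
IP_A, IP_B = bytes([10, 0, 0, 10]), bytes([10, 0, 0, 11])

HONEST = build_arp_reply(MAC_A, MAC_A, IP_A, MAC_B, IP_B)   # ARP sha matches L2 source
SPOOFED = build_arp_reply(MAC_C, MAC_A, IP_A, MAC_B, IP_B)  # L2 source C, ARP payload claims A
```
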
The current date in milliseconds since the epoch is ~1,282,841,552,000,
which is greater than LONG_MAX of 4,294,967,295 on 32-bit systems, so
no matter what was stored into bond_next_fake_iface_update, it would always
appear to be expired. It really needs to be a 64-bit number. (This was
just a typo really.)
Since XenServer 5.5 requires --fake-proc-net, this probably fixes an
important bug there.
Reported-by: Luiz Henrique Ozaki <luiz.ozaki@gmail.com>

flow_extract() can fail due to memory allocation errors in pskb_may_pull().
Currently it doesn't return those properly, instead just reporting a bogus
flow to the caller. But its return value is currently in use for reporting
whether the packet was an IPv4 fragment. This commit switches to reporting
that in the skb itself so that the return value can be reused to report
errors.
Signed-off-by: Ben Pfaff <blp@nicira.com>

The monitor-external-ids daemon monitors the external_ids columns of the
Bridge and Interface OVSDB tables. Its primary responsibility is to
set the "bridge-id" and "iface-id" keys in the Bridge and Interface
tables, respectively. It also looks for the use of "network-uuids" in
the Bridge table and duplicates its value to the preferred
"xs-network-uuids".
Signed-off-by: Justin Pettit <jpettit@nicira.com>

The configuration schema defines the system-type and system-version
external-ids for the Open_vSwitch table. This commit adds support for
reporting them on XenServer.
Signed-off-by: Justin Pettit <jpettit@nicira.com>

As we move to new platforms, not all external identifiers will be
universally unique, but the "-uuid" suffix seemingly prevents their use.
Create new identifiers without the "-uuid" suffix. Change the existing
XenServer-specific external identifiers to contain a "xs-" prefix. This
also allows a XenServer integrator to define identifiers different from
the XenServer UUIDs, but still leave them in the config database to be
used by other programs.

The previous commit dropped usage of simplejson from the Python
code in the tree, because it did not provide adequate features to
support the JSON-RPC engine. In particular simplejson is not a
"push parser"--you can't give it a byte or a character at a time
and have it tell you when it has read a whole JSON value.
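
A sketch of the push-parser behaviour the message describes, added here as illustration and not the ovs.json implementation: it accepts input a byte at a time and reports when a whole top-level object or array has been read, which is the assumption made about JSON-RPC traffic; the completed text is then handed to json.loads().

```python
import json

class JsonPushParser:
    """Byte-at-a-time detector for the end of one top-level JSON object or array.
    Tracks only bracket depth and string state; the finished buffer is handed to
    json.loads().  Assumption: every message is an object or array (as in
    JSON-RPC), so bare top-level scalars are rejected."""

    def __init__(self) -> None:
        self.buf, self.depth, self.done = bytearray(), 0, False
        self.in_string = self.escaped = False

    def feed(self, data: bytes) -> int:
        """Consume bytes until a value completes; unconsumed bytes belong to the next one."""
        for i, b in enumerate(data):
            if self.done:
                return i
            self.buf.append(b)
            c = chr(b)
            if self.in_string:
                # Brackets inside a string mean nothing; an unescaped quote ends it.
                if self.escaped:
                    self.escaped = False
                elif c == "\\":
                    self.escaped = True
                elif c == '"':
                    self.in_string = False
            elif c == '"':
                self.in_string = True
            elif c in "{[":
                self.depth += 1
            elif c in "}]":
                self.depth -= 1
                if self.depth < 0:
                    raise ValueError("unbalanced closing bracket")
                self.done = self.depth == 0
            elif self.depth == 0 and c not in " \t\r\n":
                raise ValueError("expected a JSON object or array")
        return len(data)

def split_messages(stream: bytes) -> list:
    """Feed a byte stream one byte at a time and collect every complete value."""
    values, parser, pos = [], JsonPushParser(), 0
    while pos < len(stream):
        pos += parser.feed(stream[pos:pos + 1])
        if parser.done:
            values.append(json.loads(bytes(parser.buf)))
            parser = JsonPushParser()
    return values
```
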
These initial bindings pass a few hundred of the corresponding tests
for C implementations of various bits of the Open vSwitch library API.
The poorest part of them is actually the Python IDL interface in
ovs.db.idl, which has not received enough attention yet. It appears
to work, but it doesn't yet support writes (transactions) and it is
difficult to use. I hope to improve it as it becomes clear what
semantics Python applications actually want from an IDL.

All streams and all vconns are "active", so there's no point in noting that
requirement in comments. (A long time ago, active and passive vconns were
conflated instead of having passive vconns broken out as pvconns. But
active and passive streams have always been distinct.)