mirror of https://github.com/openvswitch/ovs synced 2025-10-25 15:07:05 +00:00
Commit Graph

435 Commits

Author SHA1 Message Date
Pravin B Shelar
2b02d770c4 openvswitch: Allow external IPsec tunnel management.
OVS GRE IPsec tunnel support has multiple issues. Therefore
it was deprecated in OVS 2.6.

Following patch removes support for GRE IPsec and allows external
IPsec tunnel management for any type of tunnel not just GRE.
e.g. user can encrypt Geneve or VxLan traffic.

It can be done by using openflow pipeline to set skb-mark
and using IPsec keying daemons to implement IPsec tunnels.
This packet can be matched for the skb-mark to encrypt
selective tunnel traffic.

VMware-BZ: 1710701
Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Ansis Atteka <aatteka@ovn.org>
2016-09-27 11:06:09 -07:00
Pravin B Shelar
9e9d038491 openvswitch: deprecates support for IPsec tunnel port.
OVS IPsec tunnel support has issues:
1. It only works for GRE.
2. only works on Debian.
3. It does not allow user to match on packet-mark
   on packet received on tunnel ports.

This patch deprecates support for IPsec tunnel port.

Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Ansis Atteka <aatteka@ovn.org>
2016-09-24 10:52:00 -07:00
Justin Pettit
2a7c4805a7 Add OpenFlow command to flush conntrack table entries.
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-09-23 12:06:59 -07:00
Amitabha Biswas
1cd740088e ovs-monitor-ipsec: Fix Python style.
Found by flake8.

Fixes: 19cd0a8782 ("ipsec: Do not allow ipsec_gre tunnel traffic to exit unencrypted")
Signed-off-by: Amitabha Biswas <abiswas@us.ibm.com>
Acked-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-08-31 09:56:56 -07:00
Ansis Atteka
19cd0a8782 ipsec: Do not allow ipsec_gre tunnel traffic to exit unencrypted
If ipsec_gre tunnel configuration is changed in OVSDB,
then GRE packets may sometimes exit unencrypted until
per-tunnel IPsec policies are installed by ovs-monitor-ipsec
daemon.

This patch fixes this issue by installing single, low
priority IPsec block policy that drops all GRE packets
coming out from ipsec_gre tunnels that do not have yet
their own IPsec policies installed.

This patch depends on two other recently committed
patches:
1. 574ff4aa (tunneling: get skb marking to work
   properly with tunnels)
2. ca3574d5 (IPsec: refactor out some code in
   OVS_MONITOR_IPSEC_START macro)

Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Reported-by: Steffen Birkeland <Steffefb@stud.ntnu.no>
Acked-by: Jesse Gross <jesse@kernel.org>
2016-08-30 15:00:59 -07:00
Justin Pettit
92690eae8a Prepare for post-2.6.0 (2.6.90).
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-08-06 20:54:44 -07:00
Justin Pettit
4c71448618 Prepare for 2.6.0.
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-08-06 20:54:41 -07:00
Ryan Moats
f4a4ce58c0 ovn: Add ovn-controller-vtep debian package
Having a separate debian package for deploying
the ovn-controller-vtep binary enables the ability
to assign specific nodes the role of communicating
with VTEP enabled TORs.

Change-Id: Ia36aea7d89bd011a57918820b2a9f6e3469b3e04
Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-07-28 12:56:32 -07:00
Daniele Di Proietto
a489b16854 conntrack: New userspace connection tracker.
This commit adds the conntrack module.

It is a connection tracker that resides entirely in userspace.  Its
primary user will be the dpif-netdev datapath.

The module main goal is to provide conntrack_execute(), which offers a
convenient interface to implement the datapath ct() action.

The conntrack module uses two submodules to deal with the l4 protocol
details (conntrack-other for UDP and ICMP, conntrack-tcp for TCP).

The conntrack-tcp submodule implementation is adapted from FreeBSD's pf
subsystem, therefore it's BSD licensed.  It has been slightly altered to
match the OVS coding style and to allow the pickup of already
established connections.

Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Acked-by: Antonio Fischetti <antonio.fischetti@intel.com>
Acked-by: Joe Stringer <joe@ovn.org>
2016-07-27 17:58:44 -07:00
Joe Stringer
487a39df5d debian: Add six dependency to python-openvswitch.
python-openvswitch uses the python "six" library, add a dependency for
this to the debian package.

VMware-BZ: #1700259
Reported-by: Devang Doshi <ddoshi@vmware.com>
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-27 16:26:29 -07:00
Joe Stringer
b52388e6c4 debian: Fix OVS upgrade dependencies.
Commit 0dcc739e7a ("debian: Move ovs-lib to openvswitch-common.")
shifted a file between debian packages, but didn't update the
destination package annotations to indicate that it replaces a file
from earlier versions of the source package.

As a result, if one installs openvswitch-switch-2.5* (or earlier) and
then tries to upgrade to openvswitch-{switch,common}-2.5.90+, the
install of openvswitch-common will fail like the following:

dpkg: error processing archive
/tmp/openvswitch-common_2.5.90-1_amd64.deb (--install):
trying to overwrite '/usr/share/openvswitch/scripts/ovs-lib', which is
also in package openvswitch-switch 2.5.0-1

Fix the issue by adding "Replaces" and "Breaks" tags to the new
openvswitch-common section of debian/control.

Fixes: 0dcc739e7a ("debian: Move ovs-lib to openvswitch-common.")
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Daniele Di Proietto <diproiettod@vmware.com>
2016-07-21 13:12:45 -07:00
Joe Stringer
06c58061d4 packaging: Remove PyQt4 dependency.
This doesn't seem to have been necessary since ovsdbmonitor was removed
in commit 7868fbc6c9 ("ovsdbmonitor: Remove."). Drop the dependency.

Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-15 13:52:14 -07:00
Aaron Rosen
59ae5a6e4e gitignore: Update for Debian build artifacts.
After running: `fakeroot debian/rules binary`.

These files are left uncommitted to the source tree and should be ignored.

Signed-off-by: Aaron Rosen <aaronorosen@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-07-02 10:20:12 -07:00
Aaron Conole
3239f7a0b0 debian: Add the tcpdump utility to the debian package
Add ovs-tcpdump to the debian build.

Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2016-06-23 15:04:29 -07:00
Edwin Chiu
4886d4d249 debian, rhel: Ship ovs shared libraries and header files
Compile and package ovs shared libraries and create new header
package for debian (openvswitch-dev) and rhel (openvswitch-devel).

VMware-BZ: #1556299
Signed-off-by: Edwin Chiu <echiu@vmware.com>
Co-authored-by: Harold Lim <haroldl@vmware.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-06-07 08:22:33 -07:00
Simon Horman
455f38e009 debian: Fix treatment of upstream version that contains hyphens.
The Debian Policy Manual
(https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version)
says that the upstream_version may contain only alphanumerics and the
characters . + - : ~ (full stop, plus, hyphen, colon, tilde) and should
start with a digit.

Currently, the upstream_version is defined in the debian/rules file:

DEB_UPSTREAM_VERSION=$(shell dpkg-parsechangelog | sed -rne 's,^Version: ([0-9]:)*([^-]+).*,\2,p')

The version number is taken from the dpkg-parsechangelog printout then the
first part of the version number which does not contain hyphen is filtered
out with sed. However the Debian Policy Manual says that hyphen is allowed
in the upstream_version.

This is not a problem with current vanilla OVS debian version. But, if a
postfix string including a hyphen is added to the upstream_version then
installation of datapath-dkms package will fail.

Reported-by: Zoltán Balogh <zoltan.balogh@ericsson.com>
Tested-by: Zoltán Balogh <zoltan.balogh@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-04-22 11:32:07 -07:00
Sairam Venugopal
792d377d83 datapath-windows: Add Connection Tracking Support
Enable support for Stateful Firewall in Hyper-V by adding a Connection
Tracking module. The module has been ported over from the userspace
implementation patch of a similar name.

The current version of the module supports ct - zone, mark and label for
TCP packets. Support for other packet formats will be added in subsequent
patches.

The conntrack-tcp module is adapted from FreeBSD's pf subsystem and hence
the BSD license. It has been ported over to match OVS Hyper-V coding
style.

Signed-off-by: Sairam Venugopal <vsairam@vmware.com>
Signed-off-by: Daniele Di Proietto <diproiettod@vmware.com>
Co-Authored-by: Daniele Di Proietto <diproiettod@vmware.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-04-14 10:11:46 -07:00
Russell Bryant
d87e05ff94 debian: Ship ovn-[ns]b man pages in ovn-common.
Move ovn-nb and ovn-sb man pages to ovn-common so that the man pages for
these DB schemas are always available with the corresponding command
line utilities, ovn-nbctl and ovn-sbctl.

Signed-off-by: Russell Bryant <russell@ovn.org>
Tested-by: Simon Horman <simon.horman@netronome.com>
Acked-by: Gurucharan Shetty <guru@ovn.org>
2016-03-29 08:42:36 -07:00
RYAN D. MOATS
60bdd01148 Separating OVN NB and SB database processes
OVN NB & SB DB's should be run in separate ovsdb-server processes
and should run with ovn-ctl start_northd / stop_northd.  This patch
includes changes to unit tests, tutorial and debian scripts to remain
self-consistent.

Signed-off-by: RYAN D. MOATS <rmoats@us.ibm.com>
Signed-off-by: Michael Arnaldi <arnaldimichael@gmail.com>
Co-authored-by: Michael Arnaldi <arnaldimichael@gmail.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
2016-03-23 20:07:43 -04:00
Ben Pfaff
87530bc1c1 ovs-ctl: Remove code for upgrading from Open vSwitch 1.6 and earlier.
OVS 1.7 was released in July 2012, so by the time current OVS is released,
it will be almost four years old.  I think that this is long enough to
remove special upgrade code.

It's almost impossible to do this upgrade in any case since there is
no overlap in the base kernel versions supported by the out of tree
modules in the two versions (the only possibility is running the new
version of OVS on the upstream module from Linux 3.3).

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Jesse Gross <jesse@kernel.org>
2016-03-16 20:11:24 -07:00
Ben Pfaff
0d3f215202 tests: Add ability to automatically rerun failed tests.
A lot of packaging was doing this already, so this simplifies their
implementation.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Andy Zhou <azhou@ovn.org>
2016-02-24 15:46:09 -08:00
Ben Pfaff
e752914179 ovs-benchmark: Remove.
This utility was completely broken and no one noticed for the time of a
full release, so I think that's a safe sign that we should remove it.

Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Jarno Rajahalme <jarno@ovn.org>
2016-02-05 16:49:29 -08:00
Russell Bryant
03756304cf python: Remove old style classes.
Python 3 removed support for "old-style classes".  Classes should always
inherit from object to get consistent behavior between Python 2 and 3.

Enable a flake8 warning to help prevent regressions in the future.

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-22 08:25:27 -05:00
Russell Bryant
cb96c1b27e python: Convert dict iterators.
In Python 2, dict.items(), dict.keys(), and dict.values() returned a
list.  dict.iteritems(), dict.iterkeys(), and dict.itervalues() returned
an iterator.

As of Python 3, dict.iteritems(), dict.itervalues(), and dict.iterkeys()
are gone.  items(), keys(), and values() now return an iterator.

In the case where we want an iterator, we now use the six.iter*()
helpers.  If we want a list, we explicitly create a list from the
iterator.

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-21 23:00:11 -05:00
Russell Bryant
56ec061192 python: Fix octal compatibility.
Octal constants must be written as 0o077 instead of 0077 to be
compatible with both Python 2 and 3.

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-20 16:45:06 -05:00
Russell Bryant
b3ac29477d python: Stop using xrange().
Python 2 had range() and xrange().  xrange() is more efficient, but
behaves differently so range() was retained for compatibility.  Python 3
only has range() and it behaves like Python 2's xrange().

Remove explicit use of xrange() and use six.moves.range() to
make sure we're using xrange() from Python 2 or range() from Python 3.

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-20 16:43:54 -05:00
Russell Bryant
73eb682edb python: Fix xmlrpclib imports.
Fix imports of xmlrpclib to be compatible with Python 3.  Python 2 had
xmlrpclib (client) and SimpleXMLRPCServer (server).  In Python 3, these
have been renamed to xmlrpc.client and xmlrpc.server.

The solution implemented here is to use the six library.  It may seem
excessive for this particular issue, but the six library provides
helpers for Python 2 and 3 compatibility for many different issues.
This is just the first of many uses of the six library.

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-20 16:43:15 -05:00
Russell Bryant
f3068bff92 python: Fix exception handler compatibility.
Python 3 dropped exception handlers of the deprecated form:

  except Exception, e:

You must use the newer syntax of:

  except Exception as e:

This patch also enables a flake8 warning for this.

  H231 Python 3.x incompatible 'except x,y:' construct

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-12 11:47:33 -05:00
Russell Bryant
3c057118d1 python: Resolve pep8 comparison errors.
Resolve pep8 errors:

  E711 comparison to None should be 'if cond is None:'

The reason comparing against None with "is None" is preferred over
"== None" is because a class can define its own equality operator and
produce bizarre unexpected behavior.  Using "is None" has a very
explicit meaning that can not be overridden.

  E721 do not compare types, use 'isinstance()'

This one is actually a mistake by the tool in most cases.
'from ovs.db import types' looks just like types from the Python stdlib.
In those cases, use the full ovs.db.types name.  Fix one case where it
actually was types from the stdlib.

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-05 18:13:47 -05:00
Russell Bryant
5697ca9901 python: Remove unused imports and variables.
This resolves the following flake8 error types:

  F841 local variable 'e' is assigned to but never used
  F401 'exceptions' imported but unused

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-05 18:13:47 -05:00
Russell Bryant
115d8719db python: Run flake8 at build time.
If flake8 is installed, run it at build time.  Similar to most Makefile
targets, run it once and then only run again if the files change.

flake8 is set to ignore all error and warning types that currently occur.
Future patches will remove items from the ignore list as they are
resolved.

Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-05 18:13:46 -05:00
Gurucharan Shetty
26c430615c openvswitch-switch.init: Redirect error to /dev/null.
The latest Open vSwitch kernel module from Upstream linux does not
list "version". During debian package installation, we would see
a non-harmful error in the log. This patch suppresses it.

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-05 11:38:10 -08:00
Gurucharan Shetty
0dcc739e7a debian: Move ovs-lib to openvswitch-common.
ovs-lib is used by both ovs-ctl and ovn-ctl. So it
is useful to move it to openvswitch-common

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-05 09:53:40 -08:00
Gurucharan Shetty
fbf2450e74 debian: Add a package for OVN docker drivers.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-05 09:01:07 -08:00
Gurucharan Shetty
86d9ab0413 debian: Add a package for OVN central components.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-05 09:00:48 -08:00
Gurucharan Shetty
5629723d84 debian: Add a package for host components.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-05 08:59:59 -08:00
Gurucharan Shetty
5f00df7d6e debian: Add a package for OVN common components.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2016-01-05 08:58:18 -08:00
Ansis Atteka
039abf8df3 debian: Remove old PKI directory migration code
Open vSwitch 1.3 and older was creating certificates and private
key in /usr/share/openvswitch/pki.  However, since PKI directory
is mutable, then this was considered a bug and PKI directory was
moved to /var directory in Open vSwitch 1.4 Commit 14bd2d51 (debian:
Move PKI directory to FHS-compliant location.)

Note, that Ubuntu 12.04 already was shipping with Open vSwitch 1.4
and should have created (in case of fresh install) or moved (in
case of upgrade from Open vSwitch 1.3) this directory to the right
location.

So I am inclined to remove this code because the only reason for it
to exist would be, if someone would be upgrading from Open vSwitch
1.3 or older version directly to 2.5 without using any intermediary
upgrade releases.

Signed-Off-By: Ansis Atteka <aatteka@nicira.com>
Acked-by: Ben Pfaff <blp@ovn.org>
2015-12-23 13:17:52 -08:00
Ben Pfaff
c61f4bc1e4 NEWS: Improve organization.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
2015-12-07 16:49:58 -08:00
Justin Pettit
ca32170a71 Prepare for post-2.5.0 (2.5.90).
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
2015-12-03 23:35:35 -08:00
Justin Pettit
283a1accba Prepare for 2.5.0.
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
2015-12-03 23:35:32 -08:00
Gurucharan Shetty
873d85653d debian: Skip systemctl redirect.
After some experimentation on Ubuntu15.04, I see the
following behavior.

1. If you install openvswitch-switch with 'apt-get install',
then you automatically get a upstart and systemd config files
for openvswitch. The integration with 'interfaces' fails
because both the upstart and systemd jobs do not have logic
to handle it.

The above behavior will likely get fixed soon in upstream
Ubuntu.

2. If you install openvswitch-switch via the packages
created from the openvswitch repo, there is no systemd or
upstart conf files installed. But systemd notices this
and creates a runtime openvswitch conf file which does
nothing but call back the sysv startup script.

In the above case when you call
"/etc/init.d/openvswitch-switch start", it in turn calls
"/bin/systemctl start openvswitch-switch.service" and
that in turn again calls "/etc/init.d/openvswitch-switch start".
But the above for some reason simply hangs. It looks like a call
to ifup when invoked in this manner does not return.
I am not sure why this is happening.

We can avoid the above behavior completely by skipping the
systemctl redirect as done in this commit. This should fix
both 1. and 2. above.

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
2015-12-02 10:00:46 -08:00
YAMAMOTO Takashi
f6783a7a3b use "/usr/bin/env python" for shebangs for python scripts
On NetBSD, a typical path of python interpreter is /usr/pkg/bin/python.

Signed-off-by: YAMAMOTO Takashi <yamamoto@midokura.com>
Acked-by: Ben Pfaff <blp@ovn.org>
2015-11-26 18:37:19 +09:00
Saurabh Mohan
6741ca0d5c debian: place kernel module to satisfy depmod search.
On Ubuntu depmod's search priority is configured in /etc/depmod to be
updates and then the kernel built-in directory.
$ cat /etc/depmod.d/ubuntu.conf
search updates ubuntu built-in

Thus change the placement of openvswitch.ko under updates/ not kernel/updates.

Acked-by: Ansis Atteka <aatteka@nicira.com>
Signed-off-by: Saurabh Mohan <saurabh@cplanenetworks.com>
2015-11-02 20:54:18 -08:00
Justin Pettit
2fac5fedc7 Set release dates for 2.4.0.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-08-24 15:33:58 -07:00
Pravin B Shelar
99e7b07740 tunneling: Remove gre64 tunnel support.
GRE64 was introduced to extend gre key from 32-bit to 64-bit using
gre-key and sequence number field. But GRE64 is not standard
protocol. There are not many users of this protocol. Therefore we
have decided to remove it.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
2015-08-20 13:01:58 -07:00
James Page
3d8dededea debian: Rationalize packaging using new debhelper.
Newer debhelper versions support overrides, making rules files simpler and
easier to extend.

Requires some changes in how files are installed (_debian build folder
dropped).

Signed-off-by: James Page <james.page@ubuntu.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-07-13 08:55:11 -07:00
James Page
c4270b1377 debian: wrap-and-sort
Wrap long lines and sort items in the Debian packaging files.

Signed-off-by: James Page <james.page@ubuntu.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-07-08 08:07:09 -07:00
Ben Pfaff
e23812fc60 Increase prerequisite from Python 2.4 to Python 2.7.
This means that users of XenServer 6.5 and earlier will need to install
Python 2.7.

Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-06-23 11:08:52 -07:00
Justin Pettit
c4c7e593f5 Prepare for post-2.4.0 (2.4.90).
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
2015-06-18 12:12:07 -07:00