mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-31 14:25:26 +00:00
Code Issues Releases Wiki Activity

DNS: Add basic support for asynchronous DNS resolving

Browse Source 
This patch is a simple implementation for the proposal discussed in
https://mail.openvswitch.org/pipermail/ovs-dev/2017-August/337038.html and
https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/340013.html.

It enables ovs-vswitchd and other utilities to use DNS names when specifying
OpenFlow and OVSDB remotes.

Below are some of the features and limitations of this patch:
    - Resolving is asynchornous in daemon context, avoiding blocking main loop;
    - Resolving is synchronous in general utility context;
    - Both IPv4 and IPv6 are supported;
    - The resolving API is thread-safe;
    - Depends on the unbound library;
    - When multiple ip addresses are returned, only the first one is used;
    - /etc/nsswitch.conf isn't respected as unbound library doesn't look at it;
    - For async-resolving, caller need to retry later; there is no callback.

Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This commit is contained in:
Yifeng Sun
2018-06-26 14:06:21 -07:00
committed by Ben Pfaff
parent def5b366a3
commit 771680d96f
25 changed files with 604 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@@ -19,6 +19,8 @@ addons:
- python-sphinx
- libelf-dev
- selinux-policy-dev
- libunbound-dev
- libunbound-dev:i386
before_install: ./.travis/${TRAVIS_OS_NAME}-prepare.sh

4
Documentation/intro/install/general.rst
View File

@@ -93,6 +93,10 @@ need the following software:
- Python 2.7. You must also have the Python ``six`` library version 1.4.0
or later.
- Unbound library, from http://www.unbound.net, is optional but recommended if
you want to enable ovs-vswitchd and other utilities to use DNS names when
specifying OpenFlow and OVSDB remotes. If unbound library is already
installed, then Open vSwitch will automatically build with support for it.
On Linux, you may choose to compile the kernel module that comes with the Open
vSwitch distribution or to use the kernel module built into the Linux kernel

14
Documentation/ref/ovsdb.7.rst
View File

@@ -379,11 +379,11 @@ the opposite arrangement as well.
OVSDB supports the following active connection methods:
ssl:<ip>:<port>
The specified SSL or TLS <port> on the host at the given <ip>.
ssl:<host>:<port>
The specified SSL or TLS <port> on the given <host>.
tcp:<ip>:<port>
The specified TCP <port> on the host at the given <ip>.
tcp:<host>:<port>
The specified TCP <port> on the given <host>.
unix:<file>
On Unix-like systems, connect to the Unix domain server socket named
@@ -427,9 +427,9 @@ All IP-based connection methods accept IPv4 and IPv6 addresses. To specify an
IPv6 address, wrap it in square brackets, e.g. ``ssl:[::1]:6640``. Passive
IP-based connection methods by default listen for IPv4 connections only; use
``[::]`` as the address to accept both IPv4 and IPv6 connections,
e.g. ``pssl:6640:[::]``. DNS names are not accepted. On Linux, use
``%<device>`` to designate a scope for IPv6 link-level addresses,
e.g. ``ssl:[fe80::1234%eth0]:6653``.
e.g. ``pssl:6640:[::]``. DNS names are also accepted if built with unbound
library. On Linux, use ``%<device>`` to designate a scope for IPv6 link-level
addresses, e.g. ``ssl:[fe80::1234%eth0]:6653``.
The <port> may be omitted from connection methods that use a port number. The
default <port> for TCP-based connection methods is 6640, e.g. ``pssl:`` is

2
NEWS
View File

@@ -1,5 +1,7 @@
Post-v2.9.0
--------------------
- ovs-vswitchd and utilities now support DNS names in OpenFlow and
OVSDB remotes.
- ovs-vswitchd:
* New options --l7 and --l7-len to "ofproto/trace" command.
* Previous versions gave OpenFlow tables default names of the form

1
configure.ac
View File

@@ -135,6 +135,7 @@ OVS_CHECK_LINUX_HOST
OVS_LIBTOOL_VERSIONS
OVS_CHECK_CXX
AX_FUNC_POSIX_MEMALIGN
OVS_CHECK_UNBOUND
OVS_CHECK_INCLUDE_NEXT([stdio.h string.h])
AC_CONFIG_FILES([

4
debian/control vendored
View File

@@ -16,7 +16,8 @@ Build-Depends: graphviz,
python-all (>= 2.7),
python-twisted-conch,
python-zopeinterface,
python-six
python-six,
libunbound-dev
Standards-Version: 3.9.3
Homepage: http://openvswitch.org/
@@ -307,6 +308,7 @@ Multi-Arch: same
Depends:
libopenvswitch (>= ${binary:Version}),
libssl-dev,
libunbound-dev,
${misc:Depends}
Conflicts: openvswitch-dev
Replaces: openvswitch-dev

7
lib/automake.mk
View File

@@ -465,6 +465,13 @@ else
lib_libopenvswitch_la_SOURCES += lib/stream-nossl.c
endif
lib_libopenvswitch_la_SOURCES += lib/dns-resolve.h
if HAVE_UNBOUND
lib_libopenvswitch_la_SOURCES += lib/dns-resolve.c
else
lib_libopenvswitch_la_SOURCES += lib/dns-resolve-stub.c
endif
pkgconfig_DATA += \
lib/libopenvswitch.pc \
lib/libsflow.pc

36
lib/dns-resolve-stub.c Normal file
View File

@@ -0,0 +1,36 @@
/*
* Copyright (c) 2017, 2018 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <config.h>
#include "dns-resolve.h"
#include "compiler.h"
void
dns_resolve_init(void)
{
}
bool
dns_resolve(const char *name OVS_UNUSED, char **addr)
{
*addr = NULL;
return false;
}
void
dns_resolve_destroy(void)
{
}

310
lib/dns-resolve.c Normal file
View File

@@ -0,0 +1,310 @@
/*
* Copyright (c) 2017, 2018 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <config.h>
#include "dns-resolve.h"
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <errno.h>
#include <string.h>
#include <unbound.h>
#include "hash.h"
#include "openvswitch/hmap.h"
#include "openvswitch/vlog.h"
#include "timeval.h"
VLOG_DEFINE_THIS_MODULE(dns_resolve);
/* Guard all_reqs__ and resolve_state of each request. */
static struct ovs_mutex dns_mutex__ = OVS_MUTEX_INITIALIZER;
static struct hmap all_reqs__;
static struct ub_ctx *ub_ctx__;
static bool thread_is_daemon;
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
enum resolve_state {
RESOLVE_INVALID,
RESOLVE_PENDING,
RESOLVE_GOOD,
RESOLVE_ERROR
};
struct resolve_request {
struct hmap_node hmap_node; /* node for all_reqs__ */
char *name; /* the domain name to be resolved */
char *addr; /* the resolved ip address */
enum resolve_state state; /* state of this request */
time_t time; /* resolving time */
struct ub_result *ub_result; /* the stored unbound result */
};
static struct resolve_request *resolve_find_or_new__(const char *name)
OVS_REQUIRES(dns_mutex__);
static bool resolve_check_expire__(struct resolve_request *req)
OVS_REQUIRES(dns_mutex__);
static bool resolve_check_valid__(struct resolve_request *req)
OVS_REQUIRES(dns_mutex__);
static bool resolve_async__(struct resolve_request *req, int qtype)
OVS_REQUIRES(dns_mutex__);
static void resolve_callback__(void *req, int err, struct ub_result *)
OVS_REQUIRES(dns_mutex__);
static bool resolve_result_to_addr__(struct ub_result *result, char **addr);
static bool dns_resolve_sync__(const char *name, char **addr);
/* Pass a true 'is_daemon' if you don't want the DNS-resolving to block the
* running thread.
*/
void
dns_resolve_init(bool is_daemon)
{
ub_ctx__ = ub_ctx_create();
if (ub_ctx__ == NULL) {
VLOG_ERR_RL(&rl, "Failed to create libunbound context, "
"so asynchronous DNS resolving is disabled.");
return;
}
int retval;
#ifdef __linux__
retval = ub_ctx_resolvconf(ub_ctx__, "/etc/resolv.conf");
if (retval != 0) {
VLOG_WARN_RL(&rl, "Failed to read /etc/resolv.conf: %s",
ub_strerror(retval));
}
#endif
/* Handles '/etc/hosts' on Linux and 'WINDIR/etc/hosts' on Windows. */
retval = ub_ctx_hosts(ub_ctx__, NULL);
if (retval != 0) {
VLOG_WARN_RL(&rl, "Failed to read etc/hosts: %s",
ub_strerror(retval));
}
ub_ctx_async(ub_ctx__, true);
hmap_init(&all_reqs__);
thread_is_daemon = is_daemon;
}
/* Returns true on success. Otherwise, returns false and the error information
* can be found in logs. If there is no error information, then the resolving
* is in process and the caller should call again later. The value of '*addr'
* is always nullified if false is returned. If this function is called under
* daemon-context, the resolving will undergo asynchronously. Otherwise, a
* synchronouse resolving will take place.
*
* This function is thread-safe.
*
* The caller is responsible for freeing the returned '*addr'.
*/
bool
dns_resolve(const char *name, char **addr)
OVS_EXCLUDED(dns_mutex__)
{
bool success = false;
if (!thread_is_daemon) {
return dns_resolve_sync__(name, addr);
}
*addr = NULL;
ovs_mutex_lock(&dns_mutex__);
if (ub_ctx__ == NULL) {
goto unlock;
}
/* ub_process is inside lock as it invokes resolve_callback__. */
int retval = ub_process(ub_ctx__);
if (retval != 0) {
VLOG_ERR_RL(&rl, "dns-resolve error: %s", ub_strerror(retval));
goto unlock;
}
struct resolve_request *req;
req = resolve_find_or_new__(name);
if (resolve_check_valid__(req)) {
*addr = xstrdup(req->addr);
success = true;
} else if (req->state != RESOLVE_PENDING) {
success = resolve_async__(req, ns_t_a);
}
unlock:
ovs_mutex_unlock(&dns_mutex__);
return success;
}
void
dns_resolve_destroy(void)
{
if (ub_ctx__ != NULL) {
/* Outstanding requests will be killed. */
ub_ctx_delete(ub_ctx__);
ub_ctx__ = NULL;
struct resolve_request *req;
HMAP_FOR_EACH(req, hmap_node, &all_reqs__) {
ub_resolve_free(req->ub_result);
free(req->addr);
free(req->name);
free(req);
}
hmap_destroy(&all_reqs__);
}
}
static struct resolve_request *
resolve_find_or_new__(const char *name)
OVS_REQUIRES(dns_mutex__)
{
struct resolve_request *req;
HMAP_FOR_EACH_IN_BUCKET(req, hmap_node, hash_string(name, 0),
&all_reqs__) {
if (!strcmp(name, req->name)) {
return req;
}
}
req = xzalloc(sizeof *req);
req->name = xstrdup(name);
req->state = RESOLVE_INVALID;
hmap_insert(&all_reqs__, &req->hmap_node, hash_string(req->name, 0));
return req;
}
static bool
resolve_check_expire__(struct resolve_request *req)
OVS_REQUIRES(dns_mutex__)
{
return time_now() > req->time + req->ub_result->ttl;
}
static bool
resolve_check_valid__(struct resolve_request *req)
OVS_REQUIRES(dns_mutex__)
{
return (req != NULL
&& req->state == RESOLVE_GOOD
&& !resolve_check_expire__(req));
}
static bool
resolve_async__(struct resolve_request *req, int qtype)
OVS_REQUIRES(dns_mutex__)
{
if (qtype == ns_t_a || qtype == ns_t_aaaa) {
int retval;
retval = ub_resolve_async(ub_ctx__, req->name,
qtype, ns_c_in, req,
resolve_callback__, NULL);
if (retval != 0) {
req->state = RESOLVE_ERROR;
return false;
} else {
req->state = RESOLVE_PENDING;
return true;
}
}
return false;
}
static void
resolve_callback__(void *req_, int err, struct ub_result *result)
OVS_REQUIRES(dns_mutex__)
{
struct resolve_request *req = req_;
if (err != 0 || (result->qtype == ns_t_aaaa && !result->havedata)) {
req->state = RESOLVE_ERROR;
VLOG_ERR_RL(&rl, "%s: failed to resolve", req->name);
return;
}
/* IPv4 address is empty, try IPv6. */
if (result->qtype == ns_t_a && !result->havedata) {
ub_resolve_free(result);
resolve_async__(req, ns_t_aaaa);
return;
}
char *addr;
if (!resolve_result_to_addr__(result, &addr)) {
req->state = RESOLVE_ERROR;
VLOG_ERR_RL(&rl, "%s: failed to resolve", req->name);
return;
}
ub_resolve_free(req->ub_result);
free(req->addr);
req->ub_result = result;
req->addr = addr;
req->state = RESOLVE_GOOD;
req->time = time_now();
}
static bool
resolve_result_to_addr__(struct ub_result *result, char **addr)
{
int af = result->qtype == ns_t_a ? AF_INET : AF_INET6;
char buffer[INET6_ADDRSTRLEN];
/* XXX: only the first returned IP is used. */
if (inet_ntop(af, result->data[0], buffer, sizeof buffer)) {
*addr = xstrdup(buffer);
} else {
*addr = NULL;
}
return (*addr != NULL);
}
static bool
dns_resolve_sync__(const char *name, char **addr)
{
*addr = NULL;
if (ub_ctx__ == NULL) {
dns_resolve_init(false);
if (ub_ctx__ == NULL) {
return false;
}
}
struct ub_result *result;
int retval = ub_resolve(ub_ctx__, name, ns_t_a, ns_c_in, &result);
if (retval != 0) {
return false;
} else if (!result->havedata) {
ub_resolve_free(result);
retval = ub_resolve(ub_ctx__, name, ns_t_aaaa, ns_c_in, &result);
if (retval != 0) {
return false;
} else if (!result->havedata) {
ub_resolve_free(result);
return false;
}
}
bool success = resolve_result_to_addr__(result, addr);
ub_resolve_free(result);
return success;
}

26
lib/dns-resolve.h Normal file
View File

@@ -0,0 +1,26 @@
/*
* Copyright (c) 2017, 2018 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef DNS_RESOLVE_H
#define DNS_RESOLVE_H 1
#include <stdbool.h>
void dns_resolve_init(bool is_daemon);
bool dns_resolve(const char *name, char **addr);
void dns_resolve_destroy(void);
#endif /* dns-resolve.h */

48
lib/socket-util.c
View File

@@ -48,6 +48,7 @@
#include "netlink-protocol.h"
#include "netlink-socket.h"
#endif
#include "dns-resolve.h"
VLOG_DEFINE_THIS_MODULE(socket_util);
@@ -56,6 +57,12 @@ static int getsockopt_int(int fd, int level, int option, const char *optname,
static struct sockaddr_in *sin_cast(const struct sockaddr *);
static struct sockaddr_in6 *sin6_cast(const struct sockaddr *);
static const struct sockaddr *sa_cast(const struct sockaddr_storage *);
static bool parse_sockaddr_components(struct sockaddr_storage *ss,
char *host_s,
const char *port_s,
uint16_t default_port,
const char *s,
bool resolve_host);
/* Sets 'fd' to non-blocking mode. Returns 0 if successful, otherwise a
* positive errno value. */
@@ -419,11 +426,31 @@ inet_parse_port_host_tokens(char *s, char **portp, char **hostp)
inet_parse_tokens__(s, 1, hostp, portp);
}
static bool
parse_sockaddr_components_dns(struct sockaddr_storage *ss OVS_UNUSED,
char *host_s,
const char *port_s OVS_UNUSED,
uint16_t default_port OVS_UNUSED,
const char *s OVS_UNUSED)
{
char *tmp_host_s;
dns_resolve(host_s, &tmp_host_s);
if (tmp_host_s != NULL) {
parse_sockaddr_components(ss, tmp_host_s, port_s,
default_port, s, false);
free(tmp_host_s);
return true;
}
return false;
}
static bool
parse_sockaddr_components(struct sockaddr_storage *ss,
char *host_s,
const char *port_s, uint16_t default_port,
const char *s)
const char *s,
bool resolve_host)
{
struct sockaddr_in *sin = sin_cast(sa_cast(ss));
int port;
@@ -445,7 +472,6 @@ parse_sockaddr_components(struct sockaddr_storage *ss,
sin6->sin6_family = AF_INET6;
sin6->sin6_port = htons(port);
if (!addr || !*addr || !ipv6_parse(addr, &sin6->sin6_addr)) {
VLOG_ERR("%s: bad IPv6 address \"%s\"", s, addr ? addr : "");
goto exit;
}
@@ -468,13 +494,19 @@ parse_sockaddr_components(struct sockaddr_storage *ss,
sin->sin_family = AF_INET;
sin->sin_port = htons(port);
if (host_s && !ip_parse(host_s, &sin->sin_addr.s_addr)) {
VLOG_ERR("%s: bad IPv4 address \"%s\"", s, host_s);
goto exit;
goto resolve;
}
}
return true;
resolve:
if (resolve_host && parse_sockaddr_components_dns(ss, host_s, port_s,
default_port, s)) {
return true;
} else if (!resolve_host) {
VLOG_ERR("%s: bad IP address \"%s\"", s, host_s);
}
exit:
memset(ss, 0, sizeof *ss);
return false;
@@ -505,7 +537,8 @@ inet_parse_active(const char *target_, int default_port,
VLOG_ERR("%s: port must be specified", target_);
ok = false;
} else {
ok = parse_sockaddr_components(ss, host, port, default_port, target_);
ok = parse_sockaddr_components(ss, host, port, default_port,
target_, true);
}
if (!ok) {
memset(ss, 0, sizeof *ss);
@@ -625,7 +658,8 @@ inet_parse_passive(const char *target_, int default_port,
VLOG_ERR("%s: port must be specified", target_);
ok = false;
} else {
ok = parse_sockaddr_components(ss, host, port, default_port, target_);
ok = parse_sockaddr_components(ss, host, port, default_port,
target_, true);
}
if (!ok) {
memset(ss, 0, sizeof *ss);
@@ -747,7 +781,7 @@ inet_parse_address(const char *target_, struct sockaddr_storage *ss)
{
char *target = xstrdup(target_);
char *host = unbracket(target);
bool ok = parse_sockaddr_components(ss, host, NULL, 0, target_);
bool ok = parse_sockaddr_components(ss, host, NULL, 0, target_, false);
if (!ok) {
memset(ss, 0, sizeof *ss);
}

8
lib/stream.c
View File

@@ -126,11 +126,11 @@ stream_usage(const char *name, bool active, bool passive,
printf("\n");
if (active) {
printf("Active %s connection methods:\n", name);
printf(" tcp:IP:PORT "
"PORT at remote IP\n");
printf(" tcp:HOST:PORT "
"PORT at remote HOST\n");
#ifdef HAVE_OPENSSL
printf(" ssl:IP:PORT "
"SSL PORT at remote IP\n");
printf(" ssl:HOST:PORT "
"SSL PORT at remote HOST\n");
#endif
printf(" unix:FILE "
"Unix domain socket named FILE\n");

14
lib/vconn-active.man
View File

@@ -1,10 +1,10 @@
.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]"
.IQ "\fBtcp:\fIip\fR[\fB:\fIport\fR]"
The specified \fIport\fR on the host at the given \fIip\fR, which must
be expressed as an IP address (not a DNS name) in IPv4 or IPv6 address
format. Wrap IPv6 addresses in square brackets,
e.g. \fBtcp:[::1]:6653\fR. On Linux, use \fB%\fIdevice\fR to
designate a scope for IPv6 link-level addresses,
.IP "\fBssl:\fIhost\fR[\fB:\fIport\fR]"
.IQ "\fBtcp:\fIhost\fR[\fB:\fIport\fR]"
The specified \fIport\fR on the given \fIhost\fR, which can
be expressed either as a DNS name (if built with unbound library)
or an IP address in IPv4 or IPv6 address format. Wrap IPv6 addresses
in square brackets, e.g. \fBtcp:[::1]:6653\fR. On Linux, use
\fB%\fIdevice\fR to designate a scope for IPv6 link-level addresses,
e.g. \fBtcp:[fe80::1234%eth0]:6653\fR. For \fBssl\fR, the
\fB\-\-private\-key\fR, \fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR
options are mandatory.

10
lib/vconn-passive.man
View File

@@ -1,12 +1,12 @@
.IP "\fBpssl:\fR[\fIport\fR][\fB:\fIip\fR]"
.IQ "\fBptcp:\fR[\fIport\fR][\fB:\fIip\fR]"
.IP "\fBpssl:\fR[\fIport\fR][\fB:\fIhost\fR]"
.IQ "\fBptcp:\fR[\fIport\fR][\fB:\fIhost\fR]"
Listens for OpenFlow connections on \fIport\fR. The default
\fIport\fR is 6653. By default, connections are allowed from any IPv4
address. Specify \fIip\fR as an IPv4 address or a bracketed IPv6
address. Specify \fIhost\fR as an IPv4 address or a bracketed IPv6
address (e.g. \fBptcp:6653:[::1]\fR). On Linux, use \fB%\fIdevice\fR
to designate a scope for IPv6 link-level addresses,
e.g. \fBptcp:6653:[fe80::1234%eth0]\fR. DNS names may
not be used. For \fBpssl\fR, the
e.g. \fBptcp:6653:[fe80::1234%eth0]\fR. DNS names can
be used if built with unbound library. For \fBpssl\fR, the
\fB\-\-private\-key\fR,\fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR
options are mandatory.
.IP

8
lib/vconn.c
View File

@@ -139,11 +139,11 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED)
printf("\n");
if (active) {
printf("Active OpenFlow connection methods:\n");
printf(" tcp:IP[:PORT] "
"PORT (default: %d) at remote IP\n", OFP_PORT);
printf(" tcp:HOST[:PORT] "
"PORT (default: %d) at remote HOST\n", OFP_PORT);
#ifdef HAVE_OPENSSL
printf(" ssl:IP[:PORT] "
"SSL PORT (default: %d) at remote IP\n", OFP_PORT);
printf(" ssl:HOST[:PORT] "
"SSL PORT (default: %d) at remote HOST\n", OFP_PORT);
#endif
printf(" unix:FILE Unix domain socket named FILE\n");
}

10
m4/openvswitch.m4
View File

@@ -669,3 +669,13 @@ AC_DEFUN([OVS_CHECK_CXX],
enable_cxx=false
fi
AM_CONDITIONAL([HAVE_CXX], [$enable_cxx])])
dnl Checks for unbound library.
AC_DEFUN([OVS_CHECK_UNBOUND],
[AC_CHECK_LIB(unbound, ub_ctx_create, [HAVE_UNBOUND=yes])
if test "$HAVE_UNBOUND" = yes; then
AC_DEFINE([HAVE_UNBOUND], [1], [Define to 1 if unbound is detected.])
LIBS="$LIBS -lunbound"
fi
AM_CONDITIONAL([HAVE_UNBOUND], [test "$HAVE_UNBOUND" = yes])
AC_SUBST([HAVE_UNBOUND])])

28
ovn/controller-vtep/ovn-controller-vtep.8.xml
View File

@@ -39,28 +39,28 @@
<ul>
<li>
<p>
<code>ssl:<var>ip</var>:<var>port</var></code>
<code>ssl:<var>host</var>:<var>port</var></code>
</p>
<p>
The specified SSL <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address (not a DNS
name) in IPv4 or IPv6 address format. If <var>ip</var> is an IPv6
address, then wrap <var>ip</var> with square brackets, e.g.:
<code>ssl:[::1]:6640</code>. The <code>--private-key</code>,
<code>--certificate</code> and either of <code>--ca-cert</code>
or <code>--bootstrap-ca-cert</code> options are mandatory when this
form is used.
The specified SSL <var>port</var> on the give <var>host</var>, which
can either be a DNS name (if built with unbound library) or an IP
address (IPv4 or IPv6). If <var>host</var> is an IPv6 address, then
wrap <var>host</var> with square brackets, e.g.: <code>ssl:[::1]:6640</code>.
The <code>--private-key</code>, <code>--certificate</code> and either
of <code>--ca-cert</code> or <code>--bootstrap-ca-cert</code> options
are mandatory when this form is used.
</p>
</li>
<li>
<p>
<code>tcp:<var>ip</var>:<var>port</var></code>
<code>tcp:<var>host</var>:<var>port</var></code>
</p>
<p>
Connect to the given TCP <var>port</var> on <var>ip</var>, where
<var>ip</var> can be IPv4 or IPv6 address. If <var>ip</var> is an
IPv6 address, then wrap <var>ip</var> with square brackets, e.g.:
<code>tcp:[::1]:6640</code>.
Connect to the given TCP <var>port</var> on <var>host</var>, where
<var>host</var> can be a DNS name (if built with unbound library) or
IP address (IPv4 or IPv6). If <var>host</var> is an IPv6 address,
then wrap <var>host</var> with square brackets,
e.g.: <code>tcp:[::1]:6640</code>.
</p>
</li>
<li>

47
ovn/ovn-nb.xml
View File

@@ -2062,14 +2062,14 @@
The following connection methods are currently supported:
</p>
<dl>
<dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified SSL <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address
(not a DNS name). A valid SSL configuration must be provided
when this form is used, this configuration can be specified
via command-line options or the <ref table="SSL"/> table.
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address. A valid SSL configuration must
be provided when this form is used, this configuration can be
specified via command-line options or the <ref table="SSL"/> table.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
@@ -2080,30 +2080,29 @@
</p>
</dd>
<dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified TCP <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address (not a
DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>tcp:[::1]:6640</code>.
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address. If <var>host</var> is an IPv6
address, wrap it in square brackets, e.g. <code>tcp:[::1]:6640</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>ip</var>, which must be
expressed as an IP address (not a DNS name), is specified, then
connections are restricted to the specified local IP address
(either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
address, wrap in square brackets,
e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address,
is specified, then connections are restricted to the resolved or
specified local IPaddress (either IPv4 or IPv6 address). If
<var>host</var> is an IPv6 address, wrap in square brackets,
e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses.
A valid SSL configuration must be provided when this form is used,
this can be specified either via command-line options or the
@@ -2117,17 +2116,17 @@
part of Open vSwitch.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>ip</var>, which must be
expressed as an IP address (not a DNS name), is specified, then
connections are restricted to the specified local IP address
(either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
address, wrap it in square brackets,
e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address,
is specified, then connections are restricted to the resolved or
specified local IP address (either IPv4 or IPv6 address). If
<var>host</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>ptcp:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 addresses.
</p>
<p>

51
ovn/ovn-sb.xml
View File

@@ -2840,14 +2840,14 @@ tcp.flags = RST;
The following connection methods are currently supported:
</p>
<dl>
<dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified SSL <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address
(not a DNS name). A valid SSL configuration must be provided
when this form is used, this configuration can be specified
via command-line options or the <ref table="SSL"/> table.
The specified SSL <var>port</var> on the given <var>host</var>,
which can either be a DNS name (if built with unbound library) or
an IP address. A valid SSL configuration must be provided when
this form is used, this configuration can be specified via
command-line options or the <ref table="SSL"/> table.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
@@ -2858,30 +2858,29 @@ tcp.flags = RST;
</p>
</dd>
<dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified TCP <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address (not a
DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>tcp:[::1]:6640</code>.
The specified TCP <var>port</var> on the given <var>host</var>,
which can either be a DNS name (if built with unbound library) or
an IP address (IPv4 or IPv6). If <var>host</var> is an IPv6
address, wrap it in square brackets, e.g. <code>tcp:[::1]:6640</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>ip</var>, which must be
expressed as an IP address (not a DNS name), is specified, then
connections are restricted to the specified local IP address
(either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
address, wrap in square brackets,
e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address,
is specified, then connections are restricted to the resolved or
specified local IP address (either IPv4 or IPv6 address). If
<var>host</var> is an IPv6 address, wrap in square brackets,
e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses.
A valid SSL configuration must be provided when this form is used,
this can be specified either via command-line options or the
@@ -2895,17 +2894,17 @@ tcp.flags = RST;
part of Open vSwitch.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>ip</var>, which must be
expressed as an IP address (not a DNS name), is specified, then
connections are restricted to the specified local IP address
(either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
address, wrap it in square brackets,
e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address,
is specified, then connections are restricted to the resolved or
specified local IP address (either IPv4 or IPv6 address). If
<var>host</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>ptcp:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 addresses.
</p>
<p>

4
python/ovs/stream.py
View File

@@ -702,8 +702,8 @@ def usage(name):
return """
Active %s connection methods:
unix:FILE Unix domain socket named FILE
tcp:IP:PORT TCP socket to IP with port no of PORT
ssl:IP:PORT SSL socket to IP with port no of PORT
tcp:HOST:PORT TCP socket to HOST with port no of PORT
ssl:HOST:PORT SSL socket to HOST with port no of PORT
Passive %s connection methods:
punix:FILE Listen on Unix domain socket FILE""" % (name, name)

3
rhel/openvswitch-fedora.spec.in
View File

@@ -87,8 +87,9 @@ BuildRequires: libpcap-devel numactl-devel
BuildRequires: dpdk-devel >= 17.05.1
Provides: %{name}-dpdk = %{version}-%{release}
%endif
BuildRequires: unbound unbound-devel
Requires: openssl hostname iproute module-init-tools
Requires: openssl hostname iproute module-init-tools unbound
#Upstream kernel commit 4f647e0a3c37b8d5086214128614a136064110c3
#Requires: kernel >= 3.15.0-0

1
rhel/openvswitch.spec.in
View File

@@ -38,6 +38,7 @@ BuildRequires: openssl-devel
BuildRequires: checkpolicy, selinux-policy-devel
BuildRequires: autoconf, automake, libtool
BuildRequires: python-sphinx
BuildRequires: unbound-devel
%bcond_without check
%bcond_with check_datapath_kernel

3
vswitchd/ovs-vswitchd.c
View File

@@ -51,6 +51,7 @@
#include "openvswitch/vconn.h"
#include "openvswitch/vlog.h"
#include "lib/vswitch-idl.h"
#include "lib/dns-resolve.h"
VLOG_DEFINE_THIS_MODULE(vswitchd);
@@ -81,6 +82,7 @@ main(int argc, char *argv[])
set_program_name(argv[0]);
ovsthread_id_init();
dns_resolve_init(true);
ovs_cmdl_proctitle_init(argc, argv);
service_start(&argc, &argv);
remote = parse_options(argc, argv, &unixctl_path);
@@ -141,6 +143,7 @@ main(int argc, char *argv[])
service_stop();
vlog_disable_async();
ovsrcu_exit();
dns_resolve_destroy();
return 0;
}

94
vswitchd/vswitch.xml
View File

@@ -4431,26 +4431,25 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
controllers:
</p>
<dl>
<dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>The specified SSL <var>port</var> on the host at the
given <var>ip</var>, which must be expressed as an IP
address (not a DNS name). The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/>
table must point to a valid SSL configuration when this form
is used.</p>
given <var>host</var>, which can either be a DNS name (if built
with unbound library) or an IP address. The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/> table must
point to a valid SSL configuration when this form is used.</p>
<p>If <var>port</var> is not specified, it defaults to 6653.</p>
<p>SSL support is an optional feature that is not always built as
part of Open vSwitch.</p>
</dd>
<dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified TCP <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address (not a
DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>tcp:[::1]:6653</code>.
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address (IPv4 or IPv6). If <var>host</var>
is an IPv6 address, wrap it in square brackets, e.g.
<code>tcp:[::1]:6653</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6653.
@@ -4462,19 +4461,19 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
controllers:
</p>
<dl>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
If <var>ip</var>, which must be expressed as an IP address (not a
DNS name), is specified, then connections are restricted to the
specified local IP address (either IPv4 or IPv6). If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>pssl:6653:[::1]</code>.
If <var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address, is specified, then connections
are restricted to the resolved or specified local IP address
(either IPv4 or IPv6). If <var>host</var> is an IPv6 address,
wrap it in square brackets, e.g. <code>pssl:6653:[::1]</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to
6653. If <var>ip</var> is not specified then it listens only on
6653. If <var>host</var> is not specified then it listens only on
IPv4 (but not IPv6) addresses. The
<ref table="Open_vSwitch" column="ssl"/>
column in the <ref table="Open_vSwitch"/> table must point to a
@@ -4488,16 +4487,17 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
part of Open vSwitch.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>. If
<var>ip</var>, which must be expressed as an IP address (not a
DNS name), is specified, then connections are restricted to the
specified local IP address (either IPv4 or IPv6). If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>ptcp:6653:[::1]</code>. If <var>ip</var> is not
specified then it listens only on IPv4 addresses.
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address, is specified, then connections
are restricted to the resolved or specified local IP address
(either IPv4 or IPv6). If <var>host</var> is an IPv6 address, wrap
it in square brackets, e.g. <code>ptcp:6653:[::1]</code>. If
<var>host</var> is not specified then it listens only on IPv4
addresses.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6653.
@@ -4834,12 +4834,12 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
The following connection methods are currently supported:
</p>
<dl>
<dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified SSL <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address
(not a DNS name). The <ref table="Open_vSwitch"
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address. The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/>
table must point to a valid SSL configuration when this
form is used.
@@ -4853,30 +4853,30 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
</p>
</dd>
<dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified TCP <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address (not a
DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>tcp:[::1]:6640</code>.
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address (IPv4 or IPv6). If <var>host</var>
is an IPv6 address, wrap it in square brackets, e.g.
<code>tcp:[::1]:6640</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>ip</var>, which must be
expressed as an IP address (not a DNS name), is specified, then
connections are restricted to the specified local IP address
(either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
address, wrap in square brackets,
e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address,
is specified, then connections are restricted to the resolved or
specified local IP address (either IPv4 or IPv6 address). If
<var>host</var> is an IPv6 address, wrap in square brackets,
e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses.
The <ref table="Open_vSwitch" column="ssl"/> column in the <ref
table="Open_vSwitch"/> table must point to a valid SSL
@@ -4890,17 +4890,17 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
part of Open vSwitch.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>ip</var>, which must be
expressed as an IP address (not a DNS name), is specified, then
connections are restricted to the specified local IP address
(either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
address, wrap it in square brackets,
e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address,
is specified, then connections are restricted to the resolved or
specified local IP address (either IPv4 or IPv6 address). If
<var>host</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>ptcp:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 addresses.
</p>
<p>

34
vtep/vtep.xml
View File

@@ -116,12 +116,12 @@
The following connection methods are currently supported:
</p>
<dl>
<dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified SSL <var>port</var> (default: 6640) on the host at
the given <var>ip</var>, which must be expressed as an IP address
(not a DNS name).
The specified SSL <var>port</var> (default: 6640) on the given
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address.
</p>
<p>
SSL key and certificate configuration happens outside the
@@ -129,27 +129,29 @@
</p>
</dd>
<dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
The specified TCP <var>port</var> (default: 6640) on the host at
the given <var>ip</var>, which must be expressed as an IP address
(not a DNS name).
The specified TCP <var>port</var> (default: 6640) on the given
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address.
</dd>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>
(default: 6640). If <var>ip</var>, which must be expressed as an
IP address (not a DNS name), is specified, then connections are
restricted to the specified local IP address.
(default: 6640). If <var>host</var>, which can either be a DNS
name (if built with unbound library) or an IP address, is
specified, then connections are restricted to the resolved or
specified local IP address.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
Listens for connections on the specified TCP <var>port</var>
(default: 6640). If <var>ip</var>, which must be expressed as an
IP address (not a DNS name), is specified, then connections are
restricted to the specified local IP address.
(default: 6640). If <var>host</var>, which can either be a DNS
name (if built with unbound library) or an IP address, is
specified, then connections are restricted to the resolved or
specified local IP address.
</dd>
</dl>
</column>