pinctrl_handle_put_dhcpv6_opts() and pinctrl_handle_dns_lookup() were not
checking that a full UDP header was present before reading its udp_len
field. This patch fixes the problem.
I don't think that the system as a whole, as normally installed, was
exploitable. This is because pinctrl processes a packet sent to it from
ovs-vswitchd. ovs-vswitchd only sends it UDPv6 DHCPv6 packets. To
determine that the packets are DHCPv6, ovs-vswitchd has to see that its UDP
port numbers are those for DHCPv6, and it's only going to see that if an entire
UDP header is present. Therefore, this part of pinctrl will only ever
process a packet for which udp_len is there.
I believe that pinctrl_handle_dns_lookup() is similar.
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Greg Rose <gvrose8192@gmail.com>

msg->size isn't the relevant measurement here because we're only supposed
to read 'len' bytes. Reading more than that causes 'len' to underflow to a
large number at the end of the loop.
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Greg Rose <gvrose8192@gmail.com>

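The two fixes above amount to the same rule: never read a header field, and never subtract an option length, until the bytes it covers are known to be present. The walker below is an added example written for this note, not OVS code; the packet bytes are constructed, and the sizes it assumes (8-byte UDP header, 4-byte DHCPv6 message header, 4-byte option header) are the standard ones.

```c
#include <stddef.h>
#include <stdint.h>

#define UDP_HEADER_LEN     8
#define DHCPV6_HDR_LEN     4
#define DHCPV6_OPT_HDR_LEN 4

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Walks the DHCPv6 options in a UDP datagram held in 'udp'/'udp_buf_len'.
 * Returns the number of options, or -1 if the buffer is malformed. */
int count_dhcpv6_options(const uint8_t *udp, size_t udp_buf_len)
{
    /* udp_len sits at offset 4; refuse to read it unless the whole
     * UDP header is present (the pinctrl fix). */
    if (udp_buf_len < UDP_HEADER_LEN) return -1;
    size_t udp_len = get_be16(udp + 4);
    if (udp_len < UDP_HEADER_LEN || udp_len > udp_buf_len) return -1;

    /* Only 'udp_len' bytes belong to this datagram; anything beyond it in
     * the buffer (padding, a following message) must not be parsed. */
    const uint8_t *p = udp + UDP_HEADER_LEN;
    size_t len = udp_len - UDP_HEADER_LEN;
    if (len < DHCPV6_HDR_LEN) return -1;          /* msg-type + transaction id */
    p += DHCPV6_HDR_LEN;
    len -= DHCPV6_HDR_LEN;

    int n = 0;
    while (len > 0) {
        /* Check the option header and body fit in 'len' *before* subtracting,
         * so 'len' can never wrap to a huge value (the underflow fix). */
        if (len < DHCPV6_OPT_HDR_LEN) return -1;
        size_t opt_len = get_be16(p + 2);
        if (opt_len > len - DHCPV6_OPT_HDR_LEN) return -1;
        p   += DHCPV6_OPT_HDR_LEN + opt_len;
        len -= DHCPV6_OPT_HDR_LEN + opt_len;
        n++;
    }
    return n;
}

/* Constructed sample: UDP 546->547, length 18, checksum 0; DHCPv6 SOLICIT
 * (msg-type 1, xid 0x000001); one option (code 1, length 2, body aa bb). */
static const uint8_t good_pkt[] = {
    0x02, 0x22, 0x02, 0x23, 0x00, 0x12, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x01,
    0x00, 0x01, 0x00, 0x02, 0xaa, 0xbb };
/* Same datagram, but the option claims 16 body bytes that are not there. */
static const uint8_t overlong_opt[] = {
    0x02, 0x22, 0x02, 0x23, 0x00, 0x12, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x01,
    0x00, 0x01, 0x00, 0x10, 0xaa, 0xbb };
/* Truncated: five bytes, so only half of the udp_len field is present. */
static const uint8_t truncated[] = { 0x02, 0x22, 0x02, 0x23, 0x00 };
```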
Many standard library functions are wrapped in OVS, so check for usage
of the original versions and suggest that authors replace them with the
OVS versions.
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ben Pfaff <blp@ovn.org>

This patch adds the new make target 'datapath_windows_analyze' (static
analysis over the windows datapath code) to the appveyor build.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Anand Kumar <kumaranand@vmware.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>

Add two new build targets: 'Win8Analyze' and 'Win8.1Analyze'.
The new build targets have the static code analyzer (built in Visual
Studio feature).
This patch also introduces a new make target ('datapath_windows_analyze')
which can be added to the CI jobs to get a list of warnings/errors issued
by the code analyzer.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Anand Kumar <kumaranand@vmware.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>

The removal is mandatory to use the VStudio 2013 static code analyzer.
The only function that was used from the include is: 'StringCbLengthA'.
We were not checking the result of that function, nor will the
'vportGet->name' exceed the 'OVS_MAX_PORT_NAME_LENGTH' limitation.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Anand Kumar <kumaranand@vmware.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>

The vport_type_to_kind() call at the top of dpif_netlink_rtnl_verify()
ensures that these cases can never be hit, so use OVS_NOT_REACHED()
instead of setting the err to EOPNOTSUPP.
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Greg Rose <gvrose8192@gmail.com>
Acked-by: Eric Garver <e@erig.me>

The calls here were duplicated across each tunnel protocol.
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Greg Rose <gvrose8192@gmail.com>
Acked-by: Eric Garver <e@erig.me>

Update the key used by the actions which follow up defragmentation, with
no fragment set in the IP header.
Found while testing OVN with two VMs on the same host.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Anand Kumar <kumaranand@vmware.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>

When a conntrack action is applied over an IP fragment we pend the fragment
which will be consumed later. This should be transparent to the userspace.
Report that the action was applied successfully so it does not spam
the ovs-vswitchd log.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Anand Kumar <kumaranand@vmware.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>

Found by inspection.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Anand Kumar <kumaranand@vmware.com>

'multiple bridges share a controller' hangs on Windows because it is
lacking the exit information (it will hang when the test has finished).
Introduce a pidfile to 'ovs-testcontroller' and end it on exit based on
the pidfile.
Signed-off-by: Alin Gabriel Serdean <aserdean@cloudbasesolutions.com>
Acked-by: Andy Zhou <azhou@ovn.org>
Signed-off-by: Andy Zhou <azhou@ovn.org>

Centos provides pyOpenSSL version pyOpenSSL-0.13.1-3.el7.x86_64.
There are 2 issues using this version, which this patch fixes:

- The test case "simple idl verify notify - SSL" is skipped.
  This is because "python -m OpenSSL.SSL" is used to detect the
  presence of the pyOpenSSL package. pyOpenSSL v0.13 has C python
  modules because of which the above command returns 1.
  So this patch fixes this by using 'python -c "import OpenSSL.SSL"'.

- The SSL.Context class does not have the function "set_session_cache_mode"
  defined. Our usage here was only relevant for server-side connections
  (pssl), which is not yet supported by python-ovs, so just remove the
  usage of this function. The default cache mode (server) will just
  be ignored.
I have not tested with older versions (< 0.13) of pyOpenSSL.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Lance Richardson <lrichard@redhat.com>
Tested-by: Marcin Mirecki <mmirecki@redhat.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>

When '--ovn-manage-ovsdb=no' is passed to "ovn-ctl start_northd", it
doesn't start ovsdb-servers, but it expects the ovsdb-servers to be
running. If the ovsdb-servers are not running, ovn-ctl exits without
starting ovn-northd. This could create problems when ovn-northd and
ovsdb-servers are managed separately, for example when pacemaker is
used to manage ocf:ovndb-servers and ovn-northd as separate resources.
In the cases where a slave is promoted as master, it is possible that
pacemaker might start ovn-northd service before starting
ovsdb-servers.
This patch addresses this issue by not checking the status of
ovsdb-server pids when ovn-manage-ovsdb is set to true when
'start_northd' is called. ovn-northd will eventually connect to the
ovsdb-servers when they are started. So there is no harm in removing
this check.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Andy Zhou <azhou@ovn.org>

The start action returns OCF_RUNNING_MASTER in certain scenarios.
But as per the OCF guidelines, status code OCF_RUNNING_MASTER should
be returned only in the monitor action [1].
Whenever the start action returns OCF_RUNNING_MASTER, it is observed
in testing that pacemaker stops the ovsdb-server ocf resource
in that node. This patch fixes this issue by returning OCF_SUCCESS in
such cases.
The stop action returns OCF_RUNNING_MASTER if the ovsdb-servers are
running as master. But as per the OCF guidelines [2], stop action
should only return OCF_SUCCESS. If any other code is returned,
pacemaker cluster would block that resource in that node.
This patch fixes this issue by stopping the ovsdb-servers when they
are running as masters (which is the expected case) and returns
OCF_SUCCESS.
[1] - http://www.linux-ha.org/doc/dev-guides/_literal_ocf_running_master_literal_8.html
[2] - http://www.linux-ha.org/doc/dev-guides/_literal_stop_literal_action.html
CC: Andy Zhou <azhou@ovn.org>
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Andy Zhou <azhou@ovn.org>

This patch implements support for per-flow TCP IPFIX counters. It's based on RFC
5102, section 5.10.
Signed-off-by: Przemyslaw Szczerbik <przemyslawx.szczerbik@intel.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

xmalloc checks if the size is valid before allocating
memory, and also if the allocation was successful.
Signed-off-by: Shashank Ram <rams@vmware.com>
Signed-off-by: Gurucharan Shetty <guru@ovn.org>

On dpif init, probe for whether tunnels are created using in-tree
(upstream linux) or out-of-tree (OVS). This is done by probing for the
existence of "ovs_geneve" via rtnetlink. This is used to determine how
to create the tunnel devices.
For out-of-tree tunnels, only try genetlink/compat.
For in-tree kernel tunnels, try rtnetlink then fallback to genetlink.
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>

Creates GENEVE devices using rtnetlink and tunnel metadata.
Co-Authored-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>

Creates GRE devices using rtnetlink and tunnel metadata.
Co-Authored-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>

Creates VXLAN devices using rtnetlink and tunnel metadata.
Co-Authored-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>

In order to be able to add those tunnels, we need to add code to create
the tunnels and add them as NETDEV vports. And when there is no support
to create them, we need to fallback to compatibility code and add them
as tunnel vports.
When removing those tunnels, we need to remove the interfaces as well,
and detecting the right type might be important, at least to distinguish
the tunnel vports that we should remove and the interfaces that we
shouldn't.
Co-authored-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>

This breaks up creating compat ports so we can reuse some of the code to
create ports with rtnetlink.
Co-authored-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Joe Stringer <joe@ovn.org>

If the device name uses a vport prefix, then use that vport type.
Since these names are reserved, we can assume this is the right type.
This is important when we are querying the datapath right after vswitch has
started and using the right type will be even more important when we add support
to creating tunnel ports with rtnetlink.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Joe Stringer <joe@ovn.org>

The very long function compose_output_action__() has been re-factored to make
the different cases for output to patch-port, native tunnel port, kernel tunnel
port, recirculation, or termination of a native tunnel at output to LOCAL port
clearer. Larger, self-contained blocks have been split out into separate
functions.
Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com>
Co-authored-by: Zoltan Balogh <zoltan.balogh@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

The ovs-appctl bfd/show command printout
shows a negative time lag from now for upcoming events:

    Detect Time: now -2632ms
    Next TX Time: now -800ms

and a positive time lag from now for a past event:

    Last TX Time: now +150ms

The fix negates the signs.
Signed-off-by: Gábor Szűcs <gabor.sz.cs@ericsson.com>
Co-authored-by: Csaba Ihllye <csaba.ihllye@ericsson.com>
Signed-off-by: Csaba Ihllye <csaba.ihllye@ericsson.com>
Signed-off-by: Andy Zhou <azhou@ovn.org>

This is the equivalent change of 2f4f43bfdd ("rhel: fix the fedora
spec") for the regular openvswitch.spec. From that patch:
When commit d0c961a99f ("lib/automake.mk: don't install runtime
directories") landed, it broke RPM based builds since the requisite
directories were no longer available. This commit adds those
directories back when making RPMs so that the packagemanager can see
them.
Fixes: d0c961a99f ("lib/automake.mk: don't install runtime directories")
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Greg Rose <gvrose8192@gmail.com>

All these entries are going to be roughly the same, with only two key
differences. Clarify things by focusing on those differences.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ben Pfaff <blp@ovn.org>

The "ovs-appctl dpif-netdev/pmd-rxq-show" and "ovs-appctl
dpif-netdev/pmd-stats-show" commands show their output per core_id,
sorted on the hash location. My OCD was kicking in when using these
commands, hence this change to display them in natural core_id order.
In addition I had to change a test case that would fail if the cores
were not in order in the hash list. This is due to OVS assigning
queues to cores based on the order in the hash list. The test case now
checks if any core has the set of queues in the given order.
Manually tested this on my setup, and ran clang-analyze.
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

daemon.man is meant to have a heading above it, but in a few manpages its
text was running directly into the previous documentation because this had
been overlooked.
By adding .PP to daemon.man, we make this problem less severe if the
heading is similarly omitted in future manpages, since at least it will
then have its own paragraph instead of running into the previous one.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Andy Zhou <azhou@ovn.org>

This change avoids the following "sparse" warnings:

    /usr/include/inttypes.h:105:10: warning: preprocessor token PRIu64 redefined
    /usr/include/openssl/e_os2.h:275:12: this was the original definition

With this change, the build is again "sparse" clean.
I did not look into the details of this particular issue. However, the
upshot is that including <inttypes.h> before any OpenSSL header avoids the
warning and the opposite order provokes it.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Darrell Ball <dlu998@gmail.com>

This patch enables already implemented ifInMulticastPkts counter in sFlow for
DPDK interfaces. Metric is retrieved from DPDK by using extended statistic API
and stored in 'multicast' member of netdev_stats structure, which represents
number of incoming packets that were addressed to a multicast address.
Signed-off-by: Przemyslaw Szczerbik <przemyslawx.szczerbik@intel.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

The sorted subtable ranking patch introduced a classifier instance per
ingress port with its subtables ranked on the frequency of hits. The PMD
thread can have more classifier instances now and solely depends on the
number of ingress ports currently handled by the pmd thread.
Fixes: 3453b4d62a ("dpif-netdev: dpcls per in_port with sorted subtables")
Signed-off-by: Bhanuprakash Bodireddy <bhanuprakash.bodireddy@intel.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

'emc_insert_min' variable is made to align on a 64-byte boundary and this
introduces a 24 byte hole.
This patch moves the emc_insert_min member variable slightly higher in
the order to remove the hole and thus saves a cache line with the new
ordering.
Signed-off-by: Bhanuprakash Bodireddy <bhanuprakash.bodireddy@intel.com>
CC: Ciara Loftus <ciara.loftus@intel.com>
CC: Georg Schmuecking <georg.schmuecking@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Kevin Traynor <ktraynor@redhat.com>

Conditional EMC insert patch gives the flexibility to configure the
probability of flow insertion in to EMC. This also allows an option to
entirely disable EMC by setting 'emc-insert-inv-prob=0' which can be
useful at large number of parallel flows.
This patch skips EMC lookup when EMC is disabled. This is useful to
avoid wasting CPU cycles and also improve performance considerably.
Signed-off-by: Bhanuprakash Bodireddy <bhanuprakash.bodireddy@intel.com>
CC: Ciara Loftus <ciara.loftus@intel.com>
CC: Georg Schmuecking <georg.schmuecking@ericsson.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Darrell Ball <dlu998@gmail.com>

Fix line lengths to be <= 79 as per coding style and so that checkpatch
will not show up existing warnings on these files.
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

In current implementation port_id is used as an ifindex for all netdev-dpdk
interfaces.
For physical DPDK interfaces using port_id as ifindex causes that '0' is set as
ifindex for 'dpdk0' interface, '1' for 'dpdk1' and so on. For the DPDK vHost
interfaces ifindexes are not even assigned (0 is used by default) due to the
fact that vHost ports don't use port_id field from the DPDK library.
This causes multiple negative side-effects. First of all, 0 is an invalid
ifindex value. The other issue is possible overlapping of 'dpdkX' interfaces'
ifindex values with the ifindexes of kernel space interfaces which may cause
problems in any external tools that use those values. Neither 'dpdk0', nor any
DPDK vHost interfaces are visible in sFlow collector tools, as all interfaces
with ifindexes smaller than 1 are ignored.
Proposed solution to these issues is to calculate a hash of interface's name
and use calculated value as an ifindex. This way interfaces keep their
ifindexes during OVS-DPDK restarts, ports re-initialization events, etc., show
up in sFlow collectors and meet RFC 2863 specification regarding re-using
ifindex values by the same virtual interfaces and maximum ifindex value.
Signed-off-by: Przemyslaw Lal <przemyslawx.lal@intel.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Darrell Ball <dlu998@gmail.com>

3.18 and 3.12 have been EOLed, 4.11 is new, and there are some minor
revisions to other kernels. Update the list.
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Greg Rose <gvrose8192@gmail.com>

Since commit f12e09b7b2 ("libopenvswitch: Rename to libfoo-X.Y."), the
CURRENT libtool number is no longer derived from the OVS MINOR (from
vMAJOR.MINOR.MICRO) version, so it can be reset to 0.
Developers should attempt to avoid introducing ABI-breaking changes
within a particular OVS-X.Y release series. Occasionally due to the
nature of a particular bug, this is not possible. In such a case,
developers must update the libtool CURRENT version to indicate this
breakage to library users.
In most OVS library releases, this is expected to remain 0.
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>