The set_dscp() function, until now, tried to set the DSCP as IPv4 and as
IPv6. This worked OK on Linux, where an ENOPROTOOPT error made it really
clear which one was wrong, but FreeBSD uses EINVAL instead, which has
multiple meanings and which it therefore seems somewhat risky to ignore.
Instead, this commit just tries to set the correct address family's DSCP
option.
Tested by Alex Wang on FreeBSD 9.3.
Reported-by: Atanu Ghosh <atanu@acm.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Co-authored-by: Alex Wang <alexw@nicira.com>
Signed-off-by: Alex Wang <alexw@nicira.com>
Tested-by: Alex Wang <alexw@nicira.com>
This function is really of marginal utility. This commit drops it and
makes the existing callers instead open a new pstream with the desired
dscp.
The ulterior motive here is that the set_dscp() function that actually sets
the DSCP on a socket really wants to know the address family (AF_INET vs.
AF_INET6). We could plumb that down through the stream code, and that's
one reasonable option, but I thought that simply eliminating some calls
to set_dscp() where we don't already have the address family handy was
another reasonable way to go.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
init_clock begins with a memset of 0 of the full clock struct. This
memset at the end of a single struct member just makes extra sure that
it's set to 0, which is unnecessary.
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
The 2.3 branch has been the long-term release for a while now, but somehow
we forgot to update the FAQ.
Reported-by: Kentaro Ebisawa <ebiken.g@gmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
Upstream commit:
udp: Generic functions to set checksum
Added udp_set_csum and udp6_set_csum functions to set UDP checksums
in packets. These are for simple UDP packets such as those that might
be created in UDP tunnels.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: af5fcba7 ("udp: Generic functions to set checksum")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Use the common udp_sock_create() for LISP, similar to what was
done for VXLAN.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Upstream commit:
vxlan: Call udp_sock_create
In vxlan driver call common function udp_sock_create to create the
listener UDP port.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 3ee64f39 ("vxlan: Call udp_sock_create")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Upstream commit:
udp: Add udp_sock_create for UDP tunnels to open listener socket
Added udp_tunnel.c which can contain some common functions for UDP
tunnels. The first function in this is udp_sock_create which is used
to open the listener port for a UDP tunnel.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 8024e028 ("udp: Add udp_sock_create for UDP tunnels to open listener socket")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
vxlan_src_port() has been replaced with the more generic
udp_flow_src_port() upstream. We already have a backport for this and
it is used everywhere where this is needed, so we can remove the
dead vxlan_src_port() function.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
VXLAN is now an RFC, so we had better change the pointer to it.
Signed-off-by: Kentaro Ebisawa <ebiken.g@gmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
It is sometimes useful to leverage the sandbox facility to experiment
and explore the internals of ovs-vswitchd. Since GDB requires console
access for user inputs, this patch launches an xterm for GDB. The main
terminal continues to run the sub-shell as before. Exiting the sub-shell
will also kill the ovs-vswitchd under GDB (but not GDB itself currently).
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
The copyright dates are taken from "git log --follow ovsdb/ovsdb-doc",
considering only Nicira authors' changes. (Only one change was from
a non-Nicira author anyhow.)
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
I really can't stand nroff syntax. This makes it possible to install
nroff but write in a more sensible XML syntax.
The following commit adds the first user.
Signed-off-by: Ben Pfaff <blp@nicira.com>
A fair number of columns had been overlooked. This documents them.
The patch is smaller than it appears because this rearranges the STP and
RSTP documentation to group configuration, status, and statistics together
in the documentation for clarity.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
The lower layers count errors but until now nothing actually reported them.
Found by inspection.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
Update the logic used in constify() to add const to a 'char **' while
still excluding all other cases of more than one level of indirection.
This results in adding const to a parameter of a generated setter
function where we're generally passing in an array of constant strings.
As a result, this patch includes the other necessary fixes to the code
base to reflect the const addition.
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Add a new section about Python code to the coding style document.
Suggest that all new Python code should adhere to the PEP 8 standard.
Also include a reference to tools that can quickly check code for
style issues.
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Ken co-authored commit add17b6945ab6 (vtep: Initial checkin of vtep
schema.) back in 2013 but I forgot to credit him in AUTHORS at the time.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Madhu reported a bug last year, mentioned in commit 639b6d9c9093
(ovsdb-server: Document RFC 7047 extensions to ovsdb <error>s.) but I
forgot to credit him in AUTHORS at the time.
Signed-off-by: Ben Pfaff <blp@nicira.com>
When updating post recirc rules, rule management requires calls to
hmap APIs, which requires proper locking to ensure mutual exclusion in
accessing the hmap internal data structure. The locking currently is
missing from the output_normal() xlate path, thus causing
a race condition.
The race condition leads to segfault crash of ovs-vswitchd, with the
following stack trace:
The crash was found by adding and deleting bond interfaces repeatedly
with on-going traffic hitting the bond interfaces. The same test was
run over multiple days with this patch to ensure the same crash was
not seen.
The patch added the necessary lock annotation that would have caught
the bug.
Tested-by: Salvatore Cambria <salvatore.cambria@citrix.com>
Reported-by: Salvatore Cambria <salvatore.cambria@citrix.com>
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Patches that modify existing code can break expected behaviour.
Flag this by testing the patch with 'make check' prior to submission.
Furthermore, it is not sufficient to only test patches that add files
using 'make distcheck'; the compile flags for this target could change
the definition of some functions (ovs_assert, for example), altering
the outcome of some unit tests. Rather, it is preferable to use a
combination of 'make distcheck' with 'make check' to cover all bases.
Signed-off-by: Mark Kavanagh <mark.b.kavanagh@intel.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Introduces two new NXMs to represent VXLAN-GBP [0] fields.
actions=load:0x10->NXM_NX_TUN_GBP_ID[],NORMAL
tun_gbp_id=0x10,actions=drop
This enables existing VXLAN tunnels to carry security label
information such as a SELinux context to other network peers.
The values are carried to/from the datapath using the attribute
OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS.
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy-00
Signed-off-by: Madhu Challa <challa@noironetworks.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Previously, list_moved() only worked with non-empty lists, but this was a
caveat that was really easy to miss. parse_ofp_group_mod_file() had a bug
because it didn't honor that restriction. This commit fixes the problem,
by modifying the list_moved() interface to be harder to use incorrectly
and then updating the callers.
Reported-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
According to netdev-provider, this function should return
EOPNOTSUPP if not supported.
Signed-off-by: Mark D. Gray <mark.d.gray@intel.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
testsuite uses mkfifo in its job dispatcher that manages
parallel unit tests. MinGW does not have a mkfifo. This
results in unit tests running serially on Windows. Right
now it takes up to approximately 40 minutes to run all the
unit tests on Windows.
This commit provides a job dispatcher for MinGW that uses
temporary files instead of mkfifo to manage parallel jobs.
With this commit, on a Windows machine with 4 cores and with
8 parallel unit test sessions, it takes approximately 8
minutes to finish a unit test run.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Eitan Eliahu <eliahue@vmware.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Multiple weak edges between nodes at the same rank overlap with each other in
a dot/graphviz diagram. The vswitchd.pic used in ovs-vswitchd.conf.db.5 suffers
from this problem.
Removing "constraint=false" allows graphviz to rank the nodes using the weak
edges as well so that the nodes at the ends of a weak edge won't be at the
same rank and allows multiple 'weak' edges to be visible.
Signed-off-by: Shu Shen <shu.shen@radisys.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source addresses on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
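
The per-port fairness described in the MAC flooding commit message above, sketched as an added example; this is not Open vSwitch code. The table sizes, struct layout and function names (table_lookup, evict_fair, table_learn, survivors_after_flood) are hypothetical, and choosing the least recently used entry within the heaviest port is an assumption the commit message does not state.

```c
#include <stdint.h>

#define MAX_ENTRIES 8   /* constructed: tiny table so eviction is easy to see */
#define MAX_PORTS   4
struct mac_entry { uint64_t mac; int port; unsigned long used; int valid; };
struct mac_table {
    struct mac_entry e[MAX_ENTRIES];
    int per_port[MAX_PORTS];   /* entries currently learned on each port */
    unsigned long clock;       /* logical time, for LRU within a port */
};

/* Returns the slot holding mac, or -1 if it is not in the table. */
int table_lookup(const struct mac_table *t, uint64_t mac) {
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (t->e[i].valid && t->e[i].mac == mac) return i;
    return -1;
}

/* Frees the LRU entry (an assumption) of the port with the most entries. */
int evict_fair(struct mac_table *t) {
    int heavy = 0, victim = -1;
    for (int p = 1; p < MAX_PORTS; p++)
        if (t->per_port[p] > t->per_port[heavy]) heavy = p;
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (t->e[i].valid && t->e[i].port == heavy
            && (victim < 0 || t->e[i].used < t->e[victim].used)) victim = i;
    t->e[victim].valid = 0;
    t->per_port[heavy]--;
    return victim;
}

/* Learns mac on port, evicting fairly only when the table is full. */
void table_learn(struct mac_table *t, uint64_t mac, int port) {
    int i = table_lookup(t, mac);
    if (i >= 0) t->per_port[t->e[i].port]--;    /* known MAC: re-home it */
    else for (i = 0; i < MAX_ENTRIES && t->e[i].valid; i++) continue;
    if (i == MAX_ENTRIES) i = evict_fair(t);    /* no free slot left */
    t->e[i] = (struct mac_entry){ mac, port, ++t->clock, 1 };
    t->per_port[port]++;
}

/* Constructed scenario: ports 0 and 1 hold two hosts each, port 2 floods. */
int survivors_after_flood(void) {
    struct mac_table t = {0};
    int alive = 0;
    for (int i = 0; i < 4; i++) table_learn(&t, 0xA0 + i, i / 2);
    for (int m = 0; m < 1000; m++) table_learn(&t, 0xC000 + m, 2);
    for (int i = 0; i < 4; i++) alive += table_lookup(&t, 0xA0 + i) >= 0;
    return alive;
}
```

With a plain global LRU policy the same flood would push all four legitimate hosts out of the table; here the flooding port only ever evicts its own entries.
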
vxlan: Only set has-GBP bit in header if any other bits would be set
This allows for a VXLAN-GBP socket to talk to a Linux VXLAN socket by
not setting any of the bits.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: db79a621835e ("vxlan: Only set has-GBP bit in header if any other bits would be set")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
_BitScanForward() and friends are part of the Windows API and
take DWORD as parameter type. DWORD is defined to be 'unsigned long'
in Windows' header files.
We call into these functions from within lib/util.h. Currently, we
pass arguments of type uint32_t which is type defined to
'unsigned int'. This incompatibility causes failures when we compile
the code as C++ code or with warnings enabled, when compiled as C
code.
The fix is to use 'unsigned long' rather than fixed size type.
Co-Authored-by: Linda Sun <lsun@vmware.com>
Signed-off-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Linda Sun <lsun@vmware.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
OVS daemon service for Windows creates the pidfile and then
registers with the Windows services manager that the service
is running. There is a small time gap between the two steps.
So retry a few times in the test.
Also, provide a keyword for the test.
Reported-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Tested-by: Nithin Raju <nithin@vmware.com>
Most of the information that timeval was reporting for long poll intervals
was comparing per-thread with per-process statistics, which yielded
nonsense a lot of the time.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
For testing purposes, developers may want to change the NON_PMD_CORE_ID
and use a different core for non-pmd threads. Since the netdev-dpdk
module is hard-coded to assert the non-pmd threads using core 0, such
a change will cause abortion of OVS.
This commit fixes the assertion and allows changing NON_PMD_CORE_ID.
Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
To reduce the complexity of writing kmod tests.
Suggested-by: Joe Stringer <joestringer@nicira.com>
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Executing clean-up commands in the reverse order of their addition
seems to be better for most of the cleanup situations. For example,
in kmod tests, we should remove name spaces before removing kernel
modules.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
This patch adds support for OFPR_ACTION_SET as the packet-in reason when
a Packet-In message is triggered by an output action within an
action-set. By default reason code OFPR_ACTION_SET is enabled for async
messages when OpenFlow 1.4+ is used. A test case is included.
Signed-off-by: Shu Shen <shu.shen@radisys.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
With XenServer only 1 manager is configured in the pool, which may not
be the first manager returned from `get-manager` as it returns in
lexicographical order.
Signed-off-by: Jason Kölker <jason@koelker.net>
Signed-off-by: Ben Pfaff <blp@nicira.com>
The ping output can be useful. There is no down side in saving it.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Improves test failure handling. Remove name spaces that are no longer
needed so they do not linger around before the next test starts.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
This is mostly a style fix. The macro is used in the next patch to
add commands to the 'cleanup' file. This fix makes the 'cleanup' file
easier to read.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Those are not necessary and make the test output file harder to read.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Removing namespaces also removes the ports in them, which may
cause vswitch to generate warning log messages about not being
able to find the port before it exits.
Removing namespaces after ovs-vswitchd exits improves test reliability.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: Joe Stringer <joestringer@nicira.com>