mirror of https://github.com/openvswitch/ovs synced 2025-08-30 05:47:55 +00:00

9773 Commits

Author SHA1 Message Date
Ben Pfaff
2b123371ef stream-fd: Fix log message.
The log message for a send operation should refer to "send", not "recv".
Looks like an old cut-and-paste error.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-20 04:31:52 -08:00
Ben Pfaff
f33368ee6d rconn: Remove dead code and data.
These functions had no callers, so remove them and the data maintained
just to implement them.

Found by inspection.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-19 10:06:03 -08:00
Ben Pfaff
4c6b0ad74f pktbuf: Always initialize '*bufferp' even when 'pb == NULL'.
Otherwise if a service connection (which does not have buffers) attempts
to use buffers, '*bufferp' will be uninitialized, which can cause a
segfault in the caller.

Found using OFtest configured to use service (active rather than passive)
connections.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-19 10:05:53 -08:00
Lorand Jakab
cc23805ccf Fix typo in NEWS
Signed-off-by: Lorand Jakab <lojakab@cisco.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-19 15:13:17 +01:00
Lorand Jakab
5544e2919c Add tests/kmod-testsuite to .gitignore
Signed-off-by: Lorand Jakab <lojakab@cisco.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-19 14:08:28 +01:00
Andy Zhou
3314f01ee9 Vagrantfile: add test_ovs_kmod provision
Add 'test_ovs_kmod' provision.  Command:
   # vagrant provision --provision-with=test_ovs_kmod

will run "make check-kmod" in the vagrant launched VM.

It turns out to be more convenient to test within as root. Switch
Vagrantfile provisions to run as root user.  However, vagrant can
still be launched as normal user.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-16 13:20:34 -08:00
Andy Zhou
69c2bdfef9 autotest: add autotest framework for adding kernel module unit tests
This patch adds a basic infrastructure for developing and running
kernel module unit tests. Currently OVS contains thousands
of useful unit tests for user space programs. It is desirable to
have corresponding kernel module unit tests.

This commit adds basic framework for adding kernel module tests. Like
user space unit tests, Kmod tests are based on autotest framework, thus
are similar to existing unit tests. For references, kmod-traffic.at
contains a simple ping test.

"make check-kmod" can be invoked on any build machine as a root
user. Since kernel testing can potentially crash the kernel, it is
not recommended to run those tests directly on a development machine,
but rather a testing VM, such as ones that can be launched by vagrant.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-16 13:19:58 -08:00
Andy Zhou
02e6f2f700 autotest: refactor OVS_VSWITCHD_START MACRO
Refactor in preparation for the next patch.

Signed-off-by: Andy Zhou <azhou@nicira.com>
2015-01-16 13:18:03 -08:00
Gurucharan Shetty
233c7ef3fa packets: Do not use zero sized array in icmp header.
Visual studio supports zero-size array within a struct or union,
but has to be the last element. GCC does not have this restriction.

icmp headers got included inside 'struct ovs_nd_msg' through
commit e60e935b1f (Implement set-field for IPv6 ND fields (nd_target,
nd_sll, and nd_tll)). This causes compilation error while using MSVC.

Since icmp[6]_data in the icmp[6]_header is not used anywhere, just remove
them.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-01-16 08:14:00 -08:00
Ben Pfaff
6bb81d0421 AUTHORS: Stephen Finucane is now a code contributor.
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-01-15 07:25:02 -08:00
Stephen Finucane
833d8dfe85 configure.ac: Enable 'tar-pax' by default
Automake defaults to the 'v7' legacy tar format in GNU tar, through
passing of the '-o' parameter to GNU tar. Enabling this option results
in errors for users with 32 bit UIDs:

    $ make dist
    ...
    tardir=openvswitch-2.3.90 && ${TAR-tar} chof - "$tardir" | GZIP=--best gzip -c >openvswitch-2.3.90.tar.gz
    tar: value 12345678 out of uid_t range 0..2097151
    tar: Exiting with failure status due to previous errors
    make[1]: Leaving directory `/development/ovs'
    ...

The 'tar-pax' format is a 2001 POSIX standard that allows longer file
names and other niceties. Its use is a configuration option in Automake
1.9+. Enable this option.

Signed-off-by: Stephen Finucane <stephen.finucane@intel.com>
Reviewed-by: Mark D. Gray <mark.d.gray@intel.com>
Cc: Panu Matilainen <pmatilai@laiskiainen.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-01-15 07:14:22 -08:00
YAMAMOTO Takashi
1755fb4e3a ovs-numa.h: Add a missing OVS_UNUSED
Suppress the following warning:

> cc1: warnings being treated as errors
> In file included from ../lib/dpif.h:394:0,
>                  from ../lib/netdev.c:28:
> ../lib/ovs-numa.h: In function 'ovs_numa_dump_cores_on_numa':
> ../lib/ovs-numa.h:150:33: error: unused parameter 'numa_id'

The problem was introduced by
commit 9da2564e2bfa4ffc5a05552630ce2aca00a521c9.
("ovs-numa: Refine the module.")

Signed-off-by: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-01-15 09:59:25 +09:00
Thomas Graf
2e460098bf dpif: Use separate OVS_PACKET_ATTR_PROBE for packet messages
User space is currently sending a OVS_FLOW_ATTR_PROBE for both flow
and packet messages. This leads to an out-of-bounds access in
ovs_packet_cmd_execute() because OVS_FLOW_ATTR_PROBE >
OVS_PACKET_ATTR_MAX.

Introduce a new OVS_PACKET_ATTR_PROBE with the same numeric value
as OVS_FLOW_ATTR_PROBE to grow the range of accepted packet attributes
while maintaining binary compatibility with existing OVS binaries.

Fixes: 9233ce ("datapath: Add support for OVS_FLOW_ATTR_PROBE.")
Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Jesse Gross <jesse@nicira.com>
2015-01-15 00:17:31 +01:00
Ben Pfaff
afc3987b51 ofproto-dpif-xlate: Log if an OFPACT_CONJUNCTION action is executed.
Conjunction actions shouldn't normally get executed, so it's worth
logging if it happens.

Suggested-by: Jarno Rajahalme <jrajahalme@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-13 20:55:24 -08:00
YAMAMOTO Takashi
9da6989c49 route-table-bsd: Retry logic
Retry routing requests as the routing socket is unreliable.

Also, add some error checks and logs.

Signed-off-by: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-01-14 10:30:49 +09:00
Jarno Rajahalme
da692cbd62 test-atomic: Stop testing when running slow.
When the test suite is run on an OS with 1 core (e.g., a VM with one
core assigned to it), some of the atomic memory model tests take a
long time, with the effect that the test seems stuck.

This patch stops these tests after one second and only fails the test
if there has not been any significant progress, allowing the test to
pass also when running only with one core.

Reported-by: Motonori Shindo <motonori@shin.do>
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-13 16:39:46 -08:00
Sharo, Randall A CIV SPAWARSYSCEN-ATLANTIC, 55200
e60e935b1f Implement set-field for IPv6 ND fields (nd_target, nd_sll, and nd_tll).
This patch adds set-field operations for nd_target, nd_sll, and nd_tll
fields, with and without masks, using Nicira extensions and OpenFlow 1.2
protocol.

Signed-off-by: Randall A Sharo <randall.sharo at navy.mil>
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-01-13 16:22:44 -08:00
Ben Pfaff
ed5c51108c FAQ: Explain how to quickly add many ports.
This comes up from time to time.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-13 15:40:23 -08:00
Pritesh Kothari
88cc95c1c6 ipv6: Add support for setting ipv6 flow label.
IPv6 Flow Label is currently read only. This patch adds support
to allow actions like actions=set_field:0x12345->ipv6_label.

The change to mf_set_flow_value() is a bug fix, but the bug was
not visible before the flow label was modifiable.

Signed-off-by: Pritesh Kothari <pritesh.kothari@cisco.com>
[blp@nicira.com added an item to NEWS]
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-01-13 14:13:27 -08:00
Andrew Kampjes
b13bfc3c11 SECURITY.md: Update.
Add bit about reporting vulns with GPG.
Add generalised rules for vulnerabilities.

Signed-off-by: Andrew Kampjes <a.kampjes@gmail.com>
[blp@nicira.com edited and removed text about not using public lists]
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-01-13 13:45:56 -08:00
Amit Bose
a445a8d881 vconn: Avoid using C++ keyword 'class' as variable name in headers
Signed-off-by: Amit Bose <bose@noironetworks.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-13 13:51:50 +01:00
Thomas F Herbert
c246d91860 datapath: Bug setting vlan tci in compat function
This patch fixes a bug when pushing vlans. It causes vlans to be transmitted with
the TPID instead of the tci on the inner vlan.

Signed-off-by: Thomas F Herbert <thomasfherbert@entpnt.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
2015-01-12 10:35:33 -08:00
Ben Pfaff
27a79a4422 configure: Omit -O2 from CFLAGS when configuring with --enable-coverage.
CFLAGS follows OVS_CFLAGS in the compiler command line, and should, so that
the user can override any automatically determined compiler options.  That
means that the -O0 that the code here added to OVS_CFLAGS didn't really
have any effect since CFLAGS by default includes "-O2".  However, we do
really want to disable optimizations (because the coverage reports are hard
to interpret with optimizations), so this commit changes the configure
script to edit out -O2 from CFLAGS, leaving any other default or
user-specified options.

Reported-by: Mijo Safradin <mijo@linux.vnet.ibm.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-01-12 08:16:37 -08:00
Amit Bose
04009853bb pkg-config: Fix Cflags in package-config files
Cflags in pkg-config files sets the include path to $PREFIX/openflow,
$PREFIX/openvswitch. This makes the including source files use the files
like
  include <util.h>
instead of
  include <openvswitch/util.h>

Signed-off-by: Amit Bose <bose@noironetworks.com>
2015-01-12 13:03:01 +01:00
Ben Pfaff
0f3358ea42 dpif-netlink: Drop oversized packets instead of assert-failing.
A packet sent to a Netlink datapath has to fit within a Netlink attribute.
Until now, this was only checked in an assertion inside the Netlink code,
which meant that trying to send a too-large packet (approximately 64 kB or
larger) would assert-fail.  It's better to just drop those packets, which
this commit does.

Reported-by: Shuping Cui <scui@redhat.com>
Reported-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
2015-01-11 13:45:36 -08:00
Ben Pfaff
91496302bd netlink: Refine calculation of maximum-length attributes.
Until now the Netlink code has considered an attribute to exceed the
maximum length if the *padded* size of the attribute exceeds 65535 bytes.
For example, an attribute with a 65529-byte payload, together with 4-byte
header and 3 bytes of padding, takes up 65536 bytes and therefore the
existing code rejected it.

However, the restriction on Netlink attribute sizes is to ensure that the
length fits in the 16-bit nla_len field.  This field includes the 4-byte
header but not the padding, so a 65529-byte payload is acceptable because,
with the header but not the padding, it comes to only 65533 bytes.

Thus, this commit relaxes the restriction on Netlink attribute sizes by
omitting padding from size checks.  It also changes one piece of code that
inlined a size check to use the central function nl_attr_oversized().

This change should fix an assertion failure when OVS userspace passes a
maximum-size (65529+ byte) packet back to the kernel.

Reported-by: Shuping Cui <scui@redhat.com>
Reported-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
2015-01-11 13:43:11 -08:00
Ben Pfaff
18080541d2 classifier: Add support for conjunctive matches.
A "conjunctive match" allows higher-level matches in the flow table, such
as set membership matches, without causing a cross-product explosion for
multidimensional matches.  Please refer to the documentation that this
commit adds to ovs-ofctl(8) for a better explanation, including an example.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-11 13:25:24 -08:00
Ben Pfaff
2e0bded4b4 classifier: Make classifier_lookup() 'flow' parameter non-const.
An upcoming commit will make classifier_lookup() sometimes modify its
'flow' argument temporarily during the lookup.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
---
v2: New patch.
v2.1: Rebase.
v3: Rebase.
2015-01-11 13:07:06 -08:00
Ben Pfaff
ae99ee4554 FAQ.md: Describe OpenFlow packet buffering.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-11 10:00:59 -08:00
Thomas Graf
d06c1ff8ea vagrant: Build kernel module RPM
Installs the kernel-devel package of the currently running kernel and
builds the kmod RPM in the "install_rpm" phase.

Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Andy Zhou <azhou@nicira.com>
2015-01-10 00:54:18 +01:00
Motonori Shindo
ecf68fa449 vagrant: make sure to bootstrap before configure_ovs.
The order of execution in Vagrantfile is "outside-in" meaning that
all commands in outer scope are executed first and then the commands
in inner scope. Because of this ordering, "configure_ovs" is executed
before "bootstrap_fedora", resulting in "configure_ovs" to fail as
it is not bootstrapped yet. This change fixes this problem by removing
the nested scope in Vagrant.configure block. Multi-machine is not used
so we don't need config.vm.define block.

Signed-off-by: Motonori Shindo <motonori@shin.do>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-09 12:08:59 +01:00
Andy Zhou
b56b256641 vagrant: switch to use out of tree build
Vagrant shared folder, at least on the default virtual box, does not
support the creation of the socket files. If one were to build OVS
under /vagrant, 'make check' would not work.

Out of tree builds can be used to work around this issue.
See Install.md for instructions.

Since out of tree builds require a clean source tree, Vagrantfile can
not be a generated file. This commit removes Vagrantfile.in, commit
Vagrantfile instead.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-08 15:36:39 -08:00
Gurucharan Shetty
d5460484c3 vlog: Rename the currently used term 'facility' as 'destination'.
In OVS, we currently use the term 'facility' to mean the place
where we log (syslog, console or file). In Linux's syslog() and
rfc5424, the term 'facility' is used to specify what type of program
is logging the message (e.g: LOG_DAEMON). This causes confusion
while reading vlog's code. This commit changes the term 'facility'
to 'destination'.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-01-08 07:21:03 -08:00
Ethan Jackson
4c75aaabb1 dpif-netdev: Fix rare flow add race condition.
Before this patch, dp_netdev_flow_add() inserted newly minted flows in
the "flow_table" cmap before inserting them into the per core "dpcls"
classifier.  Since dpcls_insert() initializes 'flow->cr.mask', there's
a brief window where the flow is accessible from the cmap, but has a
bogus mask value.

In my testing, under rare instances (i.e. once every 20 minutes with a
very specific flow table and traffic pattern), revalidators core dump
when they call dpif_netdev_flow_dump_next(), which accesses this bogus
mask value from dp_netdev_flow_to_dpif_flow().

By inserting into the per core classifier before the cmap, all the
values are guaranteed to be initialized during flow dumps.  With this
patch, I can no longer reproduce the crash.

Signed-off-by: Ethan Jackson <ethan@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-07 18:15:13 -08:00
Jarno Rajahalme
8ae8176fd0 tests: Make test independent of the hash function.
Otherwise compiling with -msse4.2 (or -march=native on a SSE4.2
capable CPU) will produce a test failure due to the CRC32-based hash
function being different from mhash.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-01-07 10:16:47 -08:00
Joe Stringer
d0c4f1dcd8 ovs-dpctl: Minor manpages fixes.
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-01-07 09:57:37 -08:00
Joe Stringer
70fbe3756e odp-util: Reuse standard delimiters.
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-01-07 09:57:29 -08:00
Flavio Leitner
bc57376a65 SECURITY.md: LTS branches triggers version release
The release cycle is in order of months currently, so when a
security fix is applied to LTS (long-term support) branches,
it is recommended to release a new version.

The idea is to keep the latest LTS tarball less vulnerable.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-01-07 09:01:01 -08:00
Flavio Leitner
48beaa8575 SECURITY.md: disclosure date can be negotiated
Stakeholders might need extra time to provide the update,
so let's leave it open to negotiate case by case with the
final word on the Open vSwitch security team's hands.  A
default policy is provided as a reference.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-01-07 08:57:50 -08:00
Flavio Leitner
bb6c5fad24 SECURITY.md: contributors must agree to confidentiality
There is no point in having the special process if a
contributor refuses or doesn't agree with the
confidentiality terms.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
2015-01-07 08:52:37 -08:00
Flavio Leitner
e9e85443fb INSTALL.md: Split building steps to allow refs
There are other parts of the document that need to
reference some building steps.  Instead of copying
and explaining again, this patch splits the building
section in three sections that can be referenced.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-07 15:37:27 +01:00
Thomas Graf
0234d90b8b travis: Update build matrix to include latest stable kernels
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
2015-01-07 12:55:49 +01:00
Thomas Graf
7ab1a0d8e3 datapath: Account for new flags args of vxlan_sock_add()
The upstream commit 359a0ea
("vxlan: Add support for UDP checksums (v4 sending, v6 zero csums)")
has introduced a new flags argument to vxlan_sock_add().

OVS does not pass any flags at this point, thus specifying 0 will be
compatible with both the old ipv6 bool and the new u32 flags argument.

Upstream: 359a0ea ("vxlan: Add support for UDP checksums (v4 sending, v6 zero csums)")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
2015-01-07 12:55:49 +01:00
Thomas Graf
1dfb9f31f3 datapath: replace remaining users of arch_fast_hash with jhash
This patch effectively reverts commit 500f80872645 ("net: ovs: use CRC32
accelerated flow hash if available"), and other remaining arch_fast_hash()
users such as from nfsd via commit 6282cd565553 ("NFSD: Don't hand out
delegations for 30 seconds after recalling them.") where it has been used
as a hash function for bloom filtering.

While we think that these users are actually not much of concern, it has
been requested to remove the arch_fast_hash() library bits that arose
from [1] entirely as per recent discussion [2]. The main argument is that
using it as a hash may introduce bias due to its linearity (see avalanche
criterion) and thus makes it less clear (though we tried to document that)
when this security/performance trade-off is actually acceptable for a
general purpose library function.

Let's therefore avoid any further confusion on this matter and remove it to
prevent any future accidental misuse of it. For the time being, this is
going to make hashing of flow keys a bit more expensive in the ovs case,
but future work could reevaluate a different hashing discipline.

  [1] https://patchwork.ozlabs.org/patch/299369/
  [2] https://patchwork.ozlabs.org/patch/418756/

Upstream: 8754589 ("net: replace remaining users of arch_fast_hash with jhash")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
2015-01-07 12:55:49 +01:00
Thomas Graf
5282e284ac datapath: introduce rtnl ops stub
This stub now allows userspace to see IFLA_INFO_KIND for ovs master and
IFLA_INFO_SLAVE_KIND for slave.

Upstream: 5b9e7e16 ("openvswitch: introduce rtnl ops stub")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
2015-01-07 12:55:49 +01:00
Thomas Graf
97894370f5 datapath: move vlan pop/push functions into common code
So it can be used from out of openvswitch code.
Did couple of cosmetic changes on the way, namely variable naming and
adding support for 8021AD proto.

Note on backwards compatibility:
Unlike the upstream version, the backport of skb_vlan_push() does not
support translating a hardware accelerated 8021AD tag to software.
This is not a problem though as it preserves existing behaviour.

Upstream: 93515d53 ("net: move vlan pop/push functions into common code")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
2015-01-07 12:55:49 +01:00
Thomas Graf
5cce04b6f6 datapath: move make_writable helper into common code
note that skb_make_writable already exists in net/netfilter/core.c
but does something slightly different.

Upstream: e219512 ("net: move make_writable helper into common code")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
2015-01-07 12:55:49 +01:00
Thomas Graf
17e3889fd1 datapath: Add __vlan_insert_tag() compat helper if not available
Since older kernels do not have skb->vlan_proto, it is assumed that
kernels which don't provide their own __vlan_insert_tag() will also
not have skb->vlan_proto. The backwards compat function therefore
only supports ETH_P_8021Q as the protocol type.

Upstream: 15255a43 ("vlan: introduce __vlan_insert_tag helper which does not free skb")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
2015-01-07 12:55:49 +01:00
Thomas Graf
1f649f1c8d datapath: Account for rename to vlan_insert_tag_set_proto()
__vlan_put_tag() was renamed to vlan_insert_tag_set_proto() with
the argument list kept intact.

Upstream: 62749e ("vlan: rename __vlan_put_tag to vlan_insert_tag_set_proto")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
2015-01-07 12:55:49 +01:00
Ben Pfaff
f066424208 SECURITY: New document describing proposed security process for OVS.
Open vSwitch needs some kind of process for handling vulnerabilities.  So
far, we've been pretty lucky that way, but it can't last forever, and I
think we'll be better off if we have at least the outline of an established
process whenever a significant vulnerability comes along.  Here's my draft
of a process based on the documentation of the OpenStack process at
https://wiki.openstack.org/wiki/Vulnerability_Management.

I don't have a lot of experience with this kind of thing myself, so I'd
appreciate critical review from anyone who does.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Reviewed-by: Flavio Leitner <fbl@redhat.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
2015-01-06 15:20:38 -08:00