Under Linux, at least, bind and fchmod interact for Unix sockets in a way
that surprised me. Calling fchmod() on a Unix socket successfully sets the
permissions for the socket's own inode. But that has no effect on any
inode that has already been created in the file system by bind(), because
that inode is not the same as the one for the Unix socket itself.
However, if you bind() *after* calling fchmod(), then the bind() takes the
permissions for the new inode from the Unix socket inode, which has the
desired effect.
This also adds a more portable fallback for non-Linux systems.
Reported-by: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Static analyzers hate strncpy(). This new function shares its property of
initializing an entire buffer, without its nasty habit of failing to
null-terminate long strings.
Coverity #10697,10696,10695,10694,10693,10692,10691,10690.
Provides ability to match over IPv6 traffic in the same manner as IPv4.
Currently, the matching fields include:
- IPv6 source and destination addresses (ipv6_src and ipv6_dst)
- Traffic Class (nw_tos)
- Next Header (nw_proto)
- ICMPv6 Type and Code (icmp_type and icmp_code)
- TCP and UDP Ports over IPv6 (tp_src and tp_dst)
When defining IPv6 rules, the Nicira Extensible Match (NXM) extension to
OVS must be used.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Many Open vSwitch tests fail on Debian's automatic build machines because
the builds occur in deeply nested directories with long names. OVS tries
to bind and connect to Unix domain sockets using absolute path names, which
in combination with long directory names means that the socket's name
exceeds the limit for Unix domain socket names (108 bytes on Linux).
This commit works around the problem on Linux by indirecting through
/proc/self/fd/<dirfd>/<basename> when names exceed the maximum that can be
used directly.
Reported-by: Hector Oron <hector.oron@gmail.com>
Reported-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reported-by: Roger Leigh <rleigh@codelibre.net>
Debian bug #602891.
Debian bug #602911.
Adding a macro to define the vlog module in use adds a level of
indirection, which makes it easier to change how the vlog module must be
defined. A followup commit needs to do that, so getting these widespread
changes out of the way first should make that commit easier to review.
The test-vconn program binds a socket to a nonspecific port number. To
add SSL support to this program, it needs to be able to use SSL, and the
stream library is the easiest way to do that. But the stream library
can't bind to a nonspecific port. This commit adds that feature, by adding
it to the function that the stream SSL library uses as a building block.
make_unix_socket() can return EAGAIN in rare circumstances, e.g. when the
server's socket listen queue is full. A lot of OVS callers interpret
EAGAIN as a "try again" error code, but in this case it means that the
attempt to create the socket failed. So munge EAGAIN into another error
code to prevent that misinterpretation.
The tcp_open_active() and tcp_open_passive() functions don't really have
any strong dependencies on TCP. With a couple of simple changes they
can be used for UDP also. Since this is useful for Netflow, this commit
does so.
Until now, tcp_open_active() and tcp_open_passive() have only been used
in situations where there is a reasonable default port, e.g. OFP_TCP_PORT.
But for NetFlow there is no universal default, so enhance these functions
so that they can require the user to specify a port explicitly.
Crossported from the 'db' branch, where this is useful for JSON-RPC, which
also has no widely known port.
Until now, setting a netflow collector to a DNS name would cause
secchan to attempt to resolve that DNS name each time that the set of
netflow collectors is re-set. For the vswitch, this is every time that
the vswitch reconfigures itself.
Unfortunately, DNS lookup within secchan cannot work as currently
implemented, because it needs both an asynchronous DNS resolver library
and in-band control updates. Currently we have neither. Attempting to
look up DNS anyway just hangs.
This commit disables DNS lookup entirely, and updates the documentation to
change user expectations. DNS still won't work, but at least it won't
hang.
Bug #1609.
The TCP and SSL vconn implementations had a lot of common code to make
and accept TCP connections, which this commit factors out into common
functions in socket-util.c.
Also adds the ability to bind ptcp and pssl vconns to a particular IP
address instead of the wildcard address.
