mirror of https://github.com/openvswitch/ovs synced 2025-08-30 05:47:55 +00:00

1150 Commits

Author SHA1 Message Date
Ben Pfaff
3fbe1d307e Make ovs-appctl easier to use and synchronize its interface with ovs-vsctl.
It is inconvenient to type the whole path to the Unix daemon socket when
using ovs-appctl.  Allow the name of the daemon to be used instead when
a pidfile exists in the default location, and contact ovs-vswitchd by
default.

Also, the various options for manipulating vlog were invented before the
general-purpose command mechanism existed.  Get rid of all of the action
options in favor of just specifying the command to be executed as
non-option arguments.

Finally, there simply wasn't much value in allowing multiple targets or
options to be specified; these variations were never used in practice.  So
simplify the interface by making it one target, one action per invocation.

Also, make ovs-vsctl use the same syntax for its --target option.

Based on work by Justin Pettit.
2009-11-09 14:46:38 -08:00
Ben Pfaff
2886875a38 Fix incorrect printf format specifiers.
GCC reported these during a 64-bit build.
2009-11-09 10:30:10 -08:00
Jean Tourrilhes
ae602adc43 Revert "ovs-ofctl: Fix use-after-free error in del-flows command."
This reverts commit cae7a4b90a55cbfd4cfd23c06f9f09cd429ab4c0.

This commit forced the user to specify an action when deleting a flow,
which is not desirable.  The change was not actually needed, as the
buffer is never passed to str_to_flow() in the original code.
2009-11-04 23:43:22 -08:00
Ben Pfaff
675febfa2f Factor out common code from utilities that multiplex commands.
An upcoming commit will add yet another such utility and the code
redundancy was getting to be a bit much.
2009-11-04 15:24:40 -08:00
Jean Tourrilhes
cae7a4b90a ovs-ofctl: Fix use-after-free error in del-flows command. 2009-11-04 13:21:07 -08:00
Ben Pfaff
d6fbec6de0 Spell verb form of "set up" correctly throughout the tree. 2009-10-26 14:41:32 -07:00
Ben Pfaff
3f355f47f8 Merge "citrix" into "master".
This merge took a little bit of care due to two issues:

    - Crossport of "interface-reconfigure" fixes from master back to
      citrix that had happened and needed to be canceled out of the merge.

    - New script "refresh-xs-network-uuids" added on citrix branch that
      needed to be moved from /root/vswitch/scripts to
      /usr/share/vswitch/scripts.
2009-10-22 17:43:28 -07:00
Ben Pfaff
4d14e30f80 ovs-vsctl: Add the ability to perform multiple operations in a single run.
CC: Ian Campbell <Ian.Campbell@citrix.com>
2009-10-16 09:42:21 -07:00
Ben Pfaff
2792c2ad6d ovs-vsctl: Refactor internals to increase flexibility.
This changes the interface of each of the command implementations, making
them take the configuration as an argument and return the output.  This
will make it easier to support alternate output formats and to execute more
than one command per invocation (both happening in upcoming commits).
2009-10-16 09:36:25 -07:00
Ben Pfaff
3d1b9636b2 ovs-vsctl: Allow bridge name to be omitted from del-port command.
The 'bridge' argument to ovs-vsctl's del-port command is only supplied as
a form of error checking.  Sometimes the name of the bridge isn't readily
available, so for such situations this commit allows the user to omit the
name of the bridge entirely.

CC: Ian Campbell <Ian.Campbell@citrix.com>
2009-10-16 09:26:22 -07:00
Ben Pfaff
37c84020e9 ovs-vsctl: Log changes to configuration file to syslog.
This feature, which has been in ovs-cfg-mod for some time as the "-c"
option, makes it much easier to see what changes ovs-vsctl actually makes
to ovs-vswitchd.conf.

CC: <Ian.Campbell@citrix.com>
2009-10-16 09:26:20 -07:00
Jean Tourrilhes
6a5d4138d6 ovs-ofctl: Fix use-after-free error in mod-flows command. 2009-10-08 10:42:14 -07:00
Ben Pfaff
576e26d7b4 Merge citrix branch into master. 2009-09-22 10:17:44 -07:00
Justin Pettit
d4260cb4ee ovs-appctl: Correct "target" option synopsis in man page
The synopsis section of the man page for ovs-appctl incorrectly stated
that the target option takes "pid" as an argument.  This commit corrects
that to say "socket".
2009-09-17 13:42:54 -07:00
Ben Pfaff
7778bd15da secchan: Better tolerate failing controller admission control in fail-open.
When the switch is configured to connect to a controller that accepts
connections, waits a few seconds, and then disconnects without setting up
flows, currently this causes "fail-open" to flush the flow table and
stop setting up new flows during the connection duration.  This is OK if
it happens once, but it can easily happen every 8 seconds with typical
backoff settings, and that isn't so great.

This commit changes fail-open to only flush the flow table once the switch
appears to have been admitted by the controller, which prevents these
frequent network interruptions.

Thanks to Jesse Gross for especially valuable feedback.

QA notes: Behavior in fail-open and especially behavior with a controller
that rejects the switch after it connects needs to be re-tested.  The
ovs-controller --mute switch added by this commit is one simple way to
create such a controller.

CC: Peter Balland <peter@nicira.com>

Bug #1695.  Bug #2055.
2009-09-16 15:12:27 -07:00
Ben Pfaff
72aa493e2f ovs-pki: Extend validity of generated CA certificates from 3 to 6 years.
Dan requested this change to make it less likely that a user encounters a
CA certificate expiring.

For the "citrix" branch instead of "master" in case a customer upgrades
(without generating new CA certificates) away from the beta.

CC: Dan Wendlandt <dan@nicira.com>
2009-09-16 14:09:29 -07:00
Ian Campbell
9d6122026b ovs-vsctl: /var/run/ovs-vswitchd.*.ctl is a Unix domain socket
Currently ovs-vsctl tries to treat /var/run/ovs-vswitchd.*.ctl as a
file/pipe when it is actually a Unix domain socket:

        # ovs-vsctl add-br TEST
        Traceback (most recent call last):
          File "/usr/bin/ovs-vsctl", line 498, in ?
            main()
          File "/usr/bin/ovs-vsctl", line 493, in main
            function(*args)
          File "/usr/bin/ovs-vsctl", line 345, in cmd_add_br
            cfg_save(cfg, VSWITCHD_CONF)
          File "/usr/bin/ovs-vsctl", line 142, in cfg_save
            cfg_reload()
          File "/usr/bin/ovs-vsctl", line 126, in cfg_reload
            f = open(target, "r+")
        IOError: [Errno 6] No such device or address: ' '
        # ls -l /var/run/ovs-vswitchd.4173.ctl
        srw------- 1 root root 0 Sep 14 12:25 /var/run/ovs-vswitchd.4173.ctl

From strace:
        open("/var/run/ovs-vswitchd.4173.ctl", O_RDWR|O_LARGEFILE) = -1 ENXIO (No such device or address)
2009-09-15 09:27:08 -07:00
Ben Pfaff
8e58fa9a79 ovs-vsctl: Add test suite, documentation for br-to-vlan, br-to-parent.
CC: Ian Campbell <Ian.Campbell@citrix.com>
2009-09-15 09:27:08 -07:00
Ian Campbell
2e44e26d10 ovs-vsctl: additional commands for querying VLAN fake bridges.
Our test automation needs to be able to validate that a VLAN bridge and
for this I needed two new operations in ovs-vsctl:
      * The ability to query the VLAN tag for a bridge.
      * The ability to query the 'parent' of a bridge. The parent is the
        non-VLAN/untagged bridge with the same physical devices and
        could be a bond.

So given xenbr0 (containing eth0) + xapi2 (VLAN 42 on eth0) and xapi1
(containing bond0 == eth2+eth3) + xapi3 (VLAN 23 on the bonded
interface):

[root@warlock ~]# ovs-vsctl br-to-vlan xapi2
42
[root@warlock ~]# ovs-vsctl br-to-vlan xapi3
23
[root@warlock ~]# ovs-vsctl br-to-parent xapi2
xenbr0
[root@warlock ~]# ovs-vsctl br-to-parent xapi3
xapi1
2009-09-14 11:27:42 -07:00
Ben Pfaff
3b135da329 New utility ovs-vsctl. 2009-09-14 10:05:13 -07:00
Ben Pfaff
8fef8c7121 Merge citrix into master.
This was a somewhat difficult merge since there was a fair amount of
superficially divergent development on the two branches, especially in the
datapath.

This has been build-tested against XenServer 5.5.0 and XenServer 5.7.0
build 15122.  It has been booted and connected to XenCenter on 5.5.0.

The merge revealed a couple of outstanding bugs, which will be fixed on
citrix and then merged back into master.
2009-08-19 13:03:46 -07:00
Justin Pettit
496d0fe536 ovs-pki: Add uniqueness to CA certs
When ovs-pki is used for CA cert generation, it generates certificates
that are identical except for the public key.  If multiple controllers are
their own certificate authorities, the switch will receive multiple CA
certs that are identical other than their key.  Unfortunately, OpenSSL
cannot distinguish between them.  This is an excerpt of the
SSL_CTX_load_verify_locations function used by vconn-ssl:

    Certificate matching is done based on the subject name, the key
    identifier (if present), and the serial number as taken from the
    certificate to be verified. If these data do not match, the next
    certificate will be tried. If a first certificate matching the
    parameters is found, the verification process will be performed; no
    other certificates for the same parameters will be searched in case of
    failure.

To work around this, we add a bit of uniqueness to each certificate.  In
this commit, we add the generation time to the subject name.  Please note
that the CN field is limited to 64 bytes, so a bit of name compression
needed to take place in order to fit the time.

Bug #1782
2009-08-13 15:58:38 -07:00
Justin Pettit
a20d2466fc ovs-pki: Add uniqueness to CA certs
When ovs-pki is used for CA cert generation, it generates certificates
that are identical except for the public key.  If multiple controllers are
their own certificate authorities, the switch will receive multiple CA
certs that are identical other than their key.  Unfortunately, OpenSSL
cannot distinguish between them.  This is an excerpt of the
SSL_CTX_load_verify_locations function used by vconn-ssl:

    Certificate matching is done based on the subject name, the key
    identifier (if present), and the serial number as taken from the
    certificate to be verified. If these data do not match, the next
    certificate will be tried. If a first certificate matching the
    parameters is found, the verification process will be performed; no
    other certificates for the same parameters will be searched in case of
    failure.

To work around this, we add a bit of uniqueness to each certificate.  In
this commit, we add the generation time to the subject name.  Please note
that the CN field is limited to 64 bytes, so a bit of name compression
needed to take place in order to fit the time.

Bug #1782
2009-08-13 15:27:19 -07:00
Justin Pettit
e7bd7d78b1 daemon: Remove short options from daemon library
The daemon library provides a few short options, but these then take
away their availability from programs that wish to use the library.
Since the daemon options are generally going to be called from a script
(which doesn't care how much typing is involved), we'll only provide
long options.
2009-08-06 18:04:36 -07:00
Justin Pettit
c4fca56af2 ovs-dpctl: Remove UNUSED attribute in do_show
The do_show() function declared the argc argument as UNUSED, but it
always is.
2009-08-06 18:04:36 -07:00
Justin Pettit
b566902b59 ovs-dpctl: Add dump-dps command
The "dump-dps" command prints the name of each datapath on a separate
line.
2009-08-06 18:04:36 -07:00
Justin Pettit
110d69af04 vswitchd: Initialize cfg properly and check return values
A previous checkin added the cfg_init() function, so we now call it.  We
also check the return value of the initial call to cfg_read(), since if
it fails, there's not much point in continuing.
2009-08-03 11:24:23 -07:00
Ben Pfaff
8b61709d5e netdev: Implement an abstract interface to network devices.
This new abstraction layer allows multiple implementations of network
devices in a single running process.  This will be useful, for example, to
support network devices that are simulated entirely in the running process
or that communicate with other processes over Unix domain sockets, etc.

The reimplemented tap device support in this commit has not been tested.
2009-07-30 16:07:14 -07:00
Justin Pettit
a5e54d9b6f Merge commit 'origin/citrix'
Conflicts:

	configure.ac
2009-07-28 22:16:50 -07:00
Ben Pfaff
2b35e1475e Do not try to resolve DNS for OpenFlow controllers or netflow collectors.
Until now, setting a netflow collector to a DNS name would cause
secchan to attempt to resolve that DNS name each time that the set of
netflow collectors is re-set.  For the vswitch, this is every time that
the vswitch reconfigures itself.

Unfortunately, DNS lookup within secchan cannot work as currently
implemented, because it needs both an asynchronous DNS resolver library
and in-band control updates.  Currently we have neither.  Attempting to
look up DNS anyway just hangs.

This commit disables DNS lookup entirely, and updates the documentation to
change user expectations.  DNS still won't work, but at least it won't
hang.

Bug #1609.
2009-07-21 09:49:57 -07:00
Ben Pfaff
3b01baa397 Merge citrix branch into master. 2009-07-16 11:54:37 -07:00
Ben Pfaff
eaa7133434 Add macros for parsing MAC addresses from strings. 2009-07-16 09:17:06 -07:00
Ben Pfaff
080ec396fd ovs-ofctl: Use 65535 instead of 0 for OFPP_CONTROLLER max_len.
OpenFlow 0.9 will change the interpretation of a max_len of 0 in an
OFPP_CONTROLLER output action from "send entire packet" to "send 0 bytes
of packet", but ovs-ofctl documents that specifying no argument or "ALL"
as the argument to a CONTROLLER output action sends the whole packet, so
we need to make that happen.
2009-07-15 13:25:11 -07:00
Justin Pettit
cae40bbd0c Fix small typo in ovs-ofctl man page. 2009-07-10 17:33:41 -07:00
Ben Pfaff
8cd4882fd5 Rename "secchan" to "ofproto" (library) and "ovs-openflowd" (program).
These names are more meaningful, so we prefer them.
2009-07-08 10:30:42 -07:00
Ben Pfaff
9ee3ae3e0d datapath: Make the datapath responsible for choosing port numbers.
Soon we will allow for multiple datapath implementations.  By allowing
the datapath to choose the port numbers, we possibly simplify some datapath
implementations, and the datapath's clients don't have to guess (or to
check) what port numbers are free, so this seems like a better way to go.
2009-07-06 09:07:24 -07:00
Ben Pfaff
bb8a9a2b0e dpif: Change dpif_port_group_get() semantics.
This function is easier for callers to use if they do not have to guess
how many ports are in the group.  Since it's not performance critical at
all, introduce these easier semantics.
2009-07-06 09:07:24 -07:00
Ben Pfaff
f7ef6533d8 dpif: Remove obsolete support for datapaths whose names begin with "nl:".
The use of "nl:" as a prefix for datapath names has been deprecated for
months.  That should be long enough for users to update their scripts.
2009-07-06 09:07:24 -07:00
Ben Pfaff
c228a3649a dpif: Hide the contents of struct dpif.
This helps prepare for multiple dpif implementations, and ensures that
code outside dpif.c does not depend on its internals.
2009-07-06 09:07:23 -07:00
Ben Pfaff
b29ba12809 dpif: Replace dpif_id() by dpif_name().
dpif_id() is often used in error messages, e.g. "dp%u: screwed up".  But
soon we will be generalizing the concept of a datapath, so it is better
to have a function that returns a full name, e.g. "%s: screwed up".
Accordingly, this commit replaces dpif_id() by a new function dpif_name()
that does so.
2009-07-06 09:07:23 -07:00
Ben Pfaff
335562c0b9 dpif: Rename dpif_get_name() to dpif_port_get_name(), update interface.
With multiple kinds of datapaths, code should not just use
"dp%u" along with dpif_minor() to print a datapath name, because not all
datapaths can sensibly be named that way.  We want to use a function
with a name like dpif_get_name() to retrieve a datapath name for printing
to the user, in which case the existing dpif_get_name() function would be
confusing.  So rename the existing one to something more explicit.
2009-07-06 09:07:23 -07:00
Justin Pettit
f30f26bef4 Remove references to Open vSwitch being a "virtual" switch
The Open vSwitch system is not limited to being a virtual switch.  This
commit removes these references.  We are now a "versatile" switch!
2009-06-23 14:18:43 -07:00
Ben Pfaff
34e63086ed Merge changes from citrix branch into master. 2009-06-15 16:04:54 -07:00
Ben Pfaff
a14bc59fb8 Update primary code license to Apache 2.0. 2009-06-15 15:11:30 -07:00
Ben Pfaff
78ff02708b vconn: Factor out common code from TCP and SSL vconns.
The TCP and SSL vconn implementations had a lot of common code to make
and accept TCP connections, which this commit factors out into common
functions in socket-util.c.

Also adds the ability to bind ptcp and pssl vconns to a particular IP
address instead of the wildcard address.
2009-06-12 17:05:51 -07:00
Ben Pfaff
12fb742b6f Don't accept unix: connections, etc. in OpenFlow controller discovery.
The controller discovery code has always had the capability to whitelist
only certain types of controller locations.  Until now, we have only taken
advantage of this when SSL is enabled (so that all OpenFlow connections are
authenticated with SSL if SSL is configured).

However, it occurs to me that making the selection of connections entirely
unrestricted is too permissive.  An attacker could make the vswitch connect
to an arbitrary Unix domain socket, for example.  I don't have a
description of how this is an exploitable security vulnerability, but it
seems entirely too lax.

So: this commit changes the default to allowing only TCP connections to
controller in the non-SSL case.
2009-06-11 13:02:33 -07:00
Ben Pfaff
e50097d233 Fix glibc 2.7 strtok_r() bug in a more permanent fashion.
The glibc 2.7 headers contain a bug that causes strtok_r() to segfault
in some circumstances.  Until now, we have been working around this
problem at each invocation, but this depends on the programmer to remember
to do so each time.

This commit instead adds a shim that adds a work-around to the string.h
header itself, so that it is much more difficult to miss the workaround.
2009-06-10 15:31:20 -07:00
Ben Pfaff
c8ab937586 ovs-pki: Improve readability of manpage. 2009-06-09 13:01:04 -07:00
Ben Pfaff
8b8308289c ovs-pki: Fix formatting errors in manpage. 2009-06-09 13:01:04 -07:00
Ben Pfaff
064af42167 Import from old repository commit 61ef2b42a9c4ba8e1600f15bb0236765edc2ad45. 2009-07-08 13:19:16 -07:00