mirror of https://github.com/openvswitch/ovs synced 2025-08-30 05:47:55 +00:00

17132 Commits

Author SHA1 Message Date
Yifeng Sun
581d3bec7b oss-fuzz: Fix memory leak in ofctl_parse_flow
If parse_ofp_flow_mod_str returns no error, ofputil_flow_mod.match
contains allocated memory that should be freed. This patch fixes it.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11343
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-15 08:26:30 -08:00
Ben Pfaff
0f3a7416b4 docs: Fix cross-references that referred to discussions that have moved.
Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-15 08:14:52 -08:00
Ben Pfaff
597177a283 pcap-file: Add support for Linux SLL formatted PCAP files.
Someone sent me one of these and OVS couldn't read it.  This fixes the
problem.

Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-15 08:14:35 -08:00
Sairam Venugopal
308a079ea9 datapath-windows: Fix invalid reference in Buffermgmt.c
OVS_BUFFER_CONTEXT gets cleared as part of NdisFreeNetBufferListContext
function call. This causes an invalid reference error.

Found while testing with driver verifier enabled.

Signed-off-by: Sairam Venugopal <vsairam@vmware.com>
Acked-by: Anand Kumar <kumaranand@vmware.com>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
2018-11-15 16:57:27 +02:00
chrone
842ffc861b faq: Fix typo in VLAN 9 configuration examples.
Fixed typo on the VLAN 9 configuration example where the device name should
be vlan9 instead of vlan0.

Signed-off-by: Charles Alva <charlesalva@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-15 06:33:22 -08:00
Ilya Maximets
6e367a2095 coding-style: Remove redundant symbols from the examples.
Some backslashes were added while converting from .md to .rst.
These symbols are printable in both pdf and html docs and
should be removed.

CC: Stephen Finucane <stephen@that.guru>
Fixes: d124a408a4bc ("doc: Convert CodingStyle to rST")
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-15 06:29:35 -08:00
Alin Gabriel Serdean
039cf7d4d9 Tests: Fix test bridge - add port after stopping controller on Windows
On Windows the file which is used for the named pipe connection (`punix:file`)
is not deleted when the process is closed.

Try to delete the `controller` file and fail if we can't (on Windows you can't
delete a file if there is still an opened handle to it).

Also add a check to see if the `ovs-testcontroller` was successfully started.

Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Acked-by: Sairam Venugopal <vsairam@vmware.com>
2018-11-15 15:29:39 +02:00
Chris Mi
262a07956f netdev-tc-offloads: Delete ufid tc mapping in the right place
Currently, the ufid tc mapping is deleted in add_ufid_tc_mapping().
But if tc_replace_flower() failed, the old ufid tc mapping will not
be deleted. If another thread adds the same tc mapping successfully,
then there will be multiple mappings for the same ifindex, handle
and prio.

Fixes: 9116730db ("netdev-tc-offloads: Add ufid to tc/netdev map")
Signed-off-by: Chris Mi <chrism@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
2018-11-13 05:23:35 -08:00
Timothy Redaelli
81b2866095 ipsec: Install ovs-monitor-ipsec in script directory
In commit d5cc46e3d185 ("ipsec: Use @PYTHON@ directly instead of
"/usr/bin/env python"") ovs-monitor-ipsec is installed in bin directory,
but it's supposed to be installed in script directory.

This commit also removes the manual copy of "ovs-monitor-ipsec" in spec file
since it's installed directly in "make install".

Fixes: d5cc46e3d185 ("ipsec: Use @PYTHON@ directly instead of "/usr/bin/env python"")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-12 08:39:17 -08:00
Timothy Redaelli
1d81117d89 gitignore: Ignore ovs-monitor-ipsec
Commit d5cc46e3d185 ("ipsec: Use @PYTHON@ directly instead of "/usr/bin/env
python"") introduced ovs-monitor-ipsec.in that generates
ovs-monitor-ipsec.

This commit adds ovs-monitor-ipsec to ipsec/.gitignore.

Fixes: d5cc46e3d185 ("ipsec: Use @PYTHON@ directly instead of "/usr/bin/env python"")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-12 08:38:51 -08:00
Timothy Redaelli
5163902527 rhel: Rename the IPsec package as openvswitch-ipsec
Currently the split package for ipsec is named
openvswitch-openvswitch-ipsec, but it should be named openvswitch-ipsec.

This commit changes the spec file in order to have the IPsec package as
openvswitch-ipsec instead of openvswitch-openvswitch-ipsec.

CC: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Fixes: bdddc715358e ("debian and rhel: Create IPsec package.")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-12 08:37:44 -08:00
Ilya Maximets
7e0240e0c3 build: Clean up ovs-monitor-ipsec.
This fixes travis distcheck:

  ERROR: files left in build directory after distclean:
  ./ipsec/ovs-monitor-ipsec
  make[1]: *** [distcleancheck] Error 1

Acked-by: Timothy Redaelli <tredaelli@redhat.com>
Fixes: d5cc46e3d185 ("ipsec: Use @PYTHON@ directly instead of "/usr/bin/env python"")
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-12 08:35:52 -08:00
Ilya Maximets
2b20cc51f4 pinctrl: Fix dp_packet structure leak.
Buffered packets are always packets created by 'dp_packet_clone_data()'
i.e. they are malloced. It's not enough to free the packet data,
dp_packet structure must be freed too. 'dp_packet_delete()' will take
care of that.

Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Fixes: d7abfe39cfd2 ("OVN: add buffering support for ip packets")
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-12 08:29:47 -08:00
Ilya Maximets
0f582e4bb1 pinctrl: Fix crash on buffered packets hmap double remove.
'destroy_buffered_packets()' removes the hmap node which was
already removed by 'HMAP_FOR_EACH_POP()' producing following
crash log:

    Invalid read of size 8
        at 0x134EDB: hmap_remove (hmap.h:287)
        by 0x134EDB: destroy_buffered_packets (pinctrl.c:237)
        by 0x13AB3B: destroy_buffered_packets_map (pinctrl.c:246)
        by 0x13AB3B: pinctrl_destroy (pinctrl.c:1804)
        by 0x12C0CF: main (ovn-controller.c:916)
    Address 0x8 is not stack'd, malloc'd or (recently) free'd

Could be captured by check-valgrind on the following test:
    '2720. ovn -- IP packet buffering'

Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Fixes: d7abfe39cfd2 ("OVN: add buffering support for ip packets")
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-12 08:27:35 -08:00
Eelco Chaudron
2d37de73c1 netdev-dpdk: Bring link down when NETDEV_UP is not set
When the netdev link flags are changed, !NETDEV_UP, the DPDK ports are not
actually going down. This is causing problems for people trying to bring
down a bond member. The bond link is no longer being used to receive or
transmit traffic, however, the other end keeps sending data as the link
remains up.

With OVS 2.6 the link was brought down, and this was changed with commit
3b1fb0779. In this commit, it's explicitly mentioned that the link down/up
DPDK APIs are not called as not all PMD devices support it.

However, this patch does call the appropriate DPDK APIs and ignores
errors due to the PMD not supporting it. PMDs not supporting this should
be fixed in DPDK upstream.

I verified this patch is working correctly using the
ovs-appctl netdev-dpdk/set-admin-state <port> {up|down} and
ovs-ofctl mod-port <bridge> <port> {up|down} commands on a XL710
and 82599ES.

Fixes: 3b1fb0779b87 ("netdev-dpdk: Don't call rte_dev_stop() in update_flags().")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Acked-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
2018-11-12 15:45:12 +00:00
Timothy Redaelli
87c7a35deb rtnetlink: Remove executable bit from rtnetlink.h
In commit 135ee7ef362f ("rtnetlink: extend parser to include kind of master and
slave") the file mode of rtnetlink.h accidentally changed from 0644 to 0755.

This commit restores the previous file mode (0644) on rtnetlink.h.

CC: John Hurley <john.hurley@netronome.com>
Fixes: 135ee7ef362f ("rtnetlink: extend parser to include kind of master and slave")
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-10 11:29:56 -08:00
Timothy Redaelli
00b82d6cc4 bond: Remove executable bit from bond.c
In commit 90061ea7d1dd ("bond: Fix LACP fallback to active-backup when recirc
is enabled.") the file mode of bond.c accidentally changed from 0644 to 0755.

This commit restores the previous file mode (0644) on bond.c.

CC: Ben Pfaff <blp@ovn.org>
Fixes: 90061ea7d1dd ("bond: Fix LACP fallback to active-backup when recirc is enabled.")
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-10 11:29:45 -08:00
Timothy Redaelli
d5cc46e3d1 ipsec: Use @PYTHON@ directly instead of "/usr/bin/env python"
Using "/usr/bin/env" is against Fedora Packaging Guidelines [1].

Moreover, in this specific case, it also prevents "make rpm-fedora" from
successfully completing on "Fedora Rawhide" since "#!/usr/bin/env python"
must not be used anymore [2].

[1] https://fedoraproject.org/wiki/Packaging:Guidelines#Shebang_lines
[2] https://fedoraproject.org/wiki/Changes/Make_ambiguous_python_shebangs_error

CC: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Fixes: 22c5eafb6efa ("ipsec: reintroduce IPsec support for tunneling")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-10 08:15:28 -08:00
Ben Pfaff
3d9ebcb153 MAINTAINERS: Add Ian Stokes.
Ian was elected by the Open vSwitch committers on Nov. 9.  Welcome to the
team, Ian!

Acked-by: Justin Pettit <jpettit@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 18:45:54 -08:00
Ben Pfaff
297a88c28d MAINTAINERS: Move Ethan to emeritus status.
Requested-by: Ethan J. Jackson <ejj@eecs.berkeley.edu>
Acked-by: Ethan J. Jackson <ejj@eecs.berkeley.edu>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 16:27:08 -08:00
Qiuyu Xiao
fcd8f561b6 Documentation: OVN RBAC and IPsec tutorial
This patch adds step-by-step guide for configuring OVN Role-Based Access
Control and IPsec.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 15:05:09 -08:00
Qiuyu Xiao
b1cc0dbac0 OVN: native support for tunnel encryption
This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
binary option to its user for encryption configuration. If the IPsec
option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
will be encrypted.

The changes are summarized as below:
1) Added an ipsec column on the NB_Global table and SB_Global table. The
value of ipsec column is propagated by ovn-northd from NB_Global to
SB_Global.

2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
value is true, ovn-controller sets options of the tunnel interface by
specifying "options:remote_name=<remote_chassis_name>". If the ipsec
value is false, ovn-controller removes these options.

3) ovs-monitor-ipsec daemon
(https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
monitors the tunnel interface options and configures IKE daemon
accordingly for IPsec encryption.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 15:03:48 -08:00
Qiuyu Xiao
7b243c3089 Documentation: IPsec tunnel tutorial and documentation.
tutorials/index.rst gives a step-by-step guide to set up OVS IPsec
tunnel.

tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel
configuration methods and forwarding modes.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Co-authored-by: Ansis Atteka <aatteka@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 15:03:48 -08:00
Qiuyu Xiao
bdddc71535 debian and rhel: Create IPsec package.
Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Co-authored-by: Ansis Atteka <aatteka@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 15:03:48 -08:00
Qiuyu Xiao
22c5eafb6e ipsec: reintroduce IPsec support for tunneling
This patch reintroduces ovs-monitor-ipsec daemon that
was previously removed by commit 2b02d770 ("openvswitch:
Allow external IPsec tunnel management.")

After this patch, there are no IPsec flavored tunnels anymore.
IPsec is enabled by setting up the right values in:
1. OVSDB:Interface:options column;
2. OVSDB:Open_vSwitch:other_config column;
3. OpenFlow pipeline.

GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and
StrongSwan IKE daemons are supported. User can choose pre-shared key,
self-signed peer certificate, or CA-signed certificate as authentication
methods.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Co-authored-by: Ansis Atteka <aatteka@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 14:45:11 -08:00
Qiuyu Xiao
d96d0b019a datapath: add transport ports in route lookup for geneve
This patch adds transport ports information for route lookup so that
IPsec can select geneve tunnel traffic to do encryption.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Tested-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 14:38:02 -08:00
Ben Pfaff
29f3e6cf65 faq: Update information on meters.
Acked-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 14:17:47 -08:00
Aaron Conole
00b8c48f6c rhel: hugetlbfs group should be added as a system group.
Reported-by: Edgar Hoch <edgar.hoch@ims.uni-stuttgart.de>
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:36:14 -08:00
Han Zhou
8fa5a2819c ofproto.c: Handle the situation when ofp_port number exhausted.
When ofp_port number is exhausted, OFPP_NONE (65535) will be
returned by alloc_ofp_port(). In this case we should error out
instead of continuing to use 65535 as port number.

Using the invalid number causes unpredictable consequences:

2018-11-06T01:29:10.042Z|142103|dpif(ovs-vswitchd)|WARN|system@ovs-system: failed to add ovn-aded97-0 as port: Device or resource busy
2018-11-06T01:29:10.045Z|142104|bridge(ovs-vswitchd)|INFO|bridge br-int: added interface ovn-aded97-0 on port 65535
2018-11-06T01:29:11.479Z|142108|ofproto(ovs-vswitchd)|WARN|br-int: cannot configure bfd on nonexistent port 65535
2018-11-06T01:29:11.479Z|142109|ofproto(ovs-vswitchd)|WARN|br-int: cannot configure LLDP on nonexistent port 65535
2018-11-06T01:29:11.479Z|142110|ofproto(ovs-vswitchd)|WARN|br-int: cannot configure datapath on nonexistent port 65535
...
2018-11-06T01:29:18.783Z|142117|bfd(ovs-vswitchd)|INFO|ovn-aded97-0: BFD state change: admin_down->down "No Diagnostic"->"No Diagnostic".
2018-11-06T01:29:18.785Z|00061|bfd(monitor82)|INFO|Interface ovn-aded97-0 remote mult value 0 changed to 3
2018-11-06T01:29:18.785Z|00062|bfd(monitor82)|INFO|ovn-aded97-0: New remote min_rx.
...
2018-11-06T01:29:18.773Z|142111|bridge(ovs-vswitchd)|INFO|bridge br-int: deleted interface ovn-aded97-0 on port 65535
...
2018-11-06T01:29:18.779Z|142115|dpif(ovs-vswitchd)|WARN|system@ovs-system: failed to add ovn-aded97-0 as port: Device or resource busy
2018-11-06T01:29:18.782Z|142116|bridge(ovs-vswitchd)|INFO|bridge br-int: added interface ovn-aded97-0 on port 65535
...
2018-11-06T01:29:18.785Z|00064|bfd(monitor82)|WARN|ovn-aded97-0: Incorrect your_disc.
...

Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:28:49 -08:00
Han Zhou
f7fc8a30f9 ofproto.c: Fix port number leaking.
When there is an error in ofport_install(), the ofp port number is
not deallocated, which leads to port number leak. For example,
when there is a redundant tunnel port added in an OVS bridge,
ovs-vswitchd will try to add the port to ofproto whenever OVSDB
changes, which would trigger the port number leak, and over the
time there won't be any port available for valid requests.

Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:23:24 -08:00
Yifeng Sun
9ce4aa8ee7 dns-resolve: Improve on handling of system DNS nameserver
This patch enables OVS on windows to read system nameserver configuration.
In addition, a new environment variable OVS_RESOLV_CONF is introduced.
If set, it can be used as DNS server configuration file. This variable
is supposed to be used for sandboxing other things. It is documented
accordingly.

Suggested-by: Ben Pfaff <blp@ovn.org>
Suggested-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:20:06 -08:00
Yifeng Sun
ba8eb43a07 dns-resolve: Stop dns resolving if no DNS server configured
DNS resolution should fail if no DNS servers are available. This
patch fixes it.

Suggested-by: Ben Pfaff <blp@ovn.org>
Suggested-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:17:53 -08:00
Yifeng Sun
e297441232 ofctl_parse_target: Avoid passing invalid ofputil_protocol to ofputil_protocol_to_ofp_version
In this test, the involved ovs functions expect valid ofputil_protocol
values. Therefore, if usable_protocols is invalid, we should return.
Otherwise, ovs will abort.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11165
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:09:55 -08:00
Yifeng Sun
ac20d3feb1 odp-util: Set a limit for nested parse_odp_key_mask_attr call
This patch puts a limit on the nested depth in flow key string to avoid
stackoverflow. An example to show this issue is a key string that contains
thousands of nested encaps. In addition, a new test is added for this fix.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11149
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:09:54 -08:00
Yifeng Sun
dc4be59890 actions: Enforce a maximum limit for nested action depth
If nested depth of actions is too deep, then the stack will be overflown
and ovs-vswitch crashes. This patch prevents this by adding a depth limit
to nested actions.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11237
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:09:50 -08:00
William Tu
da5b26ad8e faq: update the ERSPAN/GRE tunnel feature.
Add ERSPAN/GRE tunnel to datapath feature comparison table.

Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: William Tu <u9012063@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:07:57 -08:00
Darrell Ball
b50268e812 faq: Specify QoS support is dependent on interface type.
QoS support depends on interface type; document it.

Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 13:06:28 -08:00
Greg Rose
0277582178 vswitchd: Update documentation for legacy_l3 type packets
The documentation needs to specify that for GRE tunnels there is no
support for legacy_l3 type packets in the kernel datapath.

Acked-by: William Tu <u9012063@gmail.com>
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 09:30:11 -08:00
Greg Rose
d5822f4288 gre: Remove dead ipgre code
Open vSwitch uses gretap, not ipgre for gre tunneling.  Remove dead
code for ipgre type tunnels.

Acked-by: William Tu <u9012063@gmail.com>
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-09 09:30:07 -08:00
Lorenzo Bianconi
c814545b43 OVN: configure L2 address according to the used IP address
Configure L2 dynamic address according to used IPv4 address.
This patch allows to define a deterministic relationship between
L2 and L3 addresses when dynamic IPAM is used.
This patch allows to fix a possible L2/L3 address mismatch that can
occur when pods are created and destroyed at high rate [1] since if
there is no relation between MAC and IP addresses ARP cache can be
poisoned with a wrong correspondence

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1626217

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-06 07:37:23 -08:00
Lorenzo Bianconi
da6adacd78 OVN: assign new addresses at the end of build_ipam routine
Visit all ovn datapaths before adding new dynamic addresses to the
system in order to avoid possible L2 address duplication when
the same MAC address is configured on different ovn logical switches.
Current implementation can miss the duplicated address since macam
is cleared at each ovn run and there is no guarantee on visit order
of ovn datapath hash table

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-06 07:37:20 -08:00
Lorenzo Bianconi
282e535765 OVN: introduce mac_prefix support to IPAM
Add the possibility to specify a given mac address prefix for
dynamically generated mac address. Mac address prefix can be
specified in nbdb NB_Global table, options:mac_prefix=<mac_prefix>
This patch fixes a possible issue of L2 address duplication if
multiple OVN deployments share a single broadcast domain

Acked-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-06 07:35:47 -08:00
Ben Pfaff
2345de01f8 ofproto-dpif-upcall: Don't purge ukeys while in a quiescent state.
revalidator_purge() iterates and modifies umap->cmap. This should
not happen in quiescent state, because the cmap implementation is based
on rcu protected variables. Let's narrow the quiescent period
to avoid possible wrong memory accesses.

CC: Joe Stringer <joe@ovn.org>
Fixes: 9fce0584a643 ("revalidator: Use 'cmap' for storing ukeys.")
Reported-by: Ilya Maximets <i.maximets@samsung.com>
Acked-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-06 07:21:42 -08:00
Ben Pfaff
90061ea7d1 bond: Fix LACP fallback to active-backup when recirc is enabled.
Reported-by: Arun Navasivasakthivelsamy <arunkum.navasiv@nutanix.com>
Tested-by: Arun Navasivasakthivelsamy <arunkum.navasiv@nutanix.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-05 18:39:20 -08:00
Bala Sankaran
64b90b3022 checkpatch: fix typographical error
A typographical error in a prompt for missing python enchant library is
identified and fixed.

Signed-off-by: Bala Sankaran <bsankara@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-05 11:44:15 -08:00
Haishuang Yan
ba78710061 erspan: fix error handling for erspan tunnel
Upstream commit:
    commit 51dc63e3911fbb1f0a7a32da2fe56253e2040ea4
    Author: Haishuang Yan<yanhaishuang@cmss.chinamobile.com>
    Date:   Mon Sep 10 22:19:48 2018 +0800

    erspan: fix error handling for erspan tunnel

    When processing icmp unreachable message for erspan tunnel, tunnel id
    should be erspan_net_id instead of ipgre_net_id.

    Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
    Cc: William Tu<u9012063@gmail.com>
    Signed-off-by: Haishuang Yan<yanhaishuang@cmss.chinamobile.com>
    Acked-by: William Tu<u9012063@gmail.com>
    Signed-off-by: David S. Miller<davem@davemloft.net>

Fixes: 8e53509c ("gre: introduce native tunnel support for ERSPAN")
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-05 11:27:44 -08:00
Ben Pfaff
fe62a88f5e ovn-northd: Always set nat_addresses and options in Port_Binding.
In some cases the code didn't set these columns.

Found by inspection.

Acked-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-05 07:37:01 -08:00
Yifeng Sun
2d3deb58df odp-util: Validate close-brace in scan_geneve and fix return values of san_xxx functions
This patch adds validation of close-braces in scan_geneve. A simple
example is "set(encap(tunnel(geneve({{))))". When scan_geneve returns,
(struct geneve_scan *key)->len equals 2*sizeof(struct geneve_opt).
That seems not correct.

Found this issue while inspecting oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11153.

In addition, SCAN_TYPE expects scan_XXX functions to return 0
on errors. This patch inspects all related scan_XXX functions
and fixes their return values.

Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-05 07:13:17 -08:00
Numan Siddique
f31b8ae7a7 ovn-nbctl: Fix the ovn-nbctl test "LBs - daemon" which fails during rpm build
When 'make check' is called by the mock rpm build (which disables networking),
the test "ovn-nbctl: LBs - daemon" fails when it runs the command
"ovn-nbctl lb-add lb0 30.0.0.1a 192.168.10.10:80,192.168.10.20:80". ovn-nbctl
extracts the vip by calling the socket util function 'inet_parse_active()',
and this function blocks when libunbound function ub_resolve() is called
further down. ub_resolve() is a blocking function without timeout and all the
ovs/ovn utilities use this function.

As reported by Timothy Redaelli, the issue can also be reproduced by running
the below commands

$ sudo unshare -mn -- sh -c 'ip addr add dev lo 127.0.0.1 && \
  mount --bind /dev/null /etc/resolv.conf && runuser $SUDO_USER'
$ make sandbox SANDBOXFLAGS="--ovn"
$ ovn-nbctl -vsocket_util:off lb-add lb0 30.0.0.1a \
  192.168.10.10:80,192.168.10.20:80

To address this issue, this patch adds a new bool argument 'resolve_host' to
the function inet_parse_active() to resolve the host only if it is 'true'.

ovn-nbctl/ovn-northd will pass 'false' when it calls this function to parse
the load balancer values.

Reported-by: Timothy Redaelli <tredaelli@redhat.com>
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1641672
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-05 07:11:10 -08:00
Zak Whittington
df514c62b6 documentation: man vswitchd.conf.db(5) updated flow-restore-wait
Commit 7ed73428a changed the behavior of flow-restore-wait to
also prevent the switch from connecting to controllers in the
controller table, but failed to update the man page documentation
generated by vswitchd/vswitch.xml to reflect this.

This commit adds that documentation.

Signed-off-by: Zak Whittington <zwhitt.vmware@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
2018-11-02 16:17:33 -07:00