- python-sphinx
- libelf-dev
- selinux-policy-dev
+ - libunbound-dev
+ - libunbound-dev:i386
before_install: ./.travis/${TRAVIS_OS_NAME}-prepare.sh
- Python 2.7. You must also have the Python ``six`` library version 1.4.0
or later.
+- Unbound library, from http://www.unbound.net, is optional but recommended if
+ you want to enable ovs-vswitchd and other utilities to use DNS names when
+ specifying OpenFlow and OVSDB remotes. If unbound library is already
+ installed, then Open vSwitch will automatically build with support for it.
On Linux, you may choose to compile the kernel module that comes with the Open
vSwitch distribution or to use the kernel module built into the Linux kernel
OVSDB supports the following active connection methods:
- The specified SSL or TLS <port> on the host at the given <ip>.
+ The specified SSL or TLS <port> on the given <host>.
- The specified TCP <port> on the host at the given <ip>.
+ The specified TCP <port> on the given <host>.
unix:<file>
On Unix-like systems, connect to the Unix domain server socket named
IPv6 address, wrap it in square brackets, e.g. ``ssl:[::1]:6640``. Passive
IP-based connection methods by default listen for IPv4 connections only; use
``[::]`` as the address to accept both IPv4 and IPv6 connections,
-e.g. ``pssl:6640:[::]``. DNS names are not accepted. On Linux, use
-``%<device>`` to designate a scope for IPv6 link-level addresses,
-e.g. ``ssl:[fe80::1234%eth0]:6653``.
+e.g. ``pssl:6640:[::]``. DNS names are also accepted if built with unbound
+library. On Linux, use ``%<device>`` to designate a scope for IPv6 link-level
+addresses, e.g. ``ssl:[fe80::1234%eth0]:6653``.
The <port> may be omitted from connection methods that use a port number. The
default <port> for TCP-based connection methods is 6640, e.g. ``pssl:`` is
Post-v2.9.0
--------------------
+ - ovs-vswitchd and utilities now support DNS names in OpenFlow and
+ OVSDB remotes.
- ovs-vswitchd:
* New options --l7 and --l7-len to "ofproto/trace" command.
* Previous versions gave OpenFlow tables default names of the form
OVS_LIBTOOL_VERSIONS
OVS_CHECK_CXX
AX_FUNC_POSIX_MEMALIGN
+OVS_CHECK_UNBOUND
OVS_CHECK_INCLUDE_NEXT([stdio.h string.h])
AC_CONFIG_FILES([
python-all (>= 2.7),
python-twisted-conch,
python-zopeinterface,
- python-six
+ python-six,
+ libunbound-dev
Standards-Version: 3.9.3
Homepage: http://openvswitch.org/
Depends:
libopenvswitch (>= ${binary:Version}),
libssl-dev,
+ libunbound-dev,
${misc:Depends}
Conflicts: openvswitch-dev
Replaces: openvswitch-dev
lib_libopenvswitch_la_SOURCES += lib/stream-nossl.c
endif
+lib_libopenvswitch_la_SOURCES += lib/dns-resolve.h
+if HAVE_UNBOUND
+lib_libopenvswitch_la_SOURCES += lib/dns-resolve.c
+else
+lib_libopenvswitch_la_SOURCES += lib/dns-resolve-stub.c
+endif
+
pkgconfig_DATA += \
lib/libopenvswitch.pc \
lib/libsflow.pc
--- /dev/null
+/*
+ * Copyright (c) 2017, 2018 Nicira, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <config.h>
+#include "dns-resolve.h"
+#include "compiler.h"
+
+void
+dns_resolve_init(void)
+{
+}
+
+bool
+dns_resolve(const char *name OVS_UNUSED, char **addr)
+{
+ *addr = NULL;
+ return false;
+}
+
+void
+dns_resolve_destroy(void)
+{
+}
--- /dev/null
+/*
+ * Copyright (c) 2017, 2018 Nicira, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <config.h>
+#include "dns-resolve.h"
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <errno.h>
+#include <string.h>
+#include <unbound.h>
+#include "hash.h"
+#include "openvswitch/hmap.h"
+#include "openvswitch/vlog.h"
+#include "timeval.h"
+
+VLOG_DEFINE_THIS_MODULE(dns_resolve);
+
+/* Guard all_reqs__ and resolve_state of each request. */
+static struct ovs_mutex dns_mutex__ = OVS_MUTEX_INITIALIZER;
+static struct hmap all_reqs__;
+static struct ub_ctx *ub_ctx__;
+
+static bool thread_is_daemon;
+
+static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+
+enum resolve_state {
+ RESOLVE_INVALID,
+ RESOLVE_PENDING,
+ RESOLVE_GOOD,
+ RESOLVE_ERROR
+};
+
+struct resolve_request {
+ struct hmap_node hmap_node; /* node for all_reqs__ */
+ char *name; /* the domain name to be resolved */
+ char *addr; /* the resolved ip address */
+ enum resolve_state state; /* state of this request */
+ time_t time; /* resolving time */
+ struct ub_result *ub_result; /* the stored unbound result */
+};
+
+static struct resolve_request *resolve_find_or_new__(const char *name)
+ OVS_REQUIRES(dns_mutex__);
+static bool resolve_check_expire__(struct resolve_request *req)
+ OVS_REQUIRES(dns_mutex__);
+static bool resolve_check_valid__(struct resolve_request *req)
+ OVS_REQUIRES(dns_mutex__);
+static bool resolve_async__(struct resolve_request *req, int qtype)
+ OVS_REQUIRES(dns_mutex__);
+static void resolve_callback__(void *req, int err, struct ub_result *)
+ OVS_REQUIRES(dns_mutex__);
+static bool resolve_result_to_addr__(struct ub_result *result, char **addr);
+static bool dns_resolve_sync__(const char *name, char **addr);
+
+/* Pass a true 'is_daemon' if you don't want the DNS-resolving to block the
+ * running thread.
+ */
+void
+dns_resolve_init(bool is_daemon)
+{
+ ub_ctx__ = ub_ctx_create();
+ if (ub_ctx__ == NULL) {
+ VLOG_ERR_RL(&rl, "Failed to create libunbound context, "
+ "so asynchronous DNS resolving is disabled.");
+ return;
+ }
+
+ int retval;
+#ifdef __linux__
+ retval = ub_ctx_resolvconf(ub_ctx__, "/etc/resolv.conf");
+ if (retval != 0) {
+ VLOG_WARN_RL(&rl, "Failed to read /etc/resolv.conf: %s",
+ ub_strerror(retval));
+ }
+#endif
+
+ /* Handles '/etc/hosts' on Linux and 'WINDIR/etc/hosts' on Windows. */
+ retval = ub_ctx_hosts(ub_ctx__, NULL);
+ if (retval != 0) {
+ VLOG_WARN_RL(&rl, "Failed to read etc/hosts: %s",
+ ub_strerror(retval));
+ }
+
+ ub_ctx_async(ub_ctx__, true);
+ hmap_init(&all_reqs__);
+ thread_is_daemon = is_daemon;
+}
+
+/* Returns true on success. Otherwise, returns false and the error information
+ * can be found in logs. If there is no error information, then the resolving
+ * is in process and the caller should call again later. The value of '*addr'
+ * is always nullified if false is returned. If this function is called under
+ * daemon-context, the resolving will undergo asynchronously. Otherwise, a
+ * synchronouse resolving will take place.
+ *
+ * This function is thread-safe.
+ *
+ * The caller is responsible for freeing the returned '*addr'.
+ */
+bool
+dns_resolve(const char *name, char **addr)
+ OVS_EXCLUDED(dns_mutex__)
+{
+ bool success = false;
+
+ if (!thread_is_daemon) {
+ return dns_resolve_sync__(name, addr);
+ }
+
+ *addr = NULL;
+ ovs_mutex_lock(&dns_mutex__);
+
+ if (ub_ctx__ == NULL) {
+ goto unlock;
+ }
+
+ /* ub_process is inside lock as it invokes resolve_callback__. */
+ int retval = ub_process(ub_ctx__);
+ if (retval != 0) {
+ VLOG_ERR_RL(&rl, "dns-resolve error: %s", ub_strerror(retval));
+ goto unlock;
+ }
+
+ struct resolve_request *req;
+ req = resolve_find_or_new__(name);
+ if (resolve_check_valid__(req)) {
+ *addr = xstrdup(req->addr);
+ success = true;
+ } else if (req->state != RESOLVE_PENDING) {
+ success = resolve_async__(req, ns_t_a);
+ }
+unlock:
+ ovs_mutex_unlock(&dns_mutex__);
+ return success;
+}
+
+void
+dns_resolve_destroy(void)
+{
+ if (ub_ctx__ != NULL) {
+ /* Outstanding requests will be killed. */
+ ub_ctx_delete(ub_ctx__);
+ ub_ctx__ = NULL;
+
+ struct resolve_request *req;
+ HMAP_FOR_EACH(req, hmap_node, &all_reqs__) {
+ ub_resolve_free(req->ub_result);
+ free(req->addr);
+ free(req->name);
+ free(req);
+ }
+ hmap_destroy(&all_reqs__);
+ }
+}
+
+static struct resolve_request *
+resolve_find_or_new__(const char *name)
+ OVS_REQUIRES(dns_mutex__)
+{
+ struct resolve_request *req;
+
+ HMAP_FOR_EACH_IN_BUCKET(req, hmap_node, hash_string(name, 0),
+ &all_reqs__) {
+ if (!strcmp(name, req->name)) {
+ return req;
+ }
+ }
+
+ req = xzalloc(sizeof *req);
+ req->name = xstrdup(name);
+ req->state = RESOLVE_INVALID;
+ hmap_insert(&all_reqs__, &req->hmap_node, hash_string(req->name, 0));
+ return req;
+}
+
+static bool
+resolve_check_expire__(struct resolve_request *req)
+ OVS_REQUIRES(dns_mutex__)
+{
+ return time_now() > req->time + req->ub_result->ttl;
+}
+
+static bool
+resolve_check_valid__(struct resolve_request *req)
+ OVS_REQUIRES(dns_mutex__)
+{
+ return (req != NULL
+ && req->state == RESOLVE_GOOD
+ && !resolve_check_expire__(req));
+}
+
+static bool
+resolve_async__(struct resolve_request *req, int qtype)
+ OVS_REQUIRES(dns_mutex__)
+{
+ if (qtype == ns_t_a || qtype == ns_t_aaaa) {
+ int retval;
+ retval = ub_resolve_async(ub_ctx__, req->name,
+ qtype, ns_c_in, req,
+ resolve_callback__, NULL);
+ if (retval != 0) {
+ req->state = RESOLVE_ERROR;
+ return false;
+ } else {
+ req->state = RESOLVE_PENDING;
+ return true;
+ }
+ }
+ return false;
+}
+
+static void
+resolve_callback__(void *req_, int err, struct ub_result *result)
+ OVS_REQUIRES(dns_mutex__)
+{
+ struct resolve_request *req = req_;
+
+ if (err != 0 || (result->qtype == ns_t_aaaa && !result->havedata)) {
+ req->state = RESOLVE_ERROR;
+ VLOG_ERR_RL(&rl, "%s: failed to resolve", req->name);
+ return;
+ }
+
+ /* IPv4 address is empty, try IPv6. */
+ if (result->qtype == ns_t_a && !result->havedata) {
+ ub_resolve_free(result);
+ resolve_async__(req, ns_t_aaaa);
+ return;
+ }
+
+ char *addr;
+ if (!resolve_result_to_addr__(result, &addr)) {
+ req->state = RESOLVE_ERROR;
+ VLOG_ERR_RL(&rl, "%s: failed to resolve", req->name);
+ return;
+ }
+
+ ub_resolve_free(req->ub_result);
+ free(req->addr);
+
+ req->ub_result = result;
+ req->addr = addr;
+ req->state = RESOLVE_GOOD;
+ req->time = time_now();
+}
+
+static bool
+resolve_result_to_addr__(struct ub_result *result, char **addr)
+{
+ int af = result->qtype == ns_t_a ? AF_INET : AF_INET6;
+ char buffer[INET6_ADDRSTRLEN];
+
+ /* XXX: only the first returned IP is used. */
+ if (inet_ntop(af, result->data[0], buffer, sizeof buffer)) {
+ *addr = xstrdup(buffer);
+ } else {
+ *addr = NULL;
+ }
+
+ return (*addr != NULL);
+}
+
+static bool
+dns_resolve_sync__(const char *name, char **addr)
+{
+ *addr = NULL;
+
+ if (ub_ctx__ == NULL) {
+ dns_resolve_init(false);
+ if (ub_ctx__ == NULL) {
+ return false;
+ }
+ }
+
+ struct ub_result *result;
+ int retval = ub_resolve(ub_ctx__, name, ns_t_a, ns_c_in, &result);
+ if (retval != 0) {
+ return false;
+ } else if (!result->havedata) {
+ ub_resolve_free(result);
+
+ retval = ub_resolve(ub_ctx__, name, ns_t_aaaa, ns_c_in, &result);
+ if (retval != 0) {
+ return false;
+ } else if (!result->havedata) {
+ ub_resolve_free(result);
+ return false;
+ }
+ }
+
+ bool success = resolve_result_to_addr__(result, addr);
+ ub_resolve_free(result);
+ return success;
+}
--- /dev/null
+/*
+ * Copyright (c) 2017, 2018 Nicira, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef DNS_RESOLVE_H
+#define DNS_RESOLVE_H 1
+
+#include <stdbool.h>
+
+void dns_resolve_init(bool is_daemon);
+bool dns_resolve(const char *name, char **addr);
+void dns_resolve_destroy(void);
+
+#endif /* dns-resolve.h */
#include "netlink-protocol.h"
#include "netlink-socket.h"
#endif
+#include "dns-resolve.h"
VLOG_DEFINE_THIS_MODULE(socket_util);
static struct sockaddr_in *sin_cast(const struct sockaddr *);
static struct sockaddr_in6 *sin6_cast(const struct sockaddr *);
static const struct sockaddr *sa_cast(const struct sockaddr_storage *);
+static bool parse_sockaddr_components(struct sockaddr_storage *ss,
+ char *host_s,
+ const char *port_s,
+ uint16_t default_port,
+ const char *s,
+ bool resolve_host);
/* Sets 'fd' to non-blocking mode. Returns 0 if successful, otherwise a
* positive errno value. */
inet_parse_tokens__(s, 1, hostp, portp);
}
+static bool
+parse_sockaddr_components_dns(struct sockaddr_storage *ss OVS_UNUSED,
+ char *host_s,
+ const char *port_s OVS_UNUSED,
+ uint16_t default_port OVS_UNUSED,
+ const char *s OVS_UNUSED)
+{
+ char *tmp_host_s;
+
+ dns_resolve(host_s, &tmp_host_s);
+ if (tmp_host_s != NULL) {
+ parse_sockaddr_components(ss, tmp_host_s, port_s,
+ default_port, s, false);
+ free(tmp_host_s);
+ return true;
+ }
+ return false;
+}
+
static bool
parse_sockaddr_components(struct sockaddr_storage *ss,
char *host_s,
const char *port_s, uint16_t default_port,
- const char *s)
+ const char *s,
+ bool resolve_host)
{
struct sockaddr_in *sin = sin_cast(sa_cast(ss));
int port;
sin6->sin6_family = AF_INET6;
sin6->sin6_port = htons(port);
if (!addr || !*addr || !ipv6_parse(addr, &sin6->sin6_addr)) {
- VLOG_ERR("%s: bad IPv6 address \"%s\"", s, addr ? addr : "");
goto exit;
}
sin->sin_family = AF_INET;
sin->sin_port = htons(port);
if (host_s && !ip_parse(host_s, &sin->sin_addr.s_addr)) {
- VLOG_ERR("%s: bad IPv4 address \"%s\"", s, host_s);
- goto exit;
+ goto resolve;
}
}
return true;
+resolve:
+ if (resolve_host && parse_sockaddr_components_dns(ss, host_s, port_s,
+ default_port, s)) {
+ return true;
+ } else if (!resolve_host) {
+ VLOG_ERR("%s: bad IP address \"%s\"", s, host_s);
+ }
exit:
memset(ss, 0, sizeof *ss);
return false;
VLOG_ERR("%s: port must be specified", target_);
ok = false;
} else {
- ok = parse_sockaddr_components(ss, host, port, default_port, target_);
+ ok = parse_sockaddr_components(ss, host, port, default_port,
+ target_, true);
}
if (!ok) {
memset(ss, 0, sizeof *ss);
VLOG_ERR("%s: port must be specified", target_);
ok = false;
} else {
- ok = parse_sockaddr_components(ss, host, port, default_port, target_);
+ ok = parse_sockaddr_components(ss, host, port, default_port,
+ target_, true);
}
if (!ok) {
memset(ss, 0, sizeof *ss);
{
char *target = xstrdup(target_);
char *host = unbracket(target);
- bool ok = parse_sockaddr_components(ss, host, NULL, 0, target_);
+ bool ok = parse_sockaddr_components(ss, host, NULL, 0, target_, false);
if (!ok) {
memset(ss, 0, sizeof *ss);
}
printf("\n");
if (active) {
printf("Active %s connection methods:\n", name);
- printf(" tcp:IP:PORT "
- "PORT at remote IP\n");
+ printf(" tcp:HOST:PORT "
+ "PORT at remote HOST\n");
#ifdef HAVE_OPENSSL
- printf(" ssl:IP:PORT "
- "SSL PORT at remote IP\n");
+ printf(" ssl:HOST:PORT "
+ "SSL PORT at remote HOST\n");
#endif
printf(" unix:FILE "
"Unix domain socket named FILE\n");
-.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]"
-.IQ "\fBtcp:\fIip\fR[\fB:\fIport\fR]"
-The specified \fIport\fR on the host at the given \fIip\fR, which must
-be expressed as an IP address (not a DNS name) in IPv4 or IPv6 address
-format. Wrap IPv6 addresses in square brackets,
-e.g. \fBtcp:[::1]:6653\fR. On Linux, use \fB%\fIdevice\fR to
-designate a scope for IPv6 link-level addresses,
+.IP "\fBssl:\fIhost\fR[\fB:\fIport\fR]"
+.IQ "\fBtcp:\fIhost\fR[\fB:\fIport\fR]"
+The specified \fIport\fR on the given \fIhost\fR, which can
+be expressed either as a DNS name (if built with unbound library)
+or an IP address in IPv4 or IPv6 address format. Wrap IPv6 addresses
+in square brackets, e.g. \fBtcp:[::1]:6653\fR. On Linux, use
+\fB%\fIdevice\fR to designate a scope for IPv6 link-level addresses,
e.g. \fBtcp:[fe80::1234%eth0]:6653\fR. For \fBssl\fR, the
\fB\-\-private\-key\fR, \fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR
options are mandatory.
-.IP "\fBpssl:\fR[\fIport\fR][\fB:\fIip\fR]"
-.IQ "\fBptcp:\fR[\fIport\fR][\fB:\fIip\fR]"
+.IP "\fBpssl:\fR[\fIport\fR][\fB:\fIhost\fR]"
+.IQ "\fBptcp:\fR[\fIport\fR][\fB:\fIhost\fR]"
Listens for OpenFlow connections on \fIport\fR. The default
\fIport\fR is 6653. By default, connections are allowed from any IPv4
-address. Specify \fIip\fR as an IPv4 address or a bracketed IPv6
+address. Specify \fIhost\fR as an IPv4 address or a bracketed IPv6
address (e.g. \fBptcp:6653:[::1]\fR). On Linux, use \fB%\fIdevice\fR
to designate a scope for IPv6 link-level addresses,
-e.g. \fBptcp:6653:[fe80::1234%eth0]\fR. DNS names may
-not be used. For \fBpssl\fR, the
+e.g. \fBptcp:6653:[fe80::1234%eth0]\fR. DNS names can
+be used if built with unbound library. For \fBpssl\fR, the
\fB\-\-private\-key\fR,\fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR
options are mandatory.
.IP
printf("\n");
if (active) {
printf("Active OpenFlow connection methods:\n");
- printf(" tcp:IP[:PORT] "
- "PORT (default: %d) at remote IP\n", OFP_PORT);
+ printf(" tcp:HOST[:PORT] "
+ "PORT (default: %d) at remote HOST\n", OFP_PORT);
#ifdef HAVE_OPENSSL
- printf(" ssl:IP[:PORT] "
- "SSL PORT (default: %d) at remote IP\n", OFP_PORT);
+ printf(" ssl:HOST[:PORT] "
+ "SSL PORT (default: %d) at remote HOST\n", OFP_PORT);
#endif
printf(" unix:FILE Unix domain socket named FILE\n");
}
enable_cxx=false
fi
AM_CONDITIONAL([HAVE_CXX], [$enable_cxx])])
+
+dnl Checks for unbound library.
+AC_DEFUN([OVS_CHECK_UNBOUND],
+ [AC_CHECK_LIB(unbound, ub_ctx_create, [HAVE_UNBOUND=yes])
+ if test "$HAVE_UNBOUND" = yes; then
+ AC_DEFINE([HAVE_UNBOUND], [1], [Define to 1 if unbound is detected.])
+ LIBS="$LIBS -lunbound"
+ fi
+ AM_CONDITIONAL([HAVE_UNBOUND], [test "$HAVE_UNBOUND" = yes])
+ AC_SUBST([HAVE_UNBOUND])])
<ul>
<li>
<p>
- <code>ssl:<var>ip</var>:<var>port</var></code>
+ <code>ssl:<var>host</var>:<var>port</var></code>
</p>
<p>
- The specified SSL <var>port</var> on the host at the given
- <var>ip</var>, which must be expressed as an IP address (not a DNS
- name) in IPv4 or IPv6 address format. If <var>ip</var> is an IPv6
- address, then wrap <var>ip</var> with square brackets, e.g.:
- <code>ssl:[::1]:6640</code>. The <code>--private-key</code>,
- <code>--certificate</code> and either of <code>--ca-cert</code>
- or <code>--bootstrap-ca-cert</code> options are mandatory when this
- form is used.
+ The specified SSL <var>port</var> on the give <var>host</var>, which
+ can either be a DNS name (if built with unbound library) or an IP
+ address (IPv4 or IPv6). If <var>host</var> is an IPv6 address, then
+ wrap <var>host</var> with square brackets, e.g.: <code>ssl:[::1]:6640</code>.
+ The <code>--private-key</code>, <code>--certificate</code> and either
+ of <code>--ca-cert</code> or <code>--bootstrap-ca-cert</code> options
+ are mandatory when this form is used.
</p>
</li>
<li>
<p>
- <code>tcp:<var>ip</var>:<var>port</var></code>
+ <code>tcp:<var>host</var>:<var>port</var></code>
</p>
<p>
- Connect to the given TCP <var>port</var> on <var>ip</var>, where
- <var>ip</var> can be IPv4 or IPv6 address. If <var>ip</var> is an
- IPv6 address, then wrap <var>ip</var> with square brackets, e.g.:
- <code>tcp:[::1]:6640</code>.
+ Connect to the given TCP <var>port</var> on <var>host</var>, where
+ <var>host</var> can be a DNS name (if built with unbound library) or
+ IP address (IPv4 or IPv6). If <var>host</var> is an IPv6 address,
+ then wrap <var>host</var> with square brackets,
+ e.g.: <code>tcp:[::1]:6640</code>.
</p>
</li>
<li>
The following connection methods are currently supported:
</p>
<dl>
- <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified SSL <var>port</var> on the host at the given
- <var>ip</var>, which must be expressed as an IP address
- (not a DNS name). A valid SSL configuration must be provided
- when this form is used, this configuration can be specified
- via command-line options or the <ref table="SSL"/> table.
+ <var>host</var>, which can either be a DNS name (if built with
+ unbound library) or an IP address. A valid SSL configuration must
+ be provided when this form is used, this configuration can be
+ specified via command-line options or the <ref table="SSL"/> table.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
- <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified TCP <var>port</var> on the host at the given
- <var>ip</var>, which must be expressed as an IP address (not a
- DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
- <var>ip</var> is an IPv6 address, wrap it in square brackets,
- e.g. <code>tcp:[::1]:6640</code>.
+ <var>host</var>, which can either be a DNS name (if built with
+ unbound library) or an IP address. If <var>host</var> is an IPv6
+ address, wrap it in square brackets, e.g. <code>tcp:[::1]:6640</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
- <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
- choose an available port. If <var>ip</var>, which must be
- expressed as an IP address (not a DNS name), is specified, then
- connections are restricted to the specified local IP address
- (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
- address, wrap in square brackets,
- e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
+ choose an available port. If <var>host</var>, which can either
+ be a DNS name (if built with unbound library) or an IP address,
+ is specified, then connections are restricted to the resolved or
+ specified local IPaddress (either IPv4 or IPv6 address). If
+ <var>host</var> is an IPv6 address, wrap in square brackets,
+ e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses.
A valid SSL configuration must be provided when this form is used,
this can be specified either via command-line options or the
part of Open vSwitch.
</p>
</dd>
- <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
- choose an available port. If <var>ip</var>, which must be
- expressed as an IP address (not a DNS name), is specified, then
- connections are restricted to the specified local IP address
- (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
- address, wrap it in square brackets,
- e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
+ choose an available port. If <var>host</var>, which can either
+ be a DNS name (if built with unbound library) or an IP address,
+ is specified, then connections are restricted to the resolved or
+ specified local IP address (either IPv4 or IPv6 address). If
+ <var>host</var> is an IPv6 address, wrap it in square brackets,
+ e.g. <code>ptcp:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 addresses.
</p>
<p>
The following connection methods are currently supported:
</p>
<dl>
- <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
- The specified SSL <var>port</var> on the host at the given
- <var>ip</var>, which must be expressed as an IP address
- (not a DNS name). A valid SSL configuration must be provided
- when this form is used, this configuration can be specified
- via command-line options or the <ref table="SSL"/> table.
+ The specified SSL <var>port</var> on the given <var>host</var>,
+ which can either be a DNS name (if built with unbound library) or
+ an IP address. A valid SSL configuration must be provided when
+ this form is used, this configuration can be specified via
+ command-line options or the <ref table="SSL"/> table.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
- <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
- The specified TCP <var>port</var> on the host at the given
- <var>ip</var>, which must be expressed as an IP address (not a
- DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
- <var>ip</var> is an IPv6 address, wrap it in square brackets,
- e.g. <code>tcp:[::1]:6640</code>.
+ The specified TCP <var>port</var> on the given <var>host</var>,
+ which can either be a DNS name (if built with unbound library) or
+ an IP address (IPv4 or IPv6). If <var>host</var> is an IPv6
+ address, wrap it in square brackets, e.g. <code>tcp:[::1]:6640</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
- <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
- choose an available port. If <var>ip</var>, which must be
- expressed as an IP address (not a DNS name), is specified, then
- connections are restricted to the specified local IP address
- (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
- address, wrap in square brackets,
- e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
+ choose an available port. If <var>host</var>, which can either
+ be a DNS name (if built with unbound library) or an IP address,
+ is specified, then connections are restricted to the resolved or
+ specified local IP address (either IPv4 or IPv6 address). If
+ <var>host</var> is an IPv6 address, wrap in square brackets,
+ e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses.
A valid SSL configuration must be provided when this form is used,
this can be specified either via command-line options or the
part of Open vSwitch.
</p>
</dd>
- <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
- choose an available port. If <var>ip</var>, which must be
- expressed as an IP address (not a DNS name), is specified, then
- connections are restricted to the specified local IP address
- (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
- address, wrap it in square brackets,
- e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
+ choose an available port. If <var>host</var>, which can either
+ be a DNS name (if built with unbound library) or an IP address,
+ is specified, then connections are restricted to the resolved or
+ specified local IP address (either IPv4 or IPv6 address). If
+ <var>host</var> is an IPv6 address, wrap it in square brackets,
+ e.g. <code>ptcp:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 addresses.
</p>
<p>
return """
Active %s connection methods:
unix:FILE Unix domain socket named FILE
- tcp:IP:PORT TCP socket to IP with port no of PORT
- ssl:IP:PORT SSL socket to IP with port no of PORT
+ tcp:HOST:PORT TCP socket to HOST with port no of PORT
+ ssl:HOST:PORT SSL socket to HOST with port no of PORT
Passive %s connection methods:
punix:FILE Listen on Unix domain socket FILE""" % (name, name)
BuildRequires: dpdk-devel >= 17.05.1
Provides: %{name}-dpdk = %{version}-%{release}
%endif
+BuildRequires: unbound unbound-devel
-Requires: openssl hostname iproute module-init-tools
+Requires: openssl hostname iproute module-init-tools unbound
#Upstream kernel commit 4f647e0a3c37b8d5086214128614a136064110c3
#Requires: kernel >= 3.15.0-0
BuildRequires: checkpolicy, selinux-policy-devel
BuildRequires: autoconf, automake, libtool
BuildRequires: python-sphinx
+BuildRequires: unbound-devel
%bcond_without check
%bcond_with check_datapath_kernel
#include "openvswitch/vconn.h"
#include "openvswitch/vlog.h"
#include "lib/vswitch-idl.h"
+#include "lib/dns-resolve.h"
VLOG_DEFINE_THIS_MODULE(vswitchd);
set_program_name(argv[0]);
ovsthread_id_init();
+ dns_resolve_init(true);
ovs_cmdl_proctitle_init(argc, argv);
service_start(&argc, &argv);
remote = parse_options(argc, argv, &unixctl_path);
service_stop();
vlog_disable_async();
ovsrcu_exit();
+ dns_resolve_destroy();
return 0;
}
controllers:
</p>
<dl>
- <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>The specified SSL <var>port</var> on the host at the
- given <var>ip</var>, which must be expressed as an IP
- address (not a DNS name). The <ref table="Open_vSwitch"
- column="ssl"/> column in the <ref table="Open_vSwitch"/>
- table must point to a valid SSL configuration when this form
- is used.</p>
+ given <var>host</var>, which can either be a DNS name (if built
+ with unbound library) or an IP address. The <ref table="Open_vSwitch"
+ column="ssl"/> column in the <ref table="Open_vSwitch"/> table must
+ point to a valid SSL configuration when this form is used.</p>
<p>If <var>port</var> is not specified, it defaults to 6653.</p>
<p>SSL support is an optional feature that is not always built as
part of Open vSwitch.</p>
</dd>
- <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified TCP <var>port</var> on the host at the given
- <var>ip</var>, which must be expressed as an IP address (not a
- DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
- <var>ip</var> is an IPv6 address, wrap it in square brackets,
- e.g. <code>tcp:[::1]:6653</code>.
+ <var>host</var>, which can either be a DNS name (if built with
+ unbound library) or an IP address (IPv4 or IPv6). If <var>host</var>
+ is an IPv6 address, wrap it in square brackets, e.g.
+ <code>tcp:[::1]:6653</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6653.
controllers:
</p>
<dl>
- <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
- If <var>ip</var>, which must be expressed as an IP address (not a
- DNS name), is specified, then connections are restricted to the
- specified local IP address (either IPv4 or IPv6). If
- <var>ip</var> is an IPv6 address, wrap it in square brackets,
- e.g. <code>pssl:6653:[::1]</code>.
+ If <var>host</var>, which can either be a DNS name (if built with
+ unbound library) or an IP address, is specified, then connections
+ are restricted to the resolved or specified local IP address
+ (either IPv4 or IPv6). If <var>host</var> is an IPv6 address,
+ wrap it in square brackets, e.g. <code>pssl:6653:[::1]</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to
- 6653. If <var>ip</var> is not specified then it listens only on
+ 6653. If <var>host</var> is not specified then it listens only on
IPv4 (but not IPv6) addresses. The
<ref table="Open_vSwitch" column="ssl"/>
column in the <ref table="Open_vSwitch"/> table must point to a
part of Open vSwitch.
</p>
</dd>
- <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>. If
- <var>ip</var>, which must be expressed as an IP address (not a
- DNS name), is specified, then connections are restricted to the
- specified local IP address (either IPv4 or IPv6). If
- <var>ip</var> is an IPv6 address, wrap it in square brackets,
- e.g. <code>ptcp:6653:[::1]</code>. If <var>ip</var> is not
- specified then it listens only on IPv4 addresses.
+ <var>host</var>, which can either be a DNS name (if built with
+ unbound library) or an IP address, is specified, then connections
+ are restricted to the resolved or specified local IP address
+ (either IPv4 or IPv6). If <var>host</var> is an IPv6 address, wrap
+ it in square brackets, e.g. <code>ptcp:6653:[::1]</code>. If
+ <var>host</var> is not specified then it listens only on IPv4
+ addresses.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6653.
The following connection methods are currently supported:
</p>
<dl>
- <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified SSL <var>port</var> on the host at the given
- <var>ip</var>, which must be expressed as an IP address
- (not a DNS name). The <ref table="Open_vSwitch"
+ <var>host</var>, which can either be a DNS name (if built with
+ unbound library) or an IP address. The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/>
table must point to a valid SSL configuration when this
form is used.
</p>
</dd>
- <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified TCP <var>port</var> on the host at the given
- <var>ip</var>, which must be expressed as an IP address (not a
- DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
- <var>ip</var> is an IPv6 address, wrap it in square brackets,
- e.g. <code>tcp:[::1]:6640</code>.
+ <var>host</var>, which can either be a DNS name (if built with
+ unbound library) or an IP address (IPv4 or IPv6). If <var>host</var>
+ is an IPv6 address, wrap it in square brackets, e.g.
+ <code>tcp:[::1]:6640</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
- <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
- choose an available port. If <var>ip</var>, which must be
- expressed as an IP address (not a DNS name), is specified, then
- connections are restricted to the specified local IP address
- (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
- address, wrap in square brackets,
- e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
+ choose an available port. If <var>host</var>, which can either
+ be a DNS name (if built with unbound library) or an IP address,
+ is specified, then connections are restricted to the resolved or
+ specified local IP address (either IPv4 or IPv6 address). If
+ <var>host</var> is an IPv6 address, wrap in square brackets,
+ e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses.
The <ref table="Open_vSwitch" column="ssl"/> column in the <ref
table="Open_vSwitch"/> table must point to a valid SSL
part of Open vSwitch.
</p>
</dd>
- <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
- choose an available port. If <var>ip</var>, which must be
- expressed as an IP address (not a DNS name), is specified, then
- connections are restricted to the specified local IP address
- (either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
- address, wrap it in square brackets,
- e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
+ choose an available port. If <var>host</var>, which can either
+ be a DNS name (if built with unbound library) or an IP address,
+ is specified, then connections are restricted to the resolved or
+ specified local IP address (either IPv4 or IPv6 address). If
+ <var>host</var> is an IPv6 address, wrap it in square brackets,
+ e.g. <code>ptcp:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 addresses.
</p>
<p>
The following connection methods are currently supported:
</p>
<dl>
- <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
- The specified SSL <var>port</var> (default: 6640) on the host at
- the given <var>ip</var>, which must be expressed as an IP address
- (not a DNS name).
+ The specified SSL <var>port</var> (default: 6640) on the given
+ <var>host</var>, which can either be a DNS name (if built with
+ unbound library) or an IP address.
</p>
<p>
SSL key and certificate configuration happens outside the
</p>
</dd>
- <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
+ <dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
- The specified TCP <var>port</var> (default: 6640) on the host at
- the given <var>ip</var>, which must be expressed as an IP address
- (not a DNS name).
+ The specified TCP <var>port</var> (default: 6640) on the given
+ <var>host</var>, which can either be a DNS name (if built with
+ unbound library) or an IP address.
</dd>
- <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>
- (default: 6640). If <var>ip</var>, which must be expressed as an
- IP address (not a DNS name), is specified, then connections are
- restricted to the specified local IP address.
+ (default: 6640). If <var>host</var>, which can either be a DNS
+ name (if built with unbound library) or an IP address, is
+ specified, then connections are restricted to the resolved or
+ specified local IP address.
</p>
</dd>
- <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
+ <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
Listens for connections on the specified TCP <var>port</var>
- (default: 6640). If <var>ip</var>, which must be expressed as an
- IP address (not a DNS name), is specified, then connections are
- restricted to the specified local IP address.
+ (default: 6640). If <var>host</var>, which can either be a DNS
+ name (if built with unbound library) or an IP address, is
+ specified, then connections are restricted to the resolved or
+ specified local IP address.
</dd>
</dl>
</column>
projects / ovs.git / commitdiff