Greg Rose [Wed, 18 Jul 2018 16:22:13 +0000 (09:22 -0700)]
erspan: set bso bit based on mirrored packet's len
Upstream commit:
Before the patch, the erspan BSO bit (Bad/Short/Oversized) is not
handled. BSO has 4 possible values:
00 --> Good frame with no error, or unknown integrity
11 --> Payload is a Bad Frame with CRC or Alignment Error
01 --> Payload is a Short Frame
10 --> Payload is an Oversized Frame
Based the short/oversized definitions in RFC1757, the patch sets
the bso bit based on the mirrored packet's size.
Reported-by: Xiaoyan Jin <xiaoyanj@vmware.com> Signed-off-by: William Tu <u9012063@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: William Tu <u9012063@gmail.com> Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: William Tu <u9012063@gmail.com>
Ian Stokes [Wed, 25 Jul 2018 14:00:43 +0000 (15:00 +0100)]
ovn-nbctl: Initialize arguments to avoid compilation warnings.
Output arguments for parse_priority() and dhcp_options_get() may not be
initialized when either function returns an error.
This causes compilation warnings for GCC 6.3.x regarding use of
uninitialized variable use and null-pointer-arithmetic.
Fix this by initializing priority_p* value to 0 for priority_parse()
when an error occurs during parsing.
For dhcp_options_get() set *dhcp_opts_p = dhcp_opts regardless as
dhcp_opts will be equal to NULL when an error occurs within the function
anyhow.
Cc: Jakub Sitnicki <jkbs@redhat.com> Fixes: 3844c85de979 ("ovn-nbctl: Don't die in dhcp_options_get()." Fixes: bc8223df3b01 ("ovn-nbctl: Don't die in parse_priority().") Signed-off-by: Ian Stokes <ian.stokes@intel.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Jakub Sitnicki <jkbs@redhat.com>
Jakub Sitnicki [Wed, 25 Jul 2018 15:26:54 +0000 (17:26 +0200)]
ovn-nbctl: Detect unrecognized short options in server mode.
Because getopt() will set optopt for both known and unknown options,
we need to differentiate between them ourselves by checking if we
know the option. Do that by looking up its value.
Also, because we are using GNU extensions to getopt(), we need to be
resetting getopt() state by setting optind to 0 instead of 1 as
pointed out in NOTES in getopt(3) man-page. Not doing so results in
invalid reads and optopt being set to a garbarge value.
Fixes: 3ec06ea9c668 ("ovn-nbctl: Initial support for daemon mode.") Signed-off-by: Jakub Sitnicki <jkbs@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Mon, 30 Jul 2018 14:37:49 +0000 (16:37 +0200)]
ovn-northd: Propagate dynamic addresses to port group address sets.
If a logical switch port belongs to a port group and has dynamic
addresses assigned, propagate the addresses to the auto-generated
address sets for the port group.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com> Acked-by: Han Zhou <hzhou8@ebay.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
ovn: Support configuring meters through SB Meter table.
Add the ability to configure meters through the newly introduced Meter
table in the Southbound database. Previously, meters were configured by
providing strings to describe the meter in the extended meter table.
This patch changes the behavior so that the extended meter table's
strings are references to names in the Meter table. The old behavior is
still supported if the extended meter table entry begins with "__string: "
Signed-off-by: Justin Pettit <jpettit@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
ovn: Add Meter and Meter_Band tables to the NB and SB databases.
Add support for configuring meters through the Meter and Meter_Band
tables in the Northbound database. This commit also has ovn-northd
sync those tables between the Northbound and Southbound databases.
Add support for configuring meters with ovn-nbctl.
Signed-off-by: Justin Pettit <jpettit@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
If an OVS_ATTR_NESTED attribute type is found while walking
through netlink attributes, we call nlattr_set() recursively
passing the length table for the following nested attributes, if
different from the current one.
However, once we're done with those sub-nested attributes, we
should continue walking through attributes using the current
table, instead of using the one related to the sub-nested
attributes.
we switch to the 'ovs_tunnel_key_lens' table on attribute #3,
and we don't switch back to 'ovs_key_lens' while setting
attributes #9 to #11 in the sequence. As OVS_KEY_ATTR_MPLS
evaluates to 21, and the array size of 'ovs_tunnel_key_lens' is
15, we also get this kind of KASan splat while accessing the
wrong table:
[ 7655.132484] The buggy address belongs to the variable:
[ 7655.138226] ovs_tunnel_key_lens+0xf0/0xffffffffffffd400 [openvswitch]
[ 7655.145507]
[ 7655.147166] Memory state around the buggy address:
[ 7655.152514] ffffffffc169eb80: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
[ 7655.160585] ffffffffc169ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 7655.168644] >ffffffffc169ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
[ 7655.176701] ^
[ 7655.184372] ffffffffc169ed00: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 05
[ 7655.192431] ffffffffc169ed80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
[ 7655.200490] ==================================================================
Reported-by: Hangbin Liu <liuhangbin@gmail.com> Fixes: 982b52700482 ("openvswitch: Fix mask generation for nested attributes.") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Tested-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Justin Pettit <jpettit@ovn.org>
netfilter: add NAT support for shifted portmap ranges
This is a patch proposal to support shifted ranges in portmaps. (i.e. tcp/udp
incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100)
Currently DNAT only works for single port or identical port ranges. (i.e.
ports 5000-5100 on WAN interface redirected to a LAN host while original
destination port is not altered) When different port ranges are configured,
either 'random' mode should be used, or else all incoming connections are
mapped onto the first port in the redirect range. (in described example
WAN:5000-5100 will all be mapped to 192.168.1.5:2000)
This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET
which uses a base port value to calculate an offset with the destination port
present in the incoming stream. That offset is then applied as index within the
redirect port range (index modulo rangewidth to handle range overflow).
In described example the base port would be 5000. An incoming stream with
destination port 5004 would result in an offset value 4 which means that the
NAT'ed stream will be using destination port 2004.
Other possibilities include deterministic mapping of larger or multiple ranges
to a smaller range : WAN:5000-5999 -> LAN:5000-5099 (maps WAN port 5*xx to port
51xx)
This patch does not change any current behavior. It just adds new NAT proto
range functionality which must be selected via the specific flag when intended
to use.
A patch for iptables (libipt_DNAT.c + libip6t_DNAT.c) will also be proposed
which makes this functionality immediately available.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Justin Pettit <jpettit@ovn.org>
datapath: Introduce net_rwsem and remove rtnl_lock()
This patch backports the following two upstream commits and
add a new symbol HAVE_NET_RWSEM in acinclude.m4 to determine
whether to use new introduced rw_semaphore, net_rwsem.
net: Introduce net_rwsem to protect net_namespace_list
rtnl_lock() is used everywhere, and contention is very high.
When someone wants to iterate over alive net namespaces,
he/she has no a possibility to do that without exclusive lock.
But the exclusive rtnl_lock() in such places is overkill,
and it just increases the contention. Yes, there is already
for_each_net_rcu() in kernel, but it requires rcu_read_lock(),
and this can't be sleepable. Also, sometimes it may be need
really prevent net_namespace_list growth, so for_each_net_rcu()
is not fit there.
This patch introduces new rw_semaphore, which will be used
instead of rtnl_mutex to protect net_namespace_list. It is
sleepable and allows not-exclusive iterations over net
namespaces list. It allows to stop using rtnl_lock()
in several places (what is made in next patches) and makes
less the time, we keep rtnl_mutex. Here we just add new lock,
while the explanation of we can remove rtnl_lock() there are
in next patches.
Fine grained locks generally are better, then one big lock,
so let's do that with net_namespace_list, while the situation
allows that.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream commit:
commit ec9c780925c57588637e1dbd8650d294107311c0
Author: Kirill Tkhai <ktkhai@virtuozzo.com>
Date: Thu Mar 29 19:21:09 2018 +0300
ovs: Remove rtnl_lock() from ovs_exit_net()
Here we iterate for_each_net() and removes
vport from alive net to the exiting net.
ovs_net::dps are protected by ovs_mutex(),
and the others, who change it (ovs_dp_cmd_new(),
__dp_destroy()) also take it.
The same with datapath::ports list.
So, we remove rtnl_lock() here.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Justin Pettit <jpettit@ovn.org>
openvswitch: meter: fix the incorrect calculation of max delta_t
Max delat_t should be the full_bucket/rate instead of the full_bucket.
Also report EINVAL if the rate is zero.
Fixes: 96fbc13d7e77 ("openvswitch: Add meter infrastructure") Cc: Andy Zhou <azhou@ovn.org> Signed-off-by: zhangliping <zhangliping02@baidu.com> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Tested-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Justin Pettit <jpettit@ovn.org>
Greg Rose [Fri, 27 Jul 2018 18:20:08 +0000 (11:20 -0700)]
compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded
When for some reason the built-in kernel ip6_gre module is loaded that
would prevent the openvswitch kernel driver from loading. Even when
the built-in kernel ip6_gre module is loaded we can still perform
port mirroring via Tx. Adjust the error handling and detect when
the ip6_gre kernel module is loaded and in that case still enable
IPv6 GRE/ERSPAN Tx.
Signed-off-by: Greg Rose <gvrose8192@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: William Tu <u9012063@gmail.com>
Greg Rose [Fri, 20 Jul 2018 01:48:31 +0000 (18:48 -0700)]
compat: Initialize IPv4 reassembly secret timer
The RHEL 7 kernels expect the secret timer interval to be initialized
before calling the inet_frags_init() function. By not initializing it
the inet_frags_secret_rebuild() function was running on every tick
rather than on the expected interval. This caused occasional panics
from page faults when inet_frags_secret_rebuild() would try to rearm a
timer from the openvswitch kernel module which had just been removed.
Also remove the prior, and now unnecessary, work around.
Timothy Redaelli [Fri, 22 Jun 2018 18:04:10 +0000 (20:04 +0200)]
Permit to build OVS with only Python3 installed
This commit renames HAVE_PYTHON to HAVE_PYTHON2 and PYTHON to PYTHON2
and adds HAVE_PYTHON and PYTHON with a different semantics:
- If PYTHON environment variable is set, use it as PYTHON
- If a python2 interpreter is available, PYTHON became the python2 interpreter
- If a python3 interpreter is available, PYTHON became the python3 interpreter
PYTHON is only used to run the python scripts needed by the build system
NOTE:
Since currently most of the utilities and bugtool doesn't support Python3,
they're installed only if python2 is available. This will be fixed in later
commits.
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Opening a file with 'rw' in Python3 returns an error, moreover using 'rw' in
Python2 is wrong too since it opens the file using O_RDONLY and not by using
O_RDWR.
This commit fixes it by using the low-level os.open function with O_RDWR
as suggested by the Linux kernel (tuntap.txt) documentation.
This commit fixes also some usual bytes vs string incompatibilities.
Tested on Python 2.7.15 and Python 3.6.5
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Added parenthesis after print and use "as" instead of "," in except.
This commit fixes also a couple of flake8 warnings:
utilities/ovs-tcpundump:23:1: E302 expected 2 blank lines, found 1
utilities/ovs-tcpundump:35:1: E305 expected 2 blank lines after class or
function definition, found 1
Tested on Python 2.7.15 and Python 3.6.5
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ian Stokes [Thu, 12 Jul 2018 18:48:42 +0000 (19:48 +0100)]
Docs: Improve OVS DPDK version mapping notice.
A common issue is users pairing the incorrect version of OVS to DPDK
when working outside of the build tree.
To avoid this, this commit updates the OVS DPDK documentation to explicitly
flag that users should consult the OVS to DPDK release mapping in FAQ if
working outside of the OVS build tree.
Suggested-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ian Stokes <ian.stokes@intel.com> Acked-by: Flavio Leitner <fbl@sysclose.org>
Yipeng Wang [Tue, 10 Jul 2018 10:14:06 +0000 (03:14 -0700)]
dpif-netdev: Add SMC cache after EMC cache
This patch adds a signature match cache (SMC) after exact match
cache (EMC). The difference between SMC and EMC is SMC only stores
a signature of a flow thus it is much more memory efficient. With
same memory space, EMC can store 8k flows while SMC can store 1M
flows. It is generally beneficial to turn on SMC but turn off EMC
when traffic flow count is much larger than EMC size.
SMC cache will map a signature to an dp_netdev_flow index in
flow_table. Thus, we add two new APIs in cmap for lookup key by
index and lookup index by key.
For now, SMC is an experimental feature that it is turned off by
default. One can turn it on using ovsdb options.
Signed-off-by: Yipeng Wang <yipeng1.wang@intel.com> Co-authored-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Acked-by: Billy O'Mahony <billy.o.mahony@intel.com> Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:23 +0000 (15:51 +0200)]
ovn-nbctl: Initial support for daemon mode.
Make ovn-nbctl act as a unixctl server if we were asked to detach. This
turns ovn-nbctl into a long-lived process that acts a proxy for
interacting with NB DB. The main difference to regular mode of ovn-nbctl
is that in the daemon mode, a local copy of database contents has to be
obtained only once.
Just two unixctl commands are supported 'run' and 'exit'. The former can
be used to run any ovn-nbctl command or a batch of them as so:
ovs-appctl -t ovn-nbctl run [OPTIONS] COMMAND [-- [OPTIONS] COMMAND] ...
Running commands that have not yet been converted to not use ctl_fatal()
will result in death of the daemon process. However, --monitor option
can be used to keep the daemon running.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:18 +0000 (15:51 +0200)]
ovn-nbctl: Introduce a poll_timer based wait timeout.
Extend the main loop and the command runner so that the caller can
specify a timeout for poll_block(). This will allow us to break out of
the main loop when waiting on IDL, like in the blocked '--wait=sb/hv
sync' case.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:07 +0000 (15:51 +0200)]
ovsdb-idl: Allow monitoring columns that are already monitored.
If IDL was created with monitoring and alerts turned on by default for
all columns, then there is no harm in allowing the API users to ask
again for monitoring and alerts to be enabled for any given column.
This allows us to run prerequisites handlers for db-ctl and ovn-nbctl
commands once the IDL has already ran once.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki [Thu, 19 Jul 2018 13:51:06 +0000 (15:51 +0200)]
table: Introduce a constant for default table style.
Having a constant in addition to the constant expression for the default
table style allows us to reset 'struct table_style' variables to default
style.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
The command: `make check-tabs` fails on Windows due to line ending conversions
caused by the following setting: `git config --global core.autocrlf true`
(the whitelist `build-aux/initial-tab-whitelist` becomes a blacklist)
This patch adds a .gittatribute file to build-aux to force LF endings
on Windows.
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org> Co-authored-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Aaron Conole <aconole@redhat.com> Acked-by: Ben Pfaff <blp@ovn.org>
Ian Stokes [Tue, 10 Jul 2018 18:46:55 +0000 (19:46 +0100)]
ovn-nbctl: Fix compilation warnings.
This commit fixes 'maybe-uninitialized' warnings for pointers in various
functions in ovn-nbctl when compiling with gcc 6.3.1 and -Werror.
Pointers to structs nbrec_logical_switch, nbrec_logical_switch_port,
nbrec_logical_router and nbrec_logical_router_port are now initialized
to NULL where required.
Cc: Justin Pettit <jpettit@ovn.org> Cc: Venkata Anil <vkommadi@redhat.com> Fixes: 31114af758c7 ("ovn-nbctl: Update logical router port commands.") Fixes: 80f408f4cffb ("ovn: Use Logical_Switch_Port in NB.") Fixes: 36f232bca2db ("ovn: l3ha, CLI for logical router port gateway
chassis") Signed-off-by: Ian Stokes <ian.stokes@intel.com> Signed-off-by: Justin Pettit <jpettit@ovn.org>
Martin Xu [Thu, 12 Jul 2018 23:25:24 +0000 (16:25 -0700)]
rhel: support kmod-openvswitch build against multiple kernels, rhel6
This patch only affects rhel6 spec file.
RHEL 7.4 introduced backward incompatible changes in the kernel. As
a result, prebuilt PRM packages against kernels newer than 693.17.1
will cannot be used on systems with older kernels, vice versa.
This patch allows multiple kernel version numbers delimited by
whitespace to be passed as variable "kversion". kmod-openvswitch RPM
packages the kernel module .ko files from all specified kernel
versions.
This patch also includes a script to update the weak-update symlinks
if the system kernel version is upgraded or downgraded after
kmod-openvswitch is installed.
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com> Co-authored-by: Greg Rose <gvrose8192@gmail.com> CC: Ben Pfaff <blp@ovn.org> CC: Flavio Leitner <fbl@redhat.com> CC: Aaron Conole <aconole@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Martin Xu [Thu, 12 Jul 2018 23:25:23 +0000 (16:25 -0700)]
rhel: remove openvswitch-kmod package from build, rhel6
This patch only affects rhel6 spec file.
Previouly the kernel_module_package macro is used to generate spec file
template to build kmod-openvswitch RPM. The main package only contains
the openvswitch.conf for depmod. The macro is now removed. Everything is
built in the main package instead. This effectively removes the redudant
openvswitch-kmod package from the build.
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com> CC: Greg Rose <gvrose8192@gmail.com> CC: Ben Pfaff <blp@ovn.org> CC: Flavio Leitner <fbl@redhat.com> CC: Aaron Conole <aconole@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Martin Xu [Thu, 12 Jul 2018 23:25:22 +0000 (16:25 -0700)]
rhel: rename openvswitch kmod rhel6 spec file
This patch only affects rhel6 spec file.
The rhel6 kmod spec file is renamed from openvswitch-kmod-rhel6.spec
to kmod-openvswitch-rhel6.spec . This is to prepare for the next
patches to support building multiple kernel versions in the main
package. The rename makes the spec file consistent with the resulted
kmod-openvswitch-<version>.rpm, which is the real package with
kernel module files.
Signed-off-by: Martin Xu <martinxu9.ovs@gmail.com> Reviewed-by: Flavio Leitner <fbl@redhat.com> CC: Greg Rose <gvrose8192@gmail.com> CC: Ben Pfaff <blp@ovn.org> CC: Aaron Conole <aconole@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
William Tu [Wed, 11 Jul 2018 16:45:08 +0000 (09:45 -0700)]
datapath: work around the single GRE receive limitation.
Commit 9f57c67c379d ("gre: Remove support for sharing GRE protocol hook")
allows only single GRE packet receiver. When upstream kernel's gre module
is loaded, the gre.ko exclusively becomes the only gre packet receiver,
preventing OVS kernel module from registering another gre receiver.
We can either try to unload the gre.ko by removing its dependencies,
or, in this patch, we try to register OVS as only the GRE transmit
portion when detecting there already exists another GRE receiver.
Signed-off-by: William Tu <u9012063@gmail.com> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com> Cc: Greg Rose <gvrose8192@gmail.com> Cc: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
conntrack: Fix conn_update_state_alg use after free.
When conn_update_state() returns true, conn has been freed, so skip calling
handle_ftp_ctl() with this conn and instead follow code path for new
connections.
Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.") Signed-off-by: Darrell Ball <dlu998@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Tue, 10 Jul 2018 16:27:18 +0000 (09:27 -0700)]
sparse: Make IN6_IS_ADDR_MC_LINKLOCAL and IN6_ARE_ADDR_EQUAL pickier.
On GNU systems these macros work with arbitrary pointers, but the relevant
standards only require IN6_IS_ADDR_MC_LINKLOCAL to work with in6_addr (and
don't specify IN6_ARE_ADDR_EQUAL at all). Make the "sparse"
implementations correspondingly pickier so that we catch any introduced
problems more quickly.
Ken Sanislo [Wed, 20 Jun 2018 21:44:08 +0000 (14:44 -0700)]
ifupdown.sh: Correctly bring up bond slaves.
It seems that line 70 needs to be operating on the $slave variable created
in the for loop at :68. Bonded interfaces fail to bring up their links
with the current version, this will makes them work correctly.
Signed-off-by: Ken Sanislo <ken@intherack.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Tiago Lam [Thu, 21 Jun 2018 17:39:16 +0000 (18:39 +0100)]
bridge: Clean leaking netdevs when route is added.
When adding a route to a bridge, by executing "$appctl ovs/route/add
$IP/$MASK $BR", a reference to the existing netdev is taken and stored
in an instantiated ip_dev struct which is then stored in an addr_list
list in tnl-ports.c. When OvS is signaled to exit, as a result of a
"$appctl $OVS_PID exit --cleanup", for example, the bridge takes care of
destroying its allocated port and iface structs. While destroying and
freeing an iface, the netdev associated with it is also destroyed.
However, for this to happen its ref_cnt must be 0. Otherwise the
destructor of the netdev (specific to each datapath) won't be called. On
the userspace datapath this means a system interface, such as "br0",
wouldn't get deleted upon exit of OvS (when a route happens to be
assocaited).
This was first observed in the "ptap - triangle bridge setup with L2 and
L3 GRE tunnels" test, which runs as part of the system userspace
testsuite and uses the netdev datapath (as opoosed to several tests
which use the dummy datapath, where this issue isn't seen). The test
would pass every other time and fail the rest of the times because the
needed system interfaces (br-p1, br-p2 and br-p3) were already present
(from the previous successfull run which didn't clean up properly),
leading to a failure.
To fix the leak and clean up the interfaces upon exit, on its final
stage before destroying a netdev, in iface_destroy__(), the bridge calls
tnl_port_map_delete_ipdev() which takes care of freeing the instatiated
ip_dev structs that refer to a specific netdev.
An extra test is also introduced which verifies that the resources used
by OvS netdev datapath have been correctly cleaned up between
OVS_TRAFFIC_VSWITCHD_STOP and AT_CLEANUP.
Signed-off-by: Tiago Lam <tiago.lam@intel.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
xlate: use const struct in6_addr in linklocal check
Commit 83c2757bd16e ("xlate: Move tnl_neigh_snoop() to
terminate_native_tunnel()") introduced a call to
IN6_IS_ADDR_MC_LINKLOCAL() when checking neighbor discovery.
The call to this assumes that the argument may be a const uint8_t *.
According to The Open Group Base Specifications Issue 7, 2018:
macro is of type int and takes a single argument of
type const struct in6_addr *
The GNU implementation allows a bit of flexibility, by internally
casting the argument. However, other implementations (such as OS X)
more rigidly implement the standard and fail with errors like:
error: member reference base type 'const uint8_t'
(aka 'const unsigned char') is not a structure or union
Fixes: 83c2757bd16e ("xlate: Move tnl_neigh_snoop() to terminate_native_tunnel()") Cc: Zoltan Balogh <zoltan.balogh.eth@gmail.com> Cc: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Ben Pfaff [Mon, 9 Jul 2018 20:04:03 +0000 (13:04 -0700)]
flow: Fix buffer overread for crafted IPv6 packets.
The ipv6_sanity_check() function implemented a check for IPv6 payload
length wrong: ip6_plen is the payload length but this function checked
whether it was longer than the total length of IPv6 header plus payload.
This meant that a packet with a crafted ip6_plen could result in a buffer
overread of up to the length of an IPv6 header (40 bytes).
The kernel datapath flow extraction code does not obviously have a similar
problem.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9287 Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Darrell Ball <dlu998@gmail.com>
projects / ovs.git / log