Ethan Jackson [Wed, 1 Aug 2012 20:01:01 +0000 (13:01 -0700)]
flow: Fix wild pointer dereference in flow_compose().
The 'ip' variable in flow_compose() points to some memory allocated
in an ofpbuf. The ofpbuf is modified without making the necessary
updates to the location of 'ip' causing a potential wild memory
access.
Ben Pfaff [Mon, 30 Jul 2012 21:41:13 +0000 (14:41 -0700)]
lockfile: Be more forgiving about lockfiles for symlinks.
As the database is being transitioned from /etc to /var, there is a symlink
from the old to the new location for the database and a symlink for its
lockfile. This works OK, but it would be more user-friendly to still work
correctly in case the symlink for the lockfile isn't there (since its
existence is non-obvious), so this commit implements that behavior.
Ben Pfaff [Thu, 26 Jul 2012 21:42:58 +0000 (14:42 -0700)]
ovsdb: Make "ovsdb-tool create" work through a dangling symlink.
open() with O_CREAT|O_EXCL yields EEXIST if the name passed in is a
symlink, but we would like "ovsdb-tool create /etc/openvswitch/conf.db" to
work if /etc/openvswitch/conf.db is a symlink to elsewhere in the file
system. This commit fixes the problem. It introduces a theoretical race,
but no one should be doing "ovsdb-tool create" in parallel anyhow; O_EXCL
is just an idiot check here, not required to be fail-safe.
Debian bug #681880. CC: 681880@bugs.debian.org Reported-by: Bastian Blank <waldi@debian.org> Signed-off-by: Ben Pfaff <blp@nicira.com> Reviewed-by: Simon Horman <horms@verge.net.au>
Ben Pfaff [Thu, 26 Jul 2012 21:36:24 +0000 (14:36 -0700)]
lockfile: Fix hang locking through a dangling symlink.
open() with O_CREAT|O_EXCL yields EEXIST if the file being opened is a
symlink. lockfile_try_lock() interpreted that error code to mean that
some other process had created the lock file in the meantime, so it went
around its loop again, which found out the same thing, which led to a hang.
This commit fixes the problem by dropping O_EXCL. I don't see any reason
that it's actually necessary. That means that the loop itself is
unnecessary, so this commit drops that too.
Debian bug #681880. CC: 681880@bugs.debian.org Reported-by: Bastian Blank <waldi@debian.org> Signed-off-by: Ben Pfaff <blp@nicira.com> Reviewed-by: Simon Horman <horms@verge.net.au>
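The open() behaviour that both dangling-symlink commits above describe, shown as an added example (not code from Open vSwitch or from either commit). The temporary paths are constructed, and the fcntl() advisory lock is this example's assumption about where mutual exclusion comes from once O_EXCL is dropped.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* mkdtemp(), symlink(), lstat() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct probe {
    int excl_errno;      /* errno from open(O_CREAT|O_EXCL) on the symlink */
    int plain_ok;        /* 1 if open(O_CREAT) without O_EXCL succeeded */
    int target_created;  /* 1 if the link's target is now a regular file */
    int lock_ok;         /* 1 if the advisory write lock was granted */
};

/* Constructed layout standing in for the /etc -> /var transition:
 *   <tmp>/old.lock -> <tmp>/new/db.lock   (target does not exist yet) */
int probe_dangling_symlink(struct probe *p)
{
    char dir[] = "/tmp/symlink-probe-XXXXXX";
    char sub[64], target[64], link_path[64];
    struct stat st;
    int fd;

    memset(p, 0, sizeof *p);
    if (!mkdtemp(dir)) return -1;
    snprintf(sub, sizeof sub, "%s/new", dir);
    snprintf(target, sizeof target, "%s/new/db.lock", dir);
    snprintf(link_path, sizeof link_path, "%s/old.lock", dir);
    if (mkdir(sub, 0700) || symlink(target, link_path)) return -1;

    /* O_EXCL refuses a symlink in the final path component, dangling or
     * not, so this fails with EEXIST however often it is retried. */
    fd = open(link_path, O_RDWR | O_CREAT | O_EXCL, 0600);
    p->excl_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);

    /* Without O_EXCL the link is followed and the target is created. */
    fd = open(link_path, O_RDWR | O_CREAT, 0600);
    p->plain_ok = fd >= 0;
    p->target_created = !lstat(target, &st) && S_ISREG(st.st_mode);
    if (fd >= 0) {
        /* Assumption of this example: exclusion comes from an fcntl()
         * advisory lock on the opened file, not from exclusive creation. */
        struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
        p->lock_ok = fcntl(fd, F_SETLK, &fl) == 0;
        close(fd);
    }
    unlink(target); unlink(link_path); rmdir(sub); rmdir(dir);
    return 0;
}

int main(void)
{
    struct probe p;
    if (probe_dangling_symlink(&p)) return 1;
    printf("O_EXCL: %s; plain open ok=%d, target created=%d, lock ok=%d\n",
           strerror(p.excl_errno), p.plain_ok, p.target_created, p.lock_ok);
    return 0;
}
```

The same refusal to follow a final-component symlink is what makes O_CREAT|O_EXCL the usual guard when creating files in directories that other users can write to, so opening without it is appropriate only where the directory is administrator-controlled.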
Ed Maste [Tue, 31 Jul 2012 12:24:30 +0000 (08:24 -0400)]
tests: Avoid xargs, for FreeBSD compatibility.
The FreeBSD version of xargs does not run the utility argument on empty
input, while GNU xargs runs it at least once, even with empty input. As
a result on FreeBSD VSCTL_CHECK_FIND returned no output for an empty
bridge list while on Linux it returned a single blank line.
Signed-off-by: Ed Maste <emaste@freebsd.org> Signed-off-by: Ben Pfaff <blp@nicira.com>
Simon Horman [Mon, 30 Jul 2012 02:03:03 +0000 (11:03 +0900)]
ofp-util: Update Capabilities for Open Flow 1.2
There are capabilities which are present in one, two and three
of Open Flow 1.0, 1.1 and 1.2. Update OFPC_COMMON to only include
capabilities that are present in all three Open Flow versions and
add ofputil_capabilities_mask() to return the mask of capabilities
for each version.
This does not cover OFPUTIL_C_STP and OFPUTIL_C_GROUP_STATS, which
both use capability bit 3 and are treated as special cases in
ofputil_encode_switch_features() and ofputil_decode_switch_features().
Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Ben Pfaff <blp@nicira.com>
Simon Horman [Mon, 30 Jul 2012 02:03:02 +0000 (11:03 +0900)]
ofp-util: Reduce scope of variables in ofputil_encode_flow_mod()
Reduce scope of per-protocol variables in ofputil_encode_flow_mod()
These variables are only needed in one of the cases covered by the switch
statement and will increase in number as more cases (protocols) are
supported.
Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Ben Pfaff <blp@nicira.com>
Simon Horman [Mon, 30 Jul 2012 02:03:00 +0000 (11:03 +0900)]
ofproto: As of Open Flow 1.1 switch_features has no capabilities field
In Open Flow 1.0 switch_features has a capabilities field.
However, in Open Flow 1.1, 1.2 and 1.3 this field is reserved.
Thus it should not be read on decode and it seems most appropriate
to set as zero on encode.
This patch takes the approach of setting the features field to
all available features for Open Flow 1.1+. I am unsure if it would
be sufficient to just set it to zero.
Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Ben Pfaff <blp@nicira.com>
Simon Horman [Mon, 30 Jul 2012 02:02:59 +0000 (11:02 +0900)]
openflow: Add enum ofp_version
Use an enum for ofp_version in ofp-util and ofp-msg.
This in conjunction with the use of switch() statements
allows the compiler to warn when a new ofp_version isn't handled.
Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Fri, 20 Jul 2012 06:23:17 +0000 (23:23 -0700)]
ofp-msgs: New approach to encoding and decoding OpenFlow headers.
OpenFlow headers are not as uniform as they could be, with size, alignment,
and numbering changes from one version to another and across varieties
(e.g. ordinary messages vs. "stats" messages). Until now the Open vSwitch
internal APIs haven't done a good job of abstracting those differences in
header formats. This commit changes that; from this commit forward very
little code actually needs to understand the header format or numbering.
Instead, it can just encode or decode, or pull or put, the header using
a more abstract API using the ofpraw_, ofptype_, and other APIs in the
new ofp-msgs module.
Signed-off-by: Ben Pfaff <blp@nicira.com> Tested-by: Simon Horman <horms@verge.net.au> Reviewed-by: Simon Horman <horms@verge.net.au>
ovs-dpctl: Allow requesting the port number from "add-if" command.
The datapath port number influences the OpenFlow port number in
ovs-vswitchd. The new "port_no" option for the "add-if" command allows
the user to request a specific datapath port number.
ovs-ctl.in: Don't stop forwarding while restarting the database.
Previously, the force-reload-kmod command would stop forwarding, stop
the database, restart the database, and then restart forwarding. If the
database is large, it can take a while to be read (we've seen as much as
10 seconds), which means the switch is not forwarding traffic during
that time.
This change stops and starts the database before restarting the
forwarding path. This means that ovs-vswitchd will lose its
connectivity to the database during a force-reload-kmod, but while it
will complain a little in the logs, it will continue to operate
properly.
Ed Maste [Mon, 30 Jul 2012 22:29:40 +0000 (15:29 -0700)]
Use int type for setsockopt IP_TOS value
FreeBSD requires that setsockopt(..., IP_TOS, ...) be passed an int
value. Linux accepts either int or char types (and has since at least
kernel 2.6.12) so just use int type unconditionally.
Signed-off-by: Ed Maste <emaste@freebsd.org> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ed Maste [Fri, 27 Jul 2012 21:27:15 +0000 (17:27 -0400)]
Avoid implementation-defined strerror behaviour
POSIX states that the string returned by strerror() may be overwritten
by a subsequent call (i.e., because it returns a pointer to a static
buffer). Make a copy of one of the two strerror() strings to avoid
this.
Background: FreeBSD historically returned such a pointer only in the
case of an invalid errno. With the addition of NLS strerror was changed
to do so for all calls.
Prior to this change I had confusing results from the test suite like
"... is 22 (Invalid argument) but should be 0 (Invalid argument)".
Signed-off-by: Ed Maste <emaste@adaranet.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Thu, 26 Jul 2012 04:37:59 +0000 (21:37 -0700)]
packets: First-hop router redundancy protocol MAC addresses are not BPDUs.
Commit c93f9a78c349 (packets: Update the reserved protocols list.) added
a number of first-hop router redundancy protocol MAC addresses to the
list of BPDU MAC addresses. This means that packets destined to those MAC
addresses are dropped when other-config:forward-bpdu is set to false on a
bridge (the default setting).
However, this behavior is incorrect, because these MAC addresses are not
special in the way that, say, STP frames are special. STP is a
switch-to-switch protocol that end hosts have no use for, but end hosts do
speak directly to routers on the MAC addresses assigned by VRRP and the
other protocols in this category. Therefore, dropping packets in this
category means that end hosts can no longer talk to their first-hop router,
if that router is running one of these protocols.
This commit also refines the match used for EDP and EAPS, and adds Cisco
CFM to the protocols that are dropped.
After this commit, the following destination MACs are dropped:
This patch adds new netdev classes that implement
"system" and "tap" devices on FreeBSD using the
libpcap library. This enables the use of the
"netdev" datapath_type of Open vSwitch on FreeBSD.
Signed-off-by: Gaetano Catalli <gaetano.catalli@gmail.com> Signed-off-by: Ed Maste <emaste@adaranet.com> Signed-off-by: Giuseppe Lettieri <g.lettieri@iet.unipi.it> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Wed, 25 Jul 2012 17:28:38 +0000 (10:28 -0700)]
configure: Fix check for GNU make $(if) extension.
As it turns out, the argument to AC_CONFIG_COMMANDS_PRE gets copied into
config.status whether or not it gets run by the shell at "configure" time,
defeating my attempt to support non-GNU make here.
Reported-by: Ed Maste <emaste@freebsd.org> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Mon, 23 Jul 2012 16:54:16 +0000 (09:54 -0700)]
Fix race condition in parallel execution of "make install".
ovs-vsctl is listed, incorrectly, in both bin_PROGRAMS and bin_SCRIPTS.
This meant that "make install" with the -j option could try to install
ovs-vsctl two times in parallel, a race that occasionally caused a build
failure, e.g.:
http://buildd.debian.org/status/fetch.php?pkg=openvswitch&arch=s390&ver=1.4.2%2Bgit20120612-5&stamp=1342851603
Ben Pfaff [Mon, 23 Jul 2012 17:16:31 +0000 (10:16 -0700)]
ovs-ofctl: Avoid printing false differences on "ovs-ofctl diff-flows".
It is possible for "struct ofpact"s to differ bytewise even if they are
equivalent when converted to another representation, such as OpenFlow 1.0
action format or a string representation. This can cause "ovs-ofctl
diff-flows" to print surprising false "differences", e.g. as in the bug
report:
- actions=resubmit(,1)
+ actions=resubmit(,1)
This commit fixes the problem by comparing not just the ofpacts but also
the string representation and printing a difference only if both differ.
Bug #8899. Reported-by: Luca Giraudo <lgiraudo@nicira.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Fri, 20 Jul 2012 20:15:36 +0000 (13:15 -0700)]
debian: Remove controller keys on openvswitch-controller package purge.
A Debian package is expected to remove all its configuration files (which
includes all files in /etc) when it is purged, but the
openvswitch-controller package wasn't doing that. This fixes the problem.
Debian bug #682187. CC: 682187@bugs.debian.org Reported-by: Andreas Beckmann <debian@abeckmann.de> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Fri, 20 Jul 2012 17:49:06 +0000 (10:49 -0700)]
tests: Remove bit-rotted support for "lcov".
At one point I got the "lcov" utilities to work well with OVS. Then I
didn't try to use them again for a year or so, and when I did I found that
it didn't work at all. I wasn't able to fix the problem easily, so it
seems better to remove the feature than to leave around broken code.
Ben Pfaff [Wed, 23 May 2012 16:33:22 +0000 (09:33 -0700)]
ofp-print: Print the type of truncated messages, when available.
The function ofputil_decode_msg_type_partial() can figure out the type of
a truncated OpenFlow message, if the message is long enough that its type
can be determined, so we should print this information. This is
especially valuable for printing OFPT_ERROR messages, in which the inner
OpenFlow message is often truncated to 64 bytes.
Ethan Jackson [Fri, 20 Jul 2012 20:07:49 +0000 (13:07 -0700)]
cfm: Clear RDI on new CFM configurations.
When CFM is first configured, it detects no remote endpoints, and
thus sets RDI on its CCMs. This can cause the receiver of these
CCMs to think there is a problem when really things are simply
initializing. This patch fixes the issue by not setting the RDI
bit in CCMs until at least one fault interval has passed.
Bug #12610. Reported-by: Paul Ingram <paul@nicira.com> Signed-off-by: Ethan Jackson <ethan@nicira.com>
Ethan Jackson [Thu, 19 Jul 2012 03:39:54 +0000 (20:39 -0700)]
cfm: Improve logging.
This patch makes two improvements to CFM logging which should
make debugging connectivity problems a bit more intuitive. First,
when a remote_mp disappears, the length of time since its last CCM
reception is logged. Second, the "CFM fault status changed"
message is reformatted in a more intuitive way. Instead of
prefixing additions and deletions with pluses and minuses, the full
old fault status and new fault status are logged.
Requested-by: Ben Basler <bbasler@nicira.com>, Signed-off-by: Ethan Jackson <ethan@nicira.com>
ovs-bugtool: Added --ovs option to get only ovs related information
Option --ovs is added for ovs-bugtool command to collect
only OpenvSwitch relevant information. To perform
filtering in plugins, a new xml attribute filters="ovs" (optional)
would be required in element 'command','files','directory' in
openvswitch.xml. Value of 'filters' attribute will be compared
with filtering option in load_plugins to get all relevant operation
to collect information. If no "--ovs" option is passed then it will
behave as earlier.
Fixed an issue which occurs in scenario where option '--yestoall'
is not passed and user keeps entering "y" or "n" on prompt.
Plus, trailing whitespaces are fixed. White space before '=' and
after in function def and call is also fixed.
Signed-off-by: Arun Sharma <arun.sharma@calsoftinc.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
Simon Horman [Thu, 19 Jul 2012 16:21:49 +0000 (09:21 -0700)]
OXM: Allow masking of ARP SHA and THA
Signed-off-by: Simon Horman <horms@verge.net.au>
[blp@nicira.com added NEWS, updated a few overlooked meta-flow bits] Signed-off-by: Ben Pfaff <blp@nicira.com>
Simon Horman [Wed, 18 Jul 2012 03:02:20 +0000 (12:02 +0900)]
classifier: Add helpers for setting ethernet addresses
Add helpers for setting ethernet addresses.
This patch makes use of them for setting the dl_src and dl_dst
addresses. A subsequent patch will also use them for arp_sha and arp_tpa.
Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Thu, 19 Jul 2012 15:42:21 +0000 (08:42 -0700)]
tests: Avoid hash order sensitivity in "ofproto - flow monitoring" test.
The order in which flows appear in an NXST_FLOW_MONITOR reply depends on
the hash order, which makes it depend on the details of the hash and on
system endianness. This avoids sensitivity to the order by sorting the
results.
Reported-by: Simon Horman <horms@verge.net.au> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Thu, 19 Jul 2012 07:15:19 +0000 (00:15 -0700)]
nx-match: Succeed pulling 0-byte nx-match from NULL buffer.
I don't think this corner case can come up in a real OpenFlow message,
because the presence of the OpenFlow header guarantees that the ofpbuf's
data is nonnull, but it did in a simple test that is coming up in a few
commits.
Ethan Jackson [Wed, 18 Jul 2012 17:56:21 +0000 (10:56 -0700)]
bridge: Segfault when missing Open vSwitch table.
The enable_system_stats() function calls smap_get_bool() on the
ovsrec_open_vswitch passed to it. This was segmentation faulting
when 'null_cfg' defined in bridge_reconfigure() was used because
there was no Open vSwitch table.
Ben Pfaff [Wed, 27 Jun 2012 17:42:34 +0000 (10:42 -0700)]
vlog: Use worker process to write to log file.
Writes to regular files under Unix-like kernels, including Linux, typically
block until the write is complete, regardless of O_NONBLOCK. When the I/O
subsystem is busy, this can cause indefinite delays. We have actually
observed "write" calls sleep for 5 seconds or more for this reason.
Delegating to a subprocess through the worker mechanism should solve the
problem.
Ben Pfaff [Wed, 27 Jun 2012 17:40:50 +0000 (10:40 -0700)]
worker: New library for breaking a daemon into multiple processes.
ovs-vswitchd is effectively a "soft real-time" process, because flows that
do not get set up quickly lead to packet loss or retransmission. We've
done our best to keep it from blocking unnecessarily, but some operations
unavoidably block. This new library allows a daemon to break itself up
into a main process and a worker process, connected by an RPC channel,
with the idea being that the main process will delegate any possibly
blocking operations to the worker.
This commit also modifies ovs-vswitchd to start a worker process, but it
does not actually introduce any uses for the worker process. Upcoming
commits will add those.
Ben Pfaff [Tue, 22 May 2012 18:36:50 +0000 (11:36 -0700)]
vlog: Add VLOG_ABORT() to log and call abort().
Whereas VLOG_FATAL() eventually calls exit(1), VLOG_ABORT()
eventually calls abort(). The key difference is that abort()
will cause a "monitor" process to restart, where exit(1) will
cause it to exit along with the monitored process.
Ben Pfaff [Wed, 18 Jul 2012 17:30:47 +0000 (10:30 -0700)]
util: Introduce "subprogram_name" to identify subprocesses and threads.
This will be more useful later when we introduce "worker" subprocesses.
I don't have any current plans to introduce threading, but I can't
think of a disadvantage to wording this in a general manner.
Ben Pfaff [Fri, 13 Jul 2012 06:08:45 +0000 (23:08 -0700)]
debian: Do not change iptables rules by default.
Debian kernel maintainer Bastian Blank writes, at
http://bugs.debian.org/680537:
The netfilter rules are a shared resource. There is no synchronization,
so the admin have the last word. As kernel maintainer, I see it similar
to a configuration file, so §10.7 policy applies.
The purpose of openvswitch is to provide support for switching, not to
setup filter rules. This means it violates the principle of least
surprise.
I believe that the argument by analogy to configuration files is weak,
given that the Debian policy section in question is very specifically about
files, not about general principles. On the other hand, Debian does not
install any firewall by default, so the presence of a rule that blocks GRE
traffic is a sign that the administrator has taken an explicit action to
install a firewall that blocks GRE, and therefore it is rather rude to
override this. Therefore, this patch simply turns off this behavior on
Debian, given that in ordinary Debian installations it will have no
adverse effect on Open vSwitch.
Debian bug #680537. CC: 680537@bugs.debian.org Reported-by: Bastian Blank <waldi@debian.org> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Simon Horman <horms@verge.net.au>
Ben Pfaff [Wed, 18 Jul 2012 17:10:20 +0000 (10:10 -0700)]
ofproto-dpif: Make OFPP_TABLE always resubmit to table 0.
Commit 299016266ed1 (New action NXAST_RESUBMIT_TABLE.) changed OFPP_TABLE
from resubmitting to table 0 to resubmitting to the current table. This
wasn't mentioned in the change log and I believe it was a typo. This
commit changes the behavior back.
This isn't a very serious bug because OpenFlow 1.0 says that OFPP_TABLE is
supposed to be used only in packet-out messages, in which case the current
table is 0 anyhow.
OpenFlow 1.3 is explicit:
The action list of an OFPT_PACKET_OUT message can also specify the
OFPP_TABLE reserved port as an output action to process the packet
through the existing flow entries, starting at the first flow table.
Reported-by: Isaku Yamahata <yamahata@valinux.co.jp> Signed-off-by: Ben Pfaff <blp@nicira.com>
Simon Horman [Wed, 18 Jul 2012 01:47:56 +0000 (10:47 +0900)]
ofproto: More vlan tests
I'm not sure if this is the best place for this, but exercising
adding flows with dl_vlan and dl_vlan_pcp in this matter helped
me to find some bugs in changes that I am working on in relation
to the OpenFlow VLAN match.
Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Ben Pfaff <blp@nicira.com>
Ben Pfaff [Tue, 10 Jul 2012 06:45:25 +0000 (23:45 -0700)]
ofp-util: Wildcard VLAN PCP in OF1.0 matches when 802.1Q not present.
When an output OF1.0 match uses OFP_VLAN_NONE to match only when the 802.1Q
header is not present, it is somewhat contradictory to specify any value
for the VLAN PCP, since none can be present without an 802.1Q header, but
the match output by Open vSwitch did so. This fixes it.
Signed-off-by: Ben Pfaff <blp@nicira.com> Tested-by: Simon Horman <horms@verge.net.au>
Ethan Jackson [Tue, 17 Jul 2012 17:07:36 +0000 (10:07 -0700)]
tests: Fix unit test failures related to additional logging.
Commit a890678229 (userspace: Log version on startup.) added
additional logging to ovsdb-server and ovs-vswitchd, but failed to
make certain the unit tests still passed.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
[blp@nicira.com changed the strategy for fixing ovsdb-server.at] Signed-off-by: Ben Pfaff <blp@nicira.com>