authorFlavio Leitner <fbl@redhat.com>2018-03-29 23:05:29 -0300
committerBen Pfaff <blp@ovn.org>2018-03-31 12:48:36 -0700
commitcf114a7fce80c14d9f1bc49c995faa973b1b5e21 (patch)
treee35bf50554714e4ae258737be0eb5f8cf19f0ffb /lib
parent756819ddd788976f4d17e0da08779fd3317f85fa (diff)
downloadopenvswitch-cf114a7fce80c14d9f1bc49c995faa973b1b5e21.tar.gz
netlink linux: enable listening to all nsids
Internal ports may be moved to another network namespace and when that happens, the vswitch stops receiving netlink notifications. This patch enables the vswitch to listen to all network namespaces that have an nsid assigned in the network namespace where the socket has been opened. It requires kernel 4.2 or newer. Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/daemon-unix.c3
-rw-r--r--lib/daemon.man6
-rw-r--r--lib/daemon.xml8
-rw-r--r--lib/netdev-linux.c1
-rw-r--r--lib/netlink-protocol.h6
-rw-r--r--lib/netlink-socket.c27
-rw-r--r--lib/netlink-socket.h2
7 files changed, 45 insertions, 8 deletions
diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
index 04c6a874e..3ad1c6288 100644
--- a/lib/daemon-unix.c
+++ b/lib/daemon-unix.c
@@ -820,7 +820,8 @@ daemon_become_new_user_linux(bool access_datapath OVS_UNUSED)
if (access_datapath && !ret) {
ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN)
- || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW);
+ || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW)
+ || capng_update(CAPNG_ADD, cap_sets, CAP_NET_BROADCAST);
}
} else {
ret = -1;
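Review bot: The new CAP_NET_BROADCAST entry carries no hint of why a datapath daemon needs a broadcast capability, and neither the commit message nor the updated man page explains it; the only consumer is the NETLINK_LISTEN_ALL_NSID socket option added in netlink-socket.c, which the kernel refuses without that capability. A one-line comment above the capng_update chain keeps the next reader from dropping it as unneeded: `/* CAP_NET_BROADCAST is required for NETLINK_LISTEN_ALL_NSID (see nl_sock_listen_all_nsid()). */`. daemon_become_new_user_linux() starts and ends outside this hunk.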
diff --git a/lib/daemon.man b/lib/daemon.man
index 820a09903..68c0a312d 100644
--- a/lib/daemon.man
+++ b/lib/daemon.man
@@ -76,9 +76,9 @@ started by the root user accepts this argument.
.IP
On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES
before dropping root privileges. Daemons that interact with a datapath,
-such as \fBovs\-vswitchd\fR, will be granted two additional capabilities, namely
-CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply even if
-new user is "root".
+such as \fBovs\-vswitchd\fR, will be granted three additional capabilities,
+namely CAP_NET_ADMIN, CAP_NET_BROADCAST and CAP_NET_RAW. The capability
+change will apply even if the new user is root.
.IP
On Windows, this option is not currently supported. For security reasons,
specifying this option will cause the daemon process not to start.
diff --git a/lib/daemon.xml b/lib/daemon.xml
index 5cb447c49..1b5e8acae 100644
--- a/lib/daemon.xml
+++ b/lib/daemon.xml
@@ -107,10 +107,10 @@
On Linux, daemons will be granted <code>CAP_IPC_LOCK</code> and
<code>CAP_NET_BIND_SERVICES</code> before dropping root privileges.
Daemons that interact with a datapath, such as
- <code>ovs-vswitchd</code>, will be granted two additional
- capabilities, namely <code>CAP_NET_ADMIN</code> and
- <code>CAP_NET_RAW</code>. The capability change will apply even
- if the new user is root.
+ <code>ovs-vswitchd</code>, will be granted three additional
+ capabilities, namely <code>CAP_NET_ADMIN</code>,
+ <code>CAP_NET_BROADCAST</code> and <code>CAP_NET_RAW</code>. The
+ capability change will apply even if the new user is root.
</p>
<p>
diff --git a/lib/netdev-linux.c b/lib/netdev-linux.c
index 0cc580eb5..2e20fac56 100644
--- a/lib/netdev-linux.c
+++ b/lib/netdev-linux.c
@@ -655,6 +655,7 @@ netdev_linux_notify_sock(void)
}
}
}
+ nl_sock_listen_all_nsid(sock, true);
ovsthread_once_done(&once);
}
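Review bot: `nl_sock_listen_all_nsid(sock, true)` is called unconditionally after the error branches whose closing braces are visible above it, and nl_sock_listen_all_nsid() reads `sock->fd` without a NULL check. If the socket creation or group join earlier in netdev_linux_notify_sock() (outside this hunk) leaves `sock` NULL on failure, this dereferences a null pointer inside the once-block. Guard the call on the socket actually existing: `if (sock) { nl_sock_listen_all_nsid(sock, true); }`. The return value is deliberately ignored as best-effort, which is reasonable since the callee logs, but a short comment saying so would make that intent explicit.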
diff --git a/lib/netlink-protocol.h b/lib/netlink-protocol.h
index a7b9a65fa..c0617dfad 100644
--- a/lib/netlink-protocol.h
+++ b/lib/netlink-protocol.h
@@ -158,6 +158,12 @@ enum {
#define NETLINK_DROP_MEMBERSHIP 2
#endif
+/* This was introduced in v4.2. (We want our programs to support the newer
+ * kernel features even if compiled with older headers.) */
+#ifndef NETLINK_LISTEN_ALL_NSID
+#define NETLINK_LISTEN_ALL_NSID 8
+#endif
+
/* These were introduced all together in 2.6.23. (We want our programs to
* support the newer kernel features even if compiled with older headers.) */
#ifndef CTRL_ATTR_MCAST_GRP_MAX
diff --git a/lib/netlink-socket.c b/lib/netlink-socket.c
index f68ca860d..f3cce9314 100644
--- a/lib/netlink-socket.c
+++ b/lib/netlink-socket.c
@@ -442,6 +442,33 @@ nl_sock_join_mcgroup(struct nl_sock *sock, unsigned int multicast_group)
return 0;
}
+/* When 'enable' is true, it tries to enable 'sock' to receive netlink
+ * notifications form all network namespaces that have an nsid assigned
+ * into the network namespace where the socket has been opened. The
+ * running kernel needs to provide support for that. When 'enable' is
+ * false, it will receive netlink notifications only from the network
+ * namespace where the socket has been opened.
+ *
+ * Returns 0 if successful, otherwise a positive errno. */
+int
+nl_sock_listen_all_nsid(struct nl_sock *sock, bool enable)
+{
+ int error;
+ int val = enable ? 1 : 0;
+
+#ifndef _WIN32
+ if (setsockopt(sock->fd, SOL_NETLINK, NETLINK_LISTEN_ALL_NSID, &val,
+ sizeof val) < 0) {
+ error = errno;
+ VLOG_INFO("netlink: could not %s listening to all nsid (%s)",
+ enable ? "enable" : "disable", ovs_strerror(error));
+ return errno;
+ }
+#endif
+
+ return 0;
+}
+
#ifdef _WIN32
int
nl_sock_subscribe_packet__(struct nl_sock *sock, bool subscribe)
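Review bot: The failure path saves `errno` into `error` before logging but then does `return errno;`, so the value returned to the caller is whatever `ovs_strerror()` and the VLOG machinery left in `errno`, not the setsockopt() failure; the line should be `return error;`. On an older kernel the expected failure is ENOPROTOOPT and on a process lacking CAP_NET_BROADCAST it is EPERM, so returning the saved code matters if a caller ever wants to distinguish "unsupported" from "not permitted". Under `_WIN32` both `error` and `val` are declared but unused, which will warn; moving `int error;` inside the `#ifndef _WIN32` block (or marking the parameters OVS_UNUSED there) avoids that. The header comment also has a typo, "form all network namespaces" should read "from all network namespaces".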
diff --git a/lib/netlink-socket.h b/lib/netlink-socket.h
index 98f6554fa..7852ad052 100644
--- a/lib/netlink-socket.h
+++ b/lib/netlink-socket.h
@@ -213,6 +213,8 @@ void nl_sock_destroy(struct nl_sock *);
int nl_sock_join_mcgroup(struct nl_sock *, unsigned int multicast_group);
int nl_sock_leave_mcgroup(struct nl_sock *, unsigned int multicast_group);
+int nl_sock_listen_all_nsid(struct nl_sock *, bool enable);
+
#ifdef _WIN32
int nl_sock_subscribe_packets(struct nl_sock *sock);
int nl_sock_unsubscribe_packets(struct nl_sock *sock);