| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
When debugging multiple programs under GDB, it will be easier to
identify xterms with the program name displayed as title. Without
this patch, xterms will have the title of "gdb", which is the first
program the xterm executes. This change is useful for the next patch.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream commit:
openvswitch: Add support for checksums on UDP tunnels.
Currently, it isn't possible to request checksums on the outer UDP
header of tunnels - the TUNNEL_CSUM flag is ignored. This adds
support for requesting that UDP checksums be computed on transmit
and properly reported if they are present on receive.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: b8693877 ("openvswitch: Add support for checksums on UDP tunnels.")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
|
| |
This resolves the differences between the OVS Geneve implementation
and the upstream kernel, particularly in the area of the split
between vport-geneve.c and the generic Geneve data plane.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream commit:
udp: Do not require sock in udp_tunnel_xmit_skb
The UDP tunnel transmit functions udp_tunnel_xmit_skb and
udp_tunnel6_xmit_skb include a socket argument. The socket being
passed to the functions (from VXLAN) is a UDP created for receive
side. The only thing that the socket is used for in the transmit
functions is to get the setting for checksum (enabled or zero).
This patch removes the argument and and adds a nocheck argument
for checksum setting. This eliminates the unnecessary dependency
on a UDP socket for UDP tunnel transmit.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: d998f8ef ("udp: Do not require sock in udp_tunnel_xmit_skb")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream commit:
vlan: introduce *vlan_hwaccel_push_inside helpers
Use them to push skb->vlan_tci into the payload and avoid code
duplication.
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 5968250c ("vlan: introduce *vlan_hwaccel_push_inside helpers")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
| |
LISP can also take advantage of setup_udp_tunnel_sock() and
udp_tunnel_xmit_skb() to increase code reuse.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
common UDP tunnel functions."
Upstream commit:
vxlan: Refactor vxlan driver to make use of the common UDP tunnel functions.
Simplify vxlan implementation using common UDP tunnel APIs.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Using the upstream functions where available also has the side effect
of ensuring that we can use hardware offloads. The GBP changes forced
the use of the OVS emulated GSO path on kernels that lack GBP. This
resulted in the loss of VXLAN offload on earlier kernels. This restores
the offload support (for both GBP and non-GBP VXLAN).
Upstream: acbf74a7 ("vxlan: Refactor vxlan driver to make use of the common UDP tunnel functions.")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
skb->inner_protocol is used by GSO and TSO for tunnels on new
kernels. Since we are setting up packets to be handled by the
kernel's GSO and not just our own, we need to initialize this
field properly.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream commit:
udp-tunnel: Add a few more UDP tunnel APIs
Added a few more UDP tunnel APIs that can be shared by UDP based
tunnel protocol implementation. The main ones are highlighted below.
setup_udp_tunnel_sock() configures UDP listener socket for
receiving UDP encapsulated packets.
udp_tunnel_xmit_skb() and upd_tunnel6_xmit_skb() transmit skb
using UDP encapsulation.
udp_tunnel_sock_release() closes the UDP tunnel listener socket.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 6a93cc90 ("udp-tunnel: Add a few more UDP tunnel APIs")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two important GSO tunnel features that were introduced
after the 3.12 cutoff for our current out of tree GSO implementation:
* 3.16 introduced support for outer UDP checksums.
* 3.18 introduced support for verifying hardware support for protocols
other than VXLAN.
In cases where these features are used, we should use OVS GSO to
ensure correct behavior. However, we also want to continue to use
kernel GSO or hardware TSO in existing situations. Therefore, this
extends the range of kernels where OVS GSO is available to 3.18 and
makes it easier to select which one to use.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Open vSwitch allows moving internal vport to different namespace
while still connected to the bridge. But when namespace deleted
OVS does not detach these vports, that results in dangling
pointer to netdevice which causes kernel panic as follows.
This issue is fixed by detaching all ovs ports from the deleted
namespace at net-exit.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffffa0aadaa5>] ovs_vport_locate+0x35/0x80 [openvswitch]
Oops: 0000 [#1] SMP
Call Trace:
[<ffffffffa0aa6391>] lookup_vport+0x21/0xd0 [openvswitch]
[<ffffffffa0aa65f9>] ovs_vport_cmd_get+0x59/0xf0 [openvswitch]
[<ffffffff8167e07c>] genl_family_rcv_msg+0x1bc/0x3e0
[<ffffffff8167e319>] genl_rcv_msg+0x79/0xc0
[<ffffffff8167d919>] netlink_rcv_skb+0xb9/0xe0
[<ffffffff8167deac>] genl_rcv+0x2c/0x40
[<ffffffff8167cffd>] netlink_unicast+0x12d/0x1c0
[<ffffffff8167d3da>] netlink_sendmsg+0x34a/0x6b0
[<ffffffff8162e140>] sock_sendmsg+0xa0/0xe0
[<ffffffff8162e5e8>] ___sys_sendmsg+0x408/0x420
[<ffffffff8162f541>] __sys_sendmsg+0x51/0x90
[<ffffffff8162f592>] SyS_sendmsg+0x12/0x20
[<ffffffff81764ee9>] system_call_fastpath+0x12/0x17
Reported-by: Assaf Muller <amuller@redhat.com>
Fixes: 46df7b81454("openvswitch: Add support for network namespaces.")
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Reviewed-by: Thomas Graf <tgraf@noironetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 7b4577a9da ("openvswitch: Fix net exit").
Acked-by: Andy Zhou <azhou@nicira.com>
|
| |
|
|
|
|
|
|
| |
While adding support to Github markup language, the sentence had
gotten malformed.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
| |
strncpy() has a lot of pitfalls. A while back we replaced all its uses by
calls to ovs_strlcpy() or ovs_strzcpy(), but some more have crept in. This
commit fixes them.
Reported-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The set_dscp() function, until now, tried to set the DSCP as IPv4 and as
IPv6. This worked OK on Linux, where an ENOPROTOOPT error made it really
clear which one was wrong, but FreeBSD uses EINVAL instead, which has
multiple meanings and which it therefore seems somewhat risky to ignore.
Instead, this commit just tries to set the correct address family's DSCP
option.
Tested by Alex Wang on FreeBSD 9.3.
Reported-by: Atanu Ghosh <atanu@acm.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Co-authored-by: Alex Wang <alexw@nicira.com>
Signed-off-by: Alex Wang <alexw@nicira.com>
Tested-by: Alex Wang <alexw@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function is really of marginal utility. This commit drops it and
makes the existing callers instead open a new pstream with the desired
dscp.
The ulterior motive here is that the set_dscp() function that actually sets
the DSCP on a socket really wants to know the address family (AF_INET vs.
AF_INET6). We could plumb that down through the stream code, and that's
one reasonable option, but I thought that simply eliminating some calls
to set_dscp() where we don't already have the address family handy was
another reasonable way to go.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
|
| |
|
|
|
|
|
|
|
| |
init_clock begins with a memset of 0 of the full clock struct. This
memset at the end of a single struct member just makes extra sure that
it's set to 0, which is unnecessary.
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
| |
The 2.3 branch has been the long-term release for a while now, but somehow
we forgot to update the FAQ.
Reported-by: Kentaro Ebisawa <ebiken.g@gmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream commit:
udp: Generic functions to set checksum
Added udp_set_csum and udp6_set_csum functions to set UDP checksums
in packets. These are for simple UDP packets such as those that might
be created in UDP tunnels.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: af5fcba7 ("udp: Generic functions to set checksum")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
|
| |
|
|
|
|
|
|
| |
Use the common udp_sock_create() for LISP, similar to what was
done for VXLAN.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream commit:
vxlan: Call udp_sock_create
In vxlan driver call common function udp_sock_create to create the
listener UDP port.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 3ee64f39 ("vxlan: Call udp_sock_create")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
listener socket"
Upstream commit:
udp: Add udp_sock_create for UDP tunnels to open listener socket
Added udp_tunnel.c which can contain some common functions for UDP
tunnels. The first function in this is udp_sock_create which is used
to open the listener port for a UDP tunnel.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: 8024e028 ("udp: Add udp_sock_create for UDP tunnels to open listener socket")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
|
| |
|
|
|
|
|
|
|
|
| |
vxlan_src_port() has been replaced with the more generic
udp_flow_src_port() upstream. We already have a backport for this and
it is used everywhere where this is needed, so we can remove the
dead vxlan_src_port() function.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
|
| |
|
|
|
|
|
| |
VXLAN is now RFC, so we better to change the pointer to it.
Signed-off-by: Kentaro Ebisawa <ebiken.g@gmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
It is some times useful to leverage the sandbox facility to experiment
and explore the internals of ovs-vswitchd. Since GDB requires console
access for user inputs, this patch launch an xterm for GDB, The main
terminal continue to run the sub-shell as before. Exiting the sub-shell
will also kill the ovs-vswitchd under GDB (but not GDB itself currently)
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
| |
The copyright dates are taken from "git log --follow ovsdb/ovsdb-doc",
considering only Nicira authors' changes. (Only one change was from
a non-Nicira author anyhow.)
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
|
| |
|
|
|
|
|
|
|
| |
I really can't stand nroff syntax. This makes it possible to install
nroff but write in a more sensible XML syntax.
The following commit adds the first user.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
| |
This will make it cleaner to add another build-time program that generates
nroff from XML.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
| |
This seems like a better place for it.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
|
| |
|
|
|
|
|
| |
This should make it harder to forget documentation.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
|
| |
|
|
|
|
|
| |
This had been overlooked.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
A fair number of columns had been overlooked. This documents them.
The patch is smaller than it appears because this rearranges the STP and
RSTP documentation to group configuration, status, and statistics together
in the documentation for clarity.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
|
| |
|
|
|
|
|
|
|
| |
The lower layers count errors but until now nothing actually reported them.
Found by inspection.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Update the logic used in constify() to add const to a 'char **' while
still excluding all other cases of more than one level of indirection.
This results in adding const to a parameter of a generated setter
function where we're generally passing in array of constant strings.
As a result, this patch includes the other necessary fixes to the code
base to reflect the const addition.
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add a new section about Python code to the coding style document.
Suggest that all new Python code should adhere to the PEP 8 standard.
Also include a reference to tools that can quickly check code for
style issues.
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
| |
Ken co-authored commit add17b6945ab6 (vtep: Initial checkin of vtep
schema.) back in 2013 but I forgot to credit him in AUTHORS at the time.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
| |
Madhu reported a bug last year, mentioned in commit 639b6d9c9093
(ovsdb-server: Document RFC 7047 extensions to ovsdb <error>s.) but I
forgot to credit him in AUTHORS at the time.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When updating post recirc rules, rule management requires calls to
hmap APIs, which requires proper locking to ensure mutual exclsion in
accessing the hmap internal data structure. The locking currently is
missing from the output_normal() xlate path, thus causing
a race condition.
The race condition leads to segfault crash of ovs-vswitchd, with the
following stack trace:
The crash was found by adding and deleting bond interfaces repeatedly
with on-going traffic hitting the bond interfaces. The same test was
ran over multiple days with this patch to ensure the same crash was
not seen.
The patch added the necessary lock annotation that would have caught
the bug.
Tested-by: Salvatore Cambria <salvatore.cambria@citrix.com>
Reported-by: Salvatore Cambria <salvatore.cambria@citrix.com>
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
| |
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patches that modify existing code can break expected behaviour.
Flag this by testing the patch with 'make check' prior to submission.
Furthermore, it is not sufficient to only test patches that add files
using 'make distcheck'; the compile flags for this target could change
the definition of some functions (ovs_assert, for example), altering
the outcome of some unit tests. Rather, it is preferable to use a
combination of 'make distcheck' with 'make check' to cover all bases.
Signed-off-by: Mark Kavanagh <mark.b.kavanagh@intel.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduces two new NXMs to represent VXLAN-GBP [0] fields.
actions=load:0x10->NXM_NX_TUN_GBP_ID[],NORMAL
tun_gbp_id=0x10,actions=drop
This enables existing VXLAN tunnels to carry security label
information such as a SELinux context to other network peers.
The values are carried to/from the datapath using the attribute
OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS.
[0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy-00
Signed-off-by: Madhu Challa <challa@noironetworks.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously, list_moved() only worked with non-empty lists, but this was a
caveat that was really easy to miss. parse_ofp_group_mod_file() had a bug
because it didn't honor that restriction. This commit fixes the problem,
by modifying the list_moved() interface to be harder to use incorrectly
and then updating the callers.
Reported-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Thomas Graf <tgraf@noironetworks.com>
|
| |
|
|
|
|
|
|
| |
According to netdev-provider, this function should return
EOPNOTSUPP if not supported.
Signed-off-by: Mark D. Gray <mark.d.gray@intel.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
| |
Signed-off-by: Mark D. Gray <mark.d.gray@intel.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
| |
Signed-off-by: Mark D. Gray <mark.d.gray@intel.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
testsuite uses mkfifo in its job dispatcher that manages
parallel unit tests. MinGW does not have a mkfifo. This
results in unit tests running serially on Windows. Right
now it takes up to approximately 40 minutes to run all the
unit tests on Windows.
This commit provides a job dispatcher for MinGW that uses
temporary files instead of mkfifo to manage parallel jobs.
With this commit, on a Windows machine with 4 cores and with
8 parallel unit test sessions, it takes approximately 8
minutes to finish a unit test run.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Eitan Eliahu <eliahue@vmware.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Multiple weak edges between nodes at the same rank overlaps with each other in
a dot/graphviz diagram. The vswitchd.pic used in ovs-vswitchd.conf.db.5 suffers
this problem.
Removing "constraint=false" allows graphviz to rank the nodes using the weak
edages as well so that the nodes at the ends of a weak edge won't be at the
same rank and allows mutlple 'weak' edges to be visible.
Signed-off-by: Shu Shen <shu.shen@radisys.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
vxlan: Only set has-GBP bit in header if any other bits would be set
This allows for a VXLAN-GBP socket to talk to a Linux VXLAN socket by
not setting any of the bits.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: db79a621835e ("vxlan: Only set has-GBP bit in header if any other bits would be set")
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
_BitScanForward() and friends are part of the Windows API and
take DWORD as parameter type. DWORD is defined to be 'unsigned long'
in Windows' header files.
We call into these functions from within lib/util.h. Currently, we
pass arguments of type uint32_t which is type defined to
'unsigned int'. This incompatiblity causes failures when we compile
the code as C++ code or with warnings enabled, when compiled as C
code.
The fix is to use 'unsigned long' rather than fixed size type.
Co-Authored-by: Linda Sun <lsun@vmware.com>
Signed-off-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Linda Sun <lsun@vmware.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
OVS daemon service for Windows creates the pidfile and then
registers with the Windows services manager that the service
is running. There is a small time gap between the two steps.
So retry a few times in the test.
Also, provide a keyword for the test.
Reported-by: Nithin Raju <nithin@vmware.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Nithin Raju <nithin@vmware.com>
Tested-by: Nithin Raju <nithin@vmware.com>
|
