| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add two new commands, fdb/stats-show and fdb/stats-clear, to
ovs-appctl to show and clear the new mac_learning statistics.
$ ovs-appctl fdb/stats-show ovs_pvp_br0
Statistics for bridge "ovs_pvp_br0":
Current/maximum MAC entries in the table: 4/2048
Total number of learned MAC entries : 4
Total number of expired MAC entries : 1
Total number of evicted MAC entries : 0
Total number of port moved MAC entries : 32
$ ovs-appctl fdb/stats-clear ovs_pvp_br0
statistics successfully cleared
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds counters per mac_learning instance.
The following counters are added:
total_learned: Total number of learned MAC entries
total_expired: Total number of expired MAC entries
total_evicted: Total number of evicted MAC entries, i.e. entries moved
out due to the table being full.
total_moved : Total number of port moved MAC entries, i.e. entries
where the MAC address moved to a different port.
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds two additional mac-learning coverage counters:
- mac_learning_evicted, entries deleted due to mac table being full
- mac_learning_moved, entries where the port has changed.
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
| |
|
|
|
|
|
|
| |
Poll-loop is the core to implement main loop. It should be available in
libopenvswitch.
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
There are many docs that don't need to kept at the top level, along
with many more hidden in random folders. Move them all.
This also allows us to add the '-W' flag to Sphinx, ensuring unindexed
docs result in build failures.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
| |
|
|
|
| |
Signed-off-by: Stephen Finucane <stephen@that.guru>
Signed-off-by: Russell Bryant <russell@ovn.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Make mac table update functions part of the mac-learning module, which
also helps in figuring what is the minimal set of struct flow fields
needed for the update. Use this to change the xlate cache entry for
XC_NORMAL to not take a copy of the struct flow, but only save the
in_port, dl_src, and some auxiliary fields. This reduces the memory
burden of XC_NORMAL by roughly 0.5kb.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
|
| |
|
|
|
|
|
| |
This attempts to prevent namespace collisions with other list libraries
Signed-off-by: Ben Warren <ben@skyportsystems.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
| |
|
|
|
|
|
|
| |
All code is now in include/openvswitch/list.h.
Signed-off-by: Ben Warren <ben@skyportsystems.com>
Acked-by: Ryan Moats <rmoats@us.ibm.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define struct eth_addr and use it instead of a uint8_t array for all
ethernet addresses in OVS userspace. The struct is always the right
size, and it can be assigned without an explicit memcpy, which makes
code more readable.
"struct eth_addr" is a good type name for this as many utility
functions are already named accordingly.
struct eth_addr can be accessed as bytes as well as ovs_be16's, which
makes the struct 16-bit aligned. All use seems to be 16-bit aligned,
so some algorithms on the ethernet addresses can be made a bit more
efficient making use of this fact.
As the struct fits into a register (in 64-bit systems) we pass it by
value when possible.
This patch also changes the few uses of Linux specific ETH_ALEN to
OVS's own ETH_ADDR_LEN, and removes the OFP_ETH_ALEN, as it is no
longer needed.
This work stemmed from a desire to make all struct flow members
assignable for unrelated exploration purposes. However, I think this
might be a nice code readability improvement by itself.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
|
| |
|
|
|
|
|
| |
struct list is a common name and can't be used in public headers.
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
| |
Add hash_mac() and apply it when appropriate.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
| |
None of the atomic implementations need a destroy function anymore, so it's
"more standard" and more convenient for users to get rid of them.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a thin wrapper around an atomic_uint. It is useful anyhow because
each ovs_refcount_ref() or ovs_refcount_unref() call saves a few lines of
code.
This commit also changes all the potential direct users over to use the new
data structure.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
| |
C11 is able to require that atomics don't need to be destroyed, but some
of the OVS implementations do.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
| |
Does not matter as long as ovs_assert is a simple macro but if ovs_assert
is converted to a function this will fail.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
| |
Found by Clang.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
|
| |
|
|
|
|
|
|
| |
This patch transitions mac learning away from using tags as required
by future patches.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
| |
Signed-off-by: Ethan Jackson <ethan@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
| |
This commit fixes the warning issued by 'clang' when pointer is casted
to one with greater alignment.
Signed-off-by: Alex Wang <alexw@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
| |
Signed-off-by: Ethan Jackson <ethan@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
| |
With this patch, the mac_learning module takes responsibility for
remembering tags which need revalidation after a
mac_learning_changed() call. This removes one of
ofproto-dpif-xlate's dpif_backer uses.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
|
| |
|
|
|
|
|
|
| |
This is a straight search-and-replace, except that I also removed #include
<assert.h> from each file where there were no assert calls left.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
|
| |
|
|
|
|
|
|
| |
We've had a couple of requests for this over the years. It's easy to do,
so let's implement it.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>
|
| |
|
|
|
|
|
|
| |
Replaced all instances of Nicira Networks(, Inc) to Nicira, Inc.
Feature #10593
Signed-off-by: Raju Subramanian <rsubramanian@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
| |
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
| |
NICS-11.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Most callers of mac_learning_flush() need to revalidate all flows
anyway, but this update forces new callers of mac_learning_flush()
to think about whether or not they need to explicitly handle
revalidation. Also, it's theoretically more efficient when there
are lots of flows but the learning table is empty, (e.g. bridges
that don't use the NORMAL action).
Signed-off-by: Ethan Jackson <ethan@nicira.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When a bit is set in flood_vlans, that VLAN must be flooded, but the logic
here was reversed in the case where there were any flooded VLANs at all.
Thus, if a single VLAN was configured to be flooded, all VLANs except that
one were actually flooded.
The common case where no VLANs were to be flooded was handled correctly.
Reported-by: David Tsai <dtsai@nicira.com>
|
| |
|
|
|
|
|
| |
The mac-learning implementation used a free list to keep track of
statically allocated table entries. This made the code slightly
more difficult to understand than the more straightforward heap
based strategy implemented by this patch.
|
| |
|
|
|
|
|
|
|
| |
The mac-learning 'secret' parameter is intended to prevent an
attacker from turning the mac learning table into a linked list by
using a known hash function to choose perfectly bad mac entries.
However, this parameter was not taken into account in most cases.
Found by inspection.
|
| |
|
|
|
|
|
| |
The mac-learning code predates the hmap data structure in OVS. For
this reason, it rolled it's own hmap-like bucket concept. This
patch converts it to use an hmap which makes the code slightly
simpler and easier to understand.
|
| |
|
|
|
| |
Due to a typo, the mac-learning hash table had dissolved into a
linked list. This caused a significant reduction in performance.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
These new semantics are less efficient in the case where the flood_vlans
actually changed, but that should be very rare.
There are no advantages to this change on its own, but upcoming commits
will add multiple layers between the code supplying the flood_vlans and
actually calling mac_learning_set_flood_vlans(). Consistency in this
multilayered interface seems valuable, and the rest of it does not transfer
ownership from the caller to the callee.
|
| | |
|
| |
|
|
|
| |
The bridge will soon use this for expiring only the MAC learning entries
associated with a given port at port deletion time.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In an upcoming commit I want to store a pointer in MAC learning entries
in the bridge, instead of an integer port number. The MAC learning library
has other clients, and the others do not gracefully fit this new model, so
in fact the data will have to become a union. However, this does not fit
well with the current mac_learning API, since mac_learning_learn()
currently initializes and compares the data. It seems better to break up
the API so that only the client has to know the data's format and how to
initialize it or compare it. This commit makes this possible.
This commit doesn't change the type of the data stored in a MAC learning
entry yet.
As a side effect this commit has the benefit that clients that don't need
gratuitous ARP locking don't have to specify any policy for it at all.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Until now, the collection of coverage counters supported by a given OVS
program was not specific to that program. That means that, for example,
even though ovs-dpctl does not have anything to do with mac_learning, it
still has a coverage counter for it. This is confusing, at best.
This commit fixes the problem on some systems, in particular on ones that
use GCC and the GNU linker. It uses the feature of the GNU linker
described in its manual as:
If an orphaned section's name is representable as a C identifier then
the linker will automatically see PROVIDE two symbols: __start_SECNAME
and __end_SECNAME, where SECNAME is the name of the section. These
indicate the start address and end address of the orphaned section
respectively.
Systems that don't support these features retain the earlier behavior.
This commit also fixes the annoyance that files that include coverage
counters must be listed on COVERAGE_FILES in lib/automake.mk.
This commit also fixes the annoyance that modifying any source file that
includes a coverage counter caused all programs that link against
libopenvswitch.a to relink, even programs that the source file was not
linked into. For example, modifying ofproto/ofproto.c (which includes
coverage counters) caused tests/test-aes128 to relink, even though
test-aes128 does not link again ofproto.o.
|
| |
|
|
|
| |
It's kind of odd for VLOG_DEFINE_THIS_MODULE to supply its own semicolon,
so this commit switches to the more common form.
|
| |
|
|
|
| |
These macros require one fewer argument by switching, which makes code
that uses them shorter and more readable.
|
| |
|
|
|
|
|
| |
Adding a macro to define the vlog module in use adds a level of
indirection, which makes it easier to change how the vlog module must be
defined. A followup commit needs to do that, so getting these widespread
changes out of the way first should make that commit easier to review.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Normally we filter out packets received on a bond if we have
learned the source MAC as belonging to another port to avoid packets
sent on one slave and reflected back on another. The exception to
this is gratuitous ARPs because they indicate that the host
has moved to another port. However, this can result in an additional
problem on the switch that the host moved to if the gratuitous ARP is
reflected back on a bond slave. In this case, we incorrectly relearn
the slave as the source of the MAC address. To solve this, we lock the
learning entry for 5 seconds after receiving a gratuitous ARP against
further updates caused by gratuitous ARPs on bond slaves.
Bug #2516
Reported-by: Ian Campbell <ian.campbell@citrix.com>
|
| |
|
|
|
| |
Many of poll_timer_wait()'s callers actually want to wait until a specific
time, so it's convenient for them to offer a function that does this.
|
| |
|
|
| |
Usually positive names are better than negative ones.
|
| |
|
|
|
|
|
|
|
| |
RSPAN does not work properly unless MAC learning for the VLAN is
disabled on all switches between the origin and monitoring point.
This allows learning to be disabled on a given VLAN so vSwitch can
acts as an intermediate switch.
Feature #2136
|
| |
|
|
|
| |
This function will be used as part of printing the MAC learning table at
user request.
|
| | |
|
| |
|
|
|
|
|
|
| |
The vswitchd bonding code needs to iterate through the table entries to
be able to send out gratuitous learning packets when bond slaves go down.
It might be best to create an abstract interface to the MAC learning table,
but this commit does the simpler thing and exposes the data structures in
the header file.
|
