  1. 18 Jun, 2015 1 commit
  2. 11 Jun, 2015 1 commit
  3. 07 Jun, 2015 1 commit
    • odp-util: Make sure vlan tci mask has exact match for VLAN_CFI. · 1cb39f32
      Alex Wang authored
      The OVS datapath has a check which prevents the installation of a flow
      that matches VLAN TCI but does not have an exact match for the VLAN_CFI
      bit.  To follow this rule, ovs userspace must make sure the
      flow key for a datapath flow matching VLAN TCI has an exact match for the
      VLAN_CFI bit.
      Before this commit, this was not enforced, so an OpenFlow flow like
      "vlan_tci=0x000a/0x0fff,action=output:local" can generate a datapath
      flow like "vlan(vid=10/0xfff,pcp=0/0x0,cfi=1/0)".
      With the OVS datapath check, the installation of such a datapath
      flow will be rejected with:
      "|WARN|system@ovs-system: failed to put[create][modify] (Invalid argument)"
      This commit makes ovs userspace always exact match the VLAN_CFI
      bit if the flow matches VLAN TCI.
      Reported-by: Ronald Lee <ronaldlee@vmware.com>
      Signed-off-by: Alex Wang <alexw@nicira.com>
      Acked-by: Ben Pfaff <blp@nicira.com>
      Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
  4. 03 Jun, 2015 2 commits
  5. 01 Jun, 2015 1 commit
  6. 29 May, 2015 2 commits
  7. 28 May, 2015 1 commit
  8. 27 May, 2015 3 commits
  9. 21 May, 2015 1 commit
  10. 02 May, 2015 1 commit
    • xenserver: Use kernel uname version for XenServer 6.5 · e7e5467e
      Edwin Chiu authored
      In XenServer 6.5, multiple kernel packages with different
      rpm versions can have the same uname.  So, it is not
      necessary for openvswitch kernel module to require the
      exact rpm version.  Instead, the kernel module package
      should check the uname version.
      This commit will add a new variable %{kernel_uname} to
      specify whether to use kernel uname version or kernel
      rpm version as requirement.
      When %{kernel_name} is used, openvswitch-module will have
      "Requires: kernel-uname-r = <uname version>" set instead of
      "Requires: kernel = <version>".
      Reported-by: Gosen Chien <astgosen@ccu.edu.tw>
      Signed-off-by: Edwin Chiu <echiu@vmware.com>
      Signed-off-by: Alex Wang <alexw@nicira.com>
  11. 27 Apr, 2015 1 commit
    • datapath: Stop using __DATE__ and __TIME__ in startup string. · 0ce527f5
      Jesse Gross authored
      An increasing number of distributions ship with GCC 4.9 (including
      Fedora and Ubuntu) that has -Werror=date-time. This causes kernel
      compilation to fail because the builds are not exactly reproducible.
      This simply removes the use of those constants, which was already
      done for the upstream Linux version of the module. It retains the
      version string, however, which should provide the same information
      in most cases.
      Signed-off-by: Jesse Gross <jesse@nicira.com>
      Acked-by: Ben Pfaff <blp@nicira.com>
  12. 17 Apr, 2015 1 commit
  13. 07 Apr, 2015 1 commit
    • ofproto-dpif: Use fat_rwlock instead of ovs_rwlock. · d91f11d0
      Ansis Atteka authored
      This patch fixes a deadlock introduced by commit 6b59b543 (ovs-thread:
      Use fair (but nonrecursive) rwlocks on glibc.)
      If STP is enabled, then a handler thread could have already
      acquired "xlate_rwlock" in xlate_actions() and then might
      attempt to acquire it again in xlate_send_packet(), leading to
      a deadlock:
      pthread_rwlock_rdlock () from /lib/x86_64-linux-gnu/libpthread.so.0
      ovs_rwlock_rdlock_at (l_=0x769cc0, where=0x4f4568 "../ofproto/ofproto-dpif-xlate.c:3600") at ../lib/ovs-thread.c:71
      xlate_send_packet (ofport=0x23b6400, packet=0x7f980400a8d0) at ../ofproto/ofproto-dpif-xlate.c:3600
      ofproto_dpif_send_packet (ofport=<optimized out>, packet=0x7f980400a8d0) at ../ofproto/ofproto-dpif.c:3684
      send_bpdu_cb (pkt=0x7f980400a8d0, port_num=0, ofproto_=0x229a410) at ../ofproto/ofproto-dpif.c:1927
      stp_send_bpdu (p=0x2400c00, bpdu=0x7f980f7e3080, bpdu_size=35) at ../lib/stp.c:1558
      stp_transmit_config (p=0x2400c00) at ../lib/stp.c:1052
      stp_acknowledge_topology_change (p=<optimized out>) at ../lib/stp.c:1301
      stp_received_tcn_bpdu (p=<optimized out>, stp=<optimized out>) at ../lib/stp.c:1353
      stp_received_bpdu (p=0x2400c00, bpdu=0x7f980f7f81e9, bpdu_size=<optimized out>) at ../lib/stp.c:771
      stp_process_packet (packet=0x7f980f7f80f8, xport=0x24594b0) at ../ofproto/ofproto-dpif-xlate.c:840
      process_special (flow=<optimized out>, xport=0x24594b0, packet=0x7f980f7f80f8, ctx=<optimized out>) at ../ofproto/ofproto-dpif-xlate.c:1832
      compose_output_action__ (ctx=0x7f980f7e3730, ofp_port=<optimized out>, check_stp=true) at ../ofproto/ofproto-dpif-xlate.c:1894
      compose_output_action (ofp_port=<optimized out>, ctx=0x7f980f7e3730) at ../ofproto/ofproto-dpif-xlate.c:2031
      output_normal (ctx=0x7f980f7e3730, out_xbundle=0x23d13a0, vlan=<optimized out>) at ../ofproto/ofproto-dpif-xlate.c:1316
      xlate_normal (ctx=0x7f980f7e3730) at ../ofproto/ofproto-dpif-xlate.c:1625
      xlate_output_action (ctx=0x7f980f7e3730, port=<optimized out>, max_len=<optimized out>, may_packet_in=<optimized out>) at ../ofproto/ofproto-dpif-xlate.c:2540
      do_xlate_actions (ofpacts=<optimized out>, ofpacts_len=<optimized out>, ctx=0x7f980f7e3730) at ../ofproto/ofproto-dpif-xlate.c:2833
      xlate_actions__ (xin=0x7f980f7fda40, xout=0x7f980f7e41f0) at ../ofproto/ofproto-dpif-xlate.c:3485
      xlate_actions (xin=0x7f980f7fda40, xout=0x7f980f7e41f0) at ../ofproto/ofproto-dpif-xlate.c:3223
      xlate_actions_for_side_effects (xin=<optimized out>) at ../ofproto/ofproto-dpif-xlate.c:3136
      handle_upcalls (n_upcalls=50, upcalls=0x7f980f7f3080, misses=0x7f980f7fd890, handler=<optimized out>) at ../ofproto/ofproto-dpif-upcall.c:973
      udpif_upcall_handler (arg=0x23e91e0) at ../ofproto/ofproto-dpif-upcall.c:541
      ovsthread_wrapper (aux_=<optimized out>) at ../lib/ovs-thread.c:322
      start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
      clone () from /lib/x86_64-linux-gnu/libc.so.6
      ?? ()
      The patch fixes this deadlock by using fat_rwlock, which still allows
      acquiring a read lock in a recursive manner.
      This bug is not present in master branch because commit
      84f0f298 (ofproto-dpif-xlate: Implement RCU locking in
      ofproto-dpif-xlate) removed xlate_rwlock.
      VMware-BZ: #1425671
      Reported-by: Scott Hendricks <shendricks@nicira.com>
      Signed-off-by: Ansis Atteka <aatteka@nicira.com>
      Acked-by: Ben Pfaff <blp@nicira.com>
      Acked-by: Alex Wang <alexw@nicira.com>
  14. 06 Apr, 2015 1 commit
    • netdev-dummy: add appctl netdev-dummy/conn-state command · ae2c62e5
      Andy Zhou authored
      Used without any parameter, this command lists the connection
      state of all netdev-dummy devices that are configured to make
      active connections.
      Optionally, the name of the netdev-dummy device can be supplied
      as a parameter.
      The states will be displayed as:
      "connected": The socket has been connected to the listener.
      "disconnected": The socket is not connected.
      "unknown":  It is not an active dummy device.
      CC: Jarno Rajahalme <jrajahalme@nicira.com>
      Signed-off-by: Andy Zhou <azhou@nicira.com>
      Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
  15. 05 Apr, 2015 1 commit
  16. 04 Apr, 2015 1 commit
    • acinclude: Always assume buggy strtok_r() for glibc < 2.8. · cbcd9601
      Ben Pfaff authored
      Lately our internal build system has been seeing intermittent failures that
      I can't explain.  With old glibc versions, the "configure" time check will
      pass, but the equivalent (almost identical) "make check" test will fail.
      One possibility, I guess, is that occasionally address space randomization
      will put valid data at the 0xc0ffee address that the test assumes will
      segfault, and another is that some change in compiler optimization flags
      is making a difference.  At any rate, I think it's safe to just always
      assume that this strtok_r() bug is present whenever glibc before 2.8 is
      in use.
      Specifically we've seen this happen intermittently when building against
      the XenServer DDK 5.6.100 build 39265, which uses glibc 2.5.
      Reported-by: Alex Wang <alexw@nicira.com>
      Signed-off-by: Ben Pfaff <blp@nicira.com>
      Acked-by: Alex Wang <alexw@nicira.com>
  17. 03 Apr, 2015 3 commits
  18. 28 Mar, 2015 1 commit
    • ofproto-dpif: Set need_revalidate when removing cfm from ofport. · 0e45cfe4
      Alex Wang authored
      When cfm is deleted from a port, all modules should release their
      reference so that the cfm struct can be removed from the global hmap
      and freed.  Therein, the reference held by xlate module can only be
      released when the need_revalidate flag is set (e.g. set to
      REV_RECONFIGURE).  And this flag should be set while removing cfm
      from ofport.  Unfortunately, this has never been done before and the
      bug was hidden by another bug fixed in recent commit a1908399
      (netdev-vport: Do not update netdev when there is no config change.)
      To fix this issue, this commit makes the code set need_revalidate
      when removing cfm from ofport.
      Signed-off-by: Alex Wang <alexw@nicira.com>
      Acked-by: Ben Pfaff <blp@nicira.com>
  19. 27 Mar, 2015 2 commits
    • netdev-linux: Make htb quantum always no less than mtu. · 3638617d
      Alex Wang authored
      Currently, ovs uses hardcoded rate2quantum = 10 for each htb qdisc.
      When qdisc class's rate is small, the resulting quantum (calculated
      by min_rate / rate2quantum) will be smaller than MTU.  This is not
      recommended and tc will keep complaining with the following in syslog:
      localhost kernel: HTB: quantum of class 10003 is small. Consider r2q change.
      localhost kernel: HTB: quantum of class 10004 is small. Consider r2q change.
      localhost kernel: HTB: quantum of class 10005 is small. Consider r2q change.
      localhost kernel: HTB: quantum of class 10006 is small. Consider r2q change.
      To fix the issue, this commit makes ovs always use htb quantum no less
      than the MTU.
      Signed-off-by: Alex Wang <alexw@nicira.com>
      Acked-by: Ben Pfaff <blp@nicira.com>
    • netdev-vport: Do not update netdev when there is no config change. · aaa1c7a9
      Alex Wang authored
      When there is any update from ovsdb, ovs will call netdev_set_config()
      for every vport.  Even though the change is not related to vport, the
      current implementation will always increment the per-netdev sequence
      number.  Subsequently this could cause even more unwanted effects,
      e.g. the recreation of 'struct tnl_port' in ofproto level.
      This commit fixes the issue by only updating the netdev when there
      is an actual configuration change.
      Signed-off-by: Alex Wang <alexw@nicira.com>
      Acked-by: Ben Pfaff <blp@nicira.com>
  20. 24 Mar, 2015 1 commit
  21. 18 Mar, 2015 1 commit
  22. 10 Mar, 2015 1 commit
    • xenserver: Fix build spec for XenServer 6.5. · 95c6aa03
      Edwin Chiu authored
      The latest XenServer 6.5 uses a new way for kernel version naming.
      Therein, the kernel flavor could not be found anymore.  Also, the
      directory name in 'lib/modules/' becomes a shortened version of
      kernel version. e.g.:
      [root@localhost ~]# ls /lib/modules/
      As a workaround, this commit modifies the spec file to make
      %{kernel_flavor} optional and %{xen_version} definable by users.
      In the long run, I'd like to spend time refining the spec file.
      Signed-off-by: Edwin Chiu <echiu@vmware.com>
      Signed-off-by: Alex Wang <alexw@nicira.com>
  23. 04 Mar, 2015 1 commit
    • datapath: simplify sample action implementation · b9530422
      Andy Zhou authored
      The current sample() function implementation is more complicated
      than necessary in handling single user space action optimization
      and skb reference counting. There are no functional changes.
      Msg from Chris Dunlop:
      The commit isn't actually designed to address the problem directly,
      however in simplifying sample() it removes a call to skb_get(). The
      skb_get() makes the skb shared, which later causes us to hit the BUG().
      E.g. your v2.3.1 stack trace shows this call path:
        + netdev_port_receive
          | skb is guaranteed not-shared, via:
          |   skb = skb_share_check(skb, GFP_ATOMIC);
          + ovs_vport_receive
            + ovs_dp_process_received_packet
              + ovs_dp_process_packet_with_key
                + ovs_execute_actions
                  + do_execute_actions
                    | nla_type(a) == OVS_ACTION_ATTR_SAMPLE
                    + sample
                      | skb is made shared here, via:
                      |   sample_skb = skb;
                      |   skb_get(skb);
                      + do_execute_actions
                        | nla_type(a) == OVS_ACTION_ATTR_USERSPACE
                        + output_userspace
                          + ovs_dp_upcall
                            + queue_userspace_packet
                              + skb_checksum_help
                                + pskb_expand_head
                                  | if (skb_shared(skb))
                                  |         BUG();        BOOM!!!
      Reported-by: Chris Dunlop <chris@onthe.net.au>
      Reported-by: "Xu (Simon) Chen" <xchenum@gmail.com>
      Signed-off-by: Andy Zhou <azhou@nicira.com>
      Acked-by: Pravin B Shelar <pshelar@nicira.com>
  24. 03 Mar, 2015 1 commit
  25. 20 Feb, 2015 3 commits
    • datapath: Fix net exit. · 531af54d
      Pravin B Shelar authored
      Open vSwitch allows moving an internal vport to a different namespace
      while still connected to the bridge. But when the namespace is deleted,
      OVS does not detach these vports, which results in a dangling
      pointer to the netdevice and causes a kernel panic as follows.
      This issue is fixed by detaching all ovs ports from the deleted
      namespace at net-exit.
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
      IP: [<ffffffffa0aadaa5>] ovs_vport_locate+0x35/0x80 [openvswitch]
      Oops: 0000 [#1] SMP
      Call Trace:
       [<ffffffffa0aa6391>] lookup_vport+0x21/0xd0 [openvswitch]
       [<ffffffffa0aa65f9>] ovs_vport_cmd_get+0x59/0xf0 [openvswitch]
       [<ffffffff8167e07c>] genl_family_rcv_msg+0x1bc/0x3e0
       [<ffffffff8167e319>] genl_rcv_msg+0x79/0xc0
       [<ffffffff8167d919>] netlink_rcv_skb+0xb9/0xe0
       [<ffffffff8167deac>] genl_rcv+0x2c/0x40
       [<ffffffff8167cffd>] netlink_unicast+0x12d/0x1c0
       [<ffffffff8167d3da>] netlink_sendmsg+0x34a/0x6b0
       [<ffffffff8162e140>] sock_sendmsg+0xa0/0xe0
       [<ffffffff8162e5e8>] ___sys_sendmsg+0x408/0x420
       [<ffffffff8162f541>] __sys_sendmsg+0x51/0x90
       [<ffffffff8162f592>] SyS_sendmsg+0x12/0x20
       [<ffffffff81764ee9>] system_call_fastpath+0x12/0x17
      Reported-by: Assaf Muller <amuller@redhat.com>
      Fixes: 46df7b81454("openvswitch: Add support for network namespaces.")
      Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
      Reviewed-by: Thomas Graf <tgraf@noironetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Upstream: 7b4577a9da ("openvswitch: Fix net exit").
      Acked-by: Andy Zhou <azhou@nicira.com>
    • socket-util: Use correct address family in set_dscp(), instead of guessing. · ba8df9af
      Ben Pfaff authored
      The set_dscp() function, until now, tried to set the DSCP as IPv4 and as
      IPv6. This worked OK on Linux, where an ENOPROTOOPT error made it really
      clear which one was wrong, but FreeBSD uses EINVAL instead, which has
      multiple meanings and which it therefore seems somewhat risky to ignore.
      Instead, this commit just tries to set the correct address family's DSCP
      Tested by Alex Wang on FreeBSD 9.3.
      Reported-by: Atanu Ghosh <atanu@acm.org>
      Signed-off-by: Ben Pfaff <blp@nicira.com>
      Co-authored-by: Alex Wang <alexw@nicira.com>
      Signed-off-by: Alex Wang <alexw@nicira.com>
      Tested-by: Alex Wang <alexw@nicira.com>
    • stream: Eliminate pstream_set_dscp(). · 611f766e
      Ben Pfaff authored
      This function is really of marginal utility.  This commit drops it and
      makes the existing callers instead open a new pstream with the desired
      The ulterior motive here is that the set_dscp() function that actually sets
      the DSCP on a socket really wants to know the address family (AF_INET vs.
      AF_INET6).  We could plumb that down through the stream code, and that's
      one reasonable option, but I thought that simply eliminating some calls
      to set_dscp() where we don't already have the address family handy was
      another reasonable way to go.
      Signed-off-by: Ben Pfaff <blp@nicira.com>
      Acked-by: Alex Wang <alexw@nicira.com>
  26. 17 Feb, 2015 1 commit
  27. 13 Feb, 2015 2 commits
    • ofp-parse: Correctly update bucket lists if they are empty. · d7415215
      Ben Pfaff authored
      Previously, list_moved() only worked with non-empty lists, but this was a
      caveat that was really easy to miss.  parse_ofp_group_mod_file() had a bug
      because it didn't honor that restriction.  This commit fixes the problem,
      by modifying the list_moved() interface to be harder to use incorrectly
      and then updating the callers.
      Reported-by: Simon Horman <simon.horman@netronome.com>
      Signed-off-by: Ben Pfaff <blp@nicira.com>
      Acked-by: Thomas Graf <tgraf@noironetworks.com>
    • mac-learning: Implement per-port MAC learning fairness. · 76438edd
      Ben Pfaff authored
      In "MAC flooding", an attacker transmits an overwhelming number of frames
      with unique Ethernet source addresses on a switch port.  The goal is to
      force the switch to evict all useful MAC learning table entries, so that
      its behavior degenerates to that of a hub, flooding all traffic.  In turn,
      that allows an attacker to eavesdrop on the traffic of other hosts attached
      to the switch, with all the risks that that entails.
      Before this commit, the Open vSwitch "normal" action that implements its
      standalone switch behavior (and that can be used by OpenFlow controllers
      as well) was vulnerable to MAC flooding attacks.  This commit fixes the
      problem by implementing per-port fairness for MAC table entries: when
      the MAC table is at its maximum size, MAC table eviction always deletes an
      entry from the port with the most entries.  Thus, MAC entries will never
      be evicted from ports with only a few entries if a port with a huge number
      of entries exists.
      Controllers could introduce their own MAC flooding vulnerabilities into
      OVS.  For a controller that adds destination MAC based flows to an OpenFlow
      flow table as a reaction to "packet-in" events, such a bug, if it exists,
      would be in the controller code itself and would need to be fixed in the
      controller.  For a controller that relies on the Open vSwitch "learn"
      action to add destination MAC based flows, Open vSwitch has existing
      support for eviction policy similar to that implemented in this commit
      through the "groups" column in the Flow_Table table documented in
      ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
      familiar with eviction groups read that documentation.
      In addition to implementation of per-port MAC learning fairness,
      this commit includes some closely related changes:
          - Access to client-provided "port" data in struct mac_entry
            is now abstracted through helper functions, which makes it
            easier to ensure that the per-port data structures are maintained
          - The mac_learning_changed() function, which had become trivial,
            vestigial, and confusing, was removed.  Its functionality was folded
            into the new function mac_entry_set_port().
          - Many comments were added and improved; there had been a lot of
            comment rot in previous versions.
      CERT: VU#784996
      Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
      Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
      Signed-off-by: Ben Pfaff <blp@nicira.com>
      Acked-by: Ethan Jackson <ethan@nicira.com>
  28. 11 Feb, 2015 1 commit
  29. 07 Feb, 2015 2 commits
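
Added example (not code from the Open vSwitch tree): a minimal C model of the per-port fairness eviction described in commit 76438edd above, with plain LRU eviction alongside for contrast. The table size, port count, struct layout, function names and the choice of the least recently used entry within the heaviest port are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8   /* constructed limit, tiny so the effect is visible */
#define MAX_PORTS   4   /* valid ports are 0..MAX_PORTS-1 */
struct mac_entry { uint8_t mac[6]; int port; unsigned long used; };
struct mac_table {
    struct mac_entry e[MAX_ENTRIES];  /* slots 0..n-1 are in use */
    int per_port[MAX_PORTS];          /* entries currently learned per port */
    int n, fair;                      /* fair != 0: per-port fairness; 0: plain LRU */
    unsigned long clock;              /* logical time used for LRU ordering */
};

static int find(const struct mac_table *t, const uint8_t mac[6]) {
    for (int i = 0; i < t->n; i++)
        if (!memcmp(t->e[i].mac, mac, 6)) return i;
    return -1;
}

/* Called only when the table is full, so every slot is in use. */
static int pick_victim(const struct mac_table *t) {
    int heavy = 0, victim = -1;
    for (int p = 1; p < MAX_PORTS; p++)
        if (t->per_port[p] > t->per_port[heavy]) heavy = p;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (t->fair && t->e[i].port != heavy) continue;  /* spare lighter ports */
        if (victim < 0 || t->e[i].used < t->e[victim].used) victim = i;
    }
    return victim;
}

void mac_learn(struct mac_table *t, const uint8_t mac[6], int port) {
    int i = find(t, mac);
    if (i < 0 && t->n == MAX_ENTRIES) i = pick_victim(t);  /* full: evict first */
    if (i >= 0) t->per_port[t->e[i].port]--;  /* slot reused: refresh, move or eviction */
    else i = t->n++;                          /* take the next free slot */
    memcpy(t->e[i].mac, mac, 6);
    t->e[i].port = port; t->e[i].used = ++t->clock;
    t->per_port[port]++;
}

/* Returns the learned port, or -1 when the switch would have to flood. */
int mac_lookup(const struct mac_table *t, const uint8_t mac[6]) {
    int i = find(t, mac);
    return i >= 0 ? t->e[i].port : -1;
}

/* Constructed scenario: hosts on ports 1 and 2, then 1000 unique MACs on port 3. */
int hosts_surviving_flood(int fair) {
    struct mac_table t;
    uint8_t a[6] = {2, 0, 0, 0, 0, 0xaa}, b[6] = {2, 0, 0, 0, 0, 0xbb};
    memset(&t, 0, sizeof t); t.fair = fair;
    mac_learn(&t, a, 1); mac_learn(&t, b, 2);
    for (unsigned i = 0; i < 1000; i++) {
        uint8_t m[6] = {2, 0xff, 0, 0, (uint8_t)(i >> 8), (uint8_t)i};
        mac_learn(&t, m, 3);
    }
    return (mac_lookup(&t, a) == 1) + (mac_lookup(&t, b) == 2);
}

int main(void) {
    printf("hosts still learned: plain LRU %d/2, per-port fairness %d/2\n",
           hosts_surviving_flood(0), hosts_surviving_flood(1));
}
```

With plain LRU the two legitimate entries are the oldest and are evicted first, so traffic to those hosts is flooded; with fairness every eviction comes out of the flooding port's own share of the table.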