Age | Commit message (Collapse) | Author |
|
integrity only."
This reverts commit 00c7faf3e5b7d4020e995a1429cf94313f197171.
In general, it should not be possible have a NULL return value from
skb_gso_segment() since we're not actually trying to verify the
header integrity. No other callers with similar needs have NULL
checks. The actual cause of the problem was LRO packets, which
OVS isn't equipped to handle. The commit
33e031e99cc630baf1b0cb9256710dee7d9ab66d (datapath: Move LRO check
from transmit to receive.) solves that problem by fixing the LRO
check. In order to avoid possibly masking any other problems, this
reverts the GSO check which should no longer be needed.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Conflicts:
datapath/datapath.c
|
|
Commit 24b019f808211a95078efd916064af0975ca5733 (datapath: Disable
LRO from userspace instead of the kernel.) accidentally moved the
check for LRO packets from the receive path to transmit. Since
this check is supposed to protect OVS (and other parts of the system)
from packets that it cannot handle it is obviously not useful on
egress. Therefore, this commit moves it back to the receive side.
The primary problem that this caused is upcalls to userspace tried
to segment the packet even though no segmentation information is
available. This would later cause NULL pointer dereferences when
skb_gso_segment() did nothing.
Bug #14772
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
|
skb_gso_segment() has the following comment:
* It may return NULL if the skb requires no segmentation. This is
* only possible when GSO is used for verifying header integrity.
Somehow queue_gso_packets() has never hit this case before, but some
failures have suddenly been reported. This commit should fix the problem.
Additional commentary by Jesse: We shouldn't normally be hitting this case
because we're actually trying to do GSO, not header validation. However, I
guess the guest/backend must be generating a packet with an MSS, which
tricks us into thinking that it's GSO, but no GSO is actually requested.
In the case of the bridge, header validation does take place so the
situation is handled already. It seems not ideal that the network backend
doesn't sanitize these packets but it's probably good that we handle
it in any case.
Bug #14772.
Reported-by: Deepesh Govindan <dgovindan@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
|
|
Signed-off-by: Justin Pettit <jpettit@nicira.com>
|
|
Signed-off-by: Justin Pettit <jpettit@nicira.com>
|
|
The old algorithm tries to converge to 0, despite it would mean a very
unbalanced situation. We're aiming for an ideal ratio of 1, meaning both
the 'from' and 'to' slave have the same load. Therefore, we only move an
entry if it decreases the load on 'from', and brings us closer to equal
traffic load.
Signed-off-by: Zoltan Kiss <zoltan.kiss@citrix.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
When I wrote the "trap" calls in ovs-ctl, I had the mistaken notion that
"trap $cmd $signal" would execute $cmd and then exit when $signal was
caught. This is incorrect. Instead, it executes $cmd and then resumes
executing the shell script.
On the other hand, "trap $cmd 0" does by itself what I wanted: it causes
the shell to execute $cmd and then exits due to the signal. So this commit
changes the offending traps to use this form.
Bug #14290.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>
|
|
If a negative number is supplied, the parsing code used to convert it
into a signed one. We ran into an incident where a third-party script
was attempting to get the OpenFlow port number for an interface, but got
-1 from the database, since the number had not yet been assigned. This
was converted to 65535, which maps to OFPP_NONE and all flows with
ingress port OFPP_NONE were modified. This commit disallows negative
port numbers to help prevent broken integration scripts from disturbing
the flow table.
Issue #14036
Signed-off-by: Justin Pettit <jpettit@nicira.com>
|
|
If the loop condition in Stream.connect() was false, which is especially
likely for TCP connections, then Stream.connect() would return None,
which violates its documented behavior. This commit fixes the problem.
Reported-by: Isaku Yamahata <yamahata@valinux.co.jp>
Tested-by: Isaku Yamahata <yamahata@valinux.co.jp>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Use DSCP bits from ToS set on tunnel.
This is a crossport of commit 749ae9504293dbb695dd67402acbd47acbcbeb83
from master.
Bug #8822.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
|
|
This patch fixes a possible lock-up bug where rtnl_lock might not
get released.
This is a crossport of commit 7a6c067d1ad65ae4abdb723b25a4ab591d1d2bc3
from master.
Acked-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
|
|
When collecting TCP flags we check that the IP header indicates that
a TCP header is present but not that the packet is actually long
enough to contain the header. This adds a check to prevent reading
off the end of the packet.
In practice, this is only likely to result in reading of bad data and
not a crash due to the presence of struct skb_shared_info at the end
of the packet.
This is a crossport of commit 9c47b45a3bb56009bf2553c493d097eeadd7e5c2
from master.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
|
Following patch fixes compilation error on older kernel.
This is a crossport of commit 08d19ca9fef29b23826f1fb52e2368a9077783ca
from master.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
|
|
When modifying IP addresses or ports on a UDP packet we don't
correctly follow the rules for unchecksummed packets. This meant
that packets without a checksum can be given a incorrect new checksum
and packets with a checksum can become marked as being unchecksummed.
This fixes it to handle those requirements.
This is a crossport of commit 55ce87bcd542cc26def11000c9dee7690b7c3155
from master.
Bug #8937.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
|
When OVS_VPORT_ATTR_NAME is specified and dp_ifindex is nonzero, the
logical behavior would be for the vport name lookup scope to be limited
to the specified datapath, but in fact the dp_ifindex value was ignored.
This commit causes the search scope to be honored.
This is a crossport of commit 24ce832d5e076e5686b15d2aadd39e8c0818e932
from master.
Bug #9889.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
|
|
When unparsing the kernel tunnel configuration, TTL was incorrectly
converted to "tos". Although it leads to confusing configuration
output, actual operation is not affected.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>
|
|
|
|
This is analogous to the change made in userspace with
2508ac16defd417b94fb69689b6b1da4fbc76282 (odp-util: Update
ODPUTIL_FLOW_KEY_BYTES for current kernel flow format.). The extra
space for vlan encapsulation was not included in the allocation for
maximum length flows.
Found by code inspection and to my knowledge has never been hit, likely
because skb allocations are padded out to a cacheline, making userspace
more susceptible to this problem than the kernel. In theory, however,
the right combination of flow and packet size could result in a kernel
panic.
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Kyle Mestery <kmestery@cisco.com>
|
|
It's possible that packets that are sent on internal devices (from
the OVS perspective) have already traversed the local IP stack.
After they go through the internal device, they will again travel
through the IP stack which may get confused by the presence of
existing information in the skb. The problem can be observed
when switching between namespaces. This clears out that information
to avoid problems but deliberately leaves other metadata alone.
This is to provide maximum flexibility in chaining together OVS
and other Linux components.
Bug #10995
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
|
This counter was off by one, because port_num
should be less than STP_MAX_PORTS.
This caused an assert hit later in stp_get_port().
Issue: 13059
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Reported-by: Ram Jothikumar <rjothikumar@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
|
|
The bonding code is supposed to tag flows two ways:
- According to the chosen bond slave, to make it easy to invalidate all
of the flows assigned to a given slave.
- According to the hash value for a flow, to make it easy to invalidate
all of the flows that hash into the same bucket.
However, the code wasn't actually applying the hash-based tags. This
meant that rebalancing didn't take effect immediately, and so after
rebalancing we could get log messages like this:
inconsistency in subfacet (actions were: 5) (correct actions: 4)
specifying some flow that was moved by the rebalance.
This commit fixes the problem by applying the hash-based tags.
Bug #12847.
Reported-by: Pratap Reddy <preddy@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
|
|
Open vSwitch 1.4 and later is compatible with the upstream Linux kernel
module but the init scripts hadn't been adapted to work with the upstream
module name.
Debian bug #684057.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
When installing a flow with an action to set a particular field we
need to validate that the packets that are part of the flow actually
contain that header. With IP we use zeroed addresses and with TCP/UDP
the check is for zeroed ports. This check is overly broad and can catch
packets like DHCP requests that have a zero source address in a
legitimate header. This changes the check to look for a zeroed protocol
number for IP or for both ports be zero for TCP/UDP before considering
the header to not exist.
Bug #12769
Reported-by: Ethan Jackson <ethan@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
|
|
This probably means that some classifier functions based on the fragment
type of packets have never worked properly.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
POSIX states that the string returned by strerror() may be overwritten
by a subsequent call (i.e., because it returns a pointer to a static
buffer). Make a copy of one of the two strerror() strings to avoid
this.
Background: FreeBSD historically returned such a pointer only in the
case of an invalid errno. With the addition of NLS strerror was changed
to do so for all calls.
Prior to this change I had confusing results from the test suite like
"... is 22 (Invalid argument) but should be 0 (Invalid argument)".
Signed-off-by: Ed Maste <emaste@adaranet.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
This may be more useful in practice than failing the entire OVS startup
sequence.
Debian bug #681955.
CC: 681955@bugs.debian.org
Reported-by: Bastian Blank <waldi@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Simon Horman <horms@verge.net.au>
|
|
ovs-vsctl is listed, incorrectly, in both bin_PROGRAMS and bin_SCRIPTS.
This meant that "make install" with the -j option could try to install
ovs-vsctl two times in parallel, a race that occasionally caused a build
failure, e.g.:
http://buildd.debian.org/status/fetch.php?pkg=openvswitch&arch=s390&ver=1.4.2%2Bgit20120612-5&stamp=1342851603
Debian bug #682384.
CC: 682384@bugs.debian.org
Reported-by: Bastian Blank <waldi@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
A Debian package is expected to remove all its configuration files (which
includes all files in /etc) when it is purged, but the
openvswitch-controller package wasn't doing that. This fixes the problem.
Debian bug #682187.
CC: 682187@bugs.debian.org
Reported-by: Andreas Beckmann <debian@abeckmann.de>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Debian kernel maintainer Bastian Blank writes, at
http://bugs.debian.org/680537:
The netfilter rules are a shared resource. There is no synchronization,
so the admin have the last word. As kernel maintainer, I see it similar
to a configuration file, so §10.7 policy applies.
The purpose of openvswitch is to provide support for switching, not to
setup filter rules. This means it violates the principle of least
surprise.
I believe that the argument by analogy to configuration files is weak,
given that the Debian policy section in question is very specifically about
files, not about general principles. On the other hand, Debian does not
install any firewall by default, so the presence of a rule that blocks GRE
traffic is a sign that the administrator has taken an explicit action to
install a firewall that blocks GRE, and therefore it is rather rude to
override this. Therefore, this patch simply turns off this behavior on
Debian, given that in ordinary Debian installations it will have no
adverse effect on Open vSwitch.
Debian bug #680537.
CC: 680537@bugs.debian.org
Reported-by: Bastian Blank <waldi@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Simon Horman <horms@verge.net.au>
|
|
Found by valgrind:
Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised
byte(s)
at 0x42D3021: sendmsg (in /lib/libc-2.5.so)
by 0x80E4D23: nl_sock_transact (netlink-socket.c:670)
by 0x80D9086: dpif_linux_execute__ (dpif-linux.c:872)
by 0x807D6AE: dpif_execute__ (dpif.c:957)
by 0x807D6FE: dpif_execute (dpif.c:987)
by 0x805DED9: send_packet (ofproto-dpif.c:4727)
by 0x805F8E1: port_run_fast (ofproto-dpif.c:2441)
by 0x8065CF6: run_fast (ofproto-dpif.c:926)
by 0x805674F: ofproto_run_fast (ofproto.c:1148)
by 0x804C957: bridge_run_fast (bridge.c:1980)
by 0x8053F49: main (ovs-vswitchd.c:123)
Address 0xbea0895c is on thread 1's stack
Bug #11797.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
At the point where it was used, skb_shinfo(skb)->gso_type referred to a
post-GSO sk_buff. Thus, it would always be 0. We want to know the pre-GSO
gso_type, so we need to obtain it before segmenting.
Before this change, the kernel would pass inconsistent data to userspace:
packets for UDP fragments with nonzero offset would be passed along with
flow keys that indicate a zero offset (that is, the flow key for "later"
fragments claimed to be "first" fragments). This inconsistency tended
to confuse Open vSwitch userspace, causing it to log messages about
"failed to flow_del" the flows with "later" fragments.
Bug #12394.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
|
|
This hasn't been necessary for a long time.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
ovs-ctl.in uses /etc/protocols, which is in the "netbase" package, so a
dependency is required.
Debian bug #680537.
CC: 680537@bugs.debian.org
Reported-by: Bastian Blank <waldi@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Bug #12301.
Reported-by: Mike Kruze <mkruze@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
mlockall(2) says:
Memory locks are not inherited by a child created via fork(2) and are
automatically removed (unlocked) during an execve(2) or when the
process terminates.
which means that --mlockall was ineffective in combination with --detach
or --monitor or both. Both are used in the most common production
configuration of Open vSwitch, so this means that --mlockall has never been
effective in production.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
On FreeBSD sig_atomic_t is long, which causes the comparison in
fatal_signal_run to be true when no signal has been reported.
Signed-off-by: Ed Maste <emaste@freebsd.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
By default DKMS doesn't build on demand for each kernel booted or updated.
Adding AUTOINSTALL=yes gives it this behavior. Based on a small sample of
Debian packages and how-to guides for Ubuntu, AUTOINSTALL=yes is what most
packages use and what users expect.
Fix-suggested-by: Kirill Kabardin
Reported-by: Ralf Heiringhoff <ralf@frosty-geek.net>
Reported-at: https://bugs.launchpad.net/bugs/962189
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Found by valgrind.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Fix return check typo.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Bug #11933
|
|
In one edge case, ofoperation_complete() destroys its rule, without
updating its ofoperation that the rule is gone. Later in the same
function, ofoperation_destroy() attempts to modify the rule which
already destroyed.
Bug #11797.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
|
|
|
|
Reported-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Before we submitted the kernel module upstream, we updated the flow format
by adding two fields to the description of packets with VLAN headers, but
we forgot to update ODPUTIL_FLOW_KEY_BYTES to reflect these changes. The
result was that a maximum-length flow did not fit in the given space.
This fixes a crash processing IPv6 neighbor discovery packets with VLAN
headers received in a tunnel configured with key=flow or in_key=flow.
This updates some comments to better describe the implications of
ODPUTIL_FLOW_KEY_BYTES (suggested by Justin).
This also updates test-odp.c so that it would have caught this problem, and
updates odp.at to demonstrate that a full 156 bytes are necessary. (To see
that, revert the change to ODPUTIL_FLOW_KEY_BYTES and run the test.)
Reported-by: Dan Wendlandt <dan@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Until now, bridges with datapath_type=netdev did not destroy the datapath
when deleted. In particular, the tap device implementing the internal
interface was not close()d, and therefore the tap persists until
ovs-vswitchd exit()s.
This behaviour was caused by the missing callback for 'enumerate' in the
dpif-netdev class. Without this callback 'bridge_reconfigure' failed to
realize that there are datapaths with no bridge, and thus cannot destroy
them. Providing an 'enumerate' callback fixes this.
Signed-off-by: Giuseppe Lettieri <g.lettieri@iet.unipi.it>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Some OpenFlow 1.0 controllers incorrectly use OPFP_CONTROLLER as the
in_port in packet-out messages, when OFPP_NONE is their intent. Until now,
Open vSwitch has rejected such requests with an error message. This commit
makes Open vSwitch instead treat OFPP_CONTROLLER the same as OFPP_NONE for
compatibility with those controllers.
(Also, as of this writing, OpenFlow 1.0.1 appears to be changing the port
to use from OFPP_NONE to OFPP_CONTROLLER.)
Suggested-by: Rob Sherwood <rob.sherwood@bigswitch.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
If the daemon(s) aren't running for whatever reason, the RHEL ovs
ifup/ifdown scripts don't take that into account and an attempt to reboot a
system could take forever. (literally. endless loop!) Here are a couple of
patches (one of ifup, one for ifdown) to add timeouts (10 seconds), because
it runs per interface you have configured and that could take awhile to
reboot a system if needed.
Signed-off-by: Brian Kruger <bkruger+ovsdev@gmail.com>
[blp@nicira.com fixed up a conflict against master]
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
When the kernel validates set TCP/UDP port actions, it looks at
the ports in the existing flow to make sure that the L4 header exists.
However, these actions always use the IPv4 version of the struct.
Following patch fixes this by checking for flow ip protocol first.
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Bug #11205
|
|
Reported-by: Greg Dahlman <gdahlman@hotmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
|