Re: [ovs-dev] [PATCH v3 0/6] IPsec support for tunneling

2018-07-27 Thread Qiuyu Xiao
In both cases, IPsec won't be correctly set up in the system. The traffic might be sent out in cleartext. Maybe we can let the ovs-monitor-ipsec daemon monitor whether IPsec tunnel is actually taking effect in the system and report it on the tunnel interface, so that user won't have wrong

Re: [ovs-dev] [PATCH v3 0/6] IPsec support for tunneling

2018-07-27 Thread Ben Pfaff
On Fri, Jul 27, 2018 at 04:32:32PM -0700, Ben Pfaff wrote:
> On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
> > This patch series reintroduce IPsec support for OVS tunneling and
> > enable OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
> > tunnels are supported.

Re: [ovs-dev] [PATCH v3 0/6] IPsec support for tunneling

2018-07-27 Thread Ben Pfaff
On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
> This patch series reintroduce IPsec support for OVS tunneling and
> enable OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
> tunnels are supported. StrongSwan and LibreSwan IKE daemons are
> supported.

Thank you. My first

Re: [ovs-dev] [ovs-dev, PATCHv2, 2 of 2] dpif-netlink: Add meter support.

2018-07-27 Thread 0-day Robot
Bleep bloop. Greetings Justin Pettit, I am a robot and I have tried out your patch. Thanks for your contribution. I encountered some error that I wasn't expecting. See the details below. checkpatch: WARNING: Line is 80 characters long (recommended limit is 79) #272 FILE:

Re: [ovs-dev] [PATCHv2 1/2] dpif: Move common meter checks into the dpif layer.

2018-07-27 Thread Ben Pfaff
On Fri, Jul 27, 2018 at 02:19:12PM -0700, Justin Pettit wrote:
> Another dpif provider will soon add support for meters, so move
> some of the common sanity checks up into the dpif layer so that each
> provider doesn't need to re-implement them.
>
> Signed-off-by: Justin Pettit
> ---
> v2: This

[ovs-dev] [PATCHv2 2/2] dpif-netlink: Add meter support.

2018-07-27 Thread Justin Pettit
From: Andy Zhou To work with kernel datapath that supports meter. Signed-off-by: Andy Zhou Co-authored-by: Justin Pettit Signed-off-by: Justin Pettit Acked-by: Alin Gabriel Serdean --- v1->v2: Addressed Ben's comments. --- Documentation/faq/releases.rst | 1 + lib/dpif-netlink.c

[ovs-dev] [PATCHv2 1/2] dpif: Move common meter checks into the dpif layer.

2018-07-27 Thread Justin Pettit
Another dpif provider will soon add support for meters, so move some of the common sanity checks up into the dpif layer so that each provider doesn't need to re-implement them. Signed-off-by: Justin Pettit --- v2: This patch is new to the series. --- lib/dpif-netdev.c | 15 +++

Re: [ovs-dev] [ovs-dev, v3, 4 of 6] Documentation: IPsec tunnel tutorial and documentation.

2018-07-27 Thread 0-day Robot
Bleep bloop. Greetings Qiuyu Xiao, I am a robot and I have tried out your patch. Thanks for your contribution. I encountered some error that I wasn't expecting. See the details below. checkpatch: ERROR: Too many signoffs; are you missing Co-authored-by lines? Lines checked: 789, Warnings: 0,

Re: [ovs-dev] [ovs-dev, v3, 3 of 6] debian and rhel: Create IPsec package.

2018-07-27 Thread 0-day Robot
Bleep bloop. Greetings Qiuyu Xiao, I am a robot and I have tried out your patch. Thanks for your contribution. I encountered some error that I wasn't expecting. See the details below. checkpatch: ERROR: Too many signoffs; are you missing Co-authored-by lines? Lines checked: 400, Warnings: 0,

Re: [ovs-dev] [ovs-dev, v3, 2 of 6] ipsec: reintroduce IPsec support for tunneling

2018-07-27 Thread 0-day Robot
Bleep bloop. Greetings Qiuyu Xiao, I am a robot and I have tried out your patch. Thanks for your contribution. I encountered some error that I wasn't expecting. See the details below. checkpatch: ERROR: Too many signoffs; are you missing Co-authored-by lines? WARNING: Line has trailing

[ovs-dev] [PATCH v3 6/6] OVN: native support for tunnel encryption

2018-07-27 Thread Qiuyu Xiao
This patch adds IPsec support for OVN tunnel. Basically, OVN offers a binary option to its user for encryption configuration. If the IPsec option is turned on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted. The changes are summarized as below: 1) Added a ipsec column on

[ovs-dev] [PATCH v3 4/6] Documentation: IPsec tunnel tutorial and documentation.

2018-07-27 Thread Qiuyu Xiao
tutorials/index.rst gives a step-by-step guide to set up OVS IPsec tunnel. tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel configuration methods and forwarding modes. Signed-off-by: Ansis Atteka Signed-off-by: Qiuyu Xiao Co-authored-by: Ansis Atteka Co-authored-by: Qiuyu

[ovs-dev] [PATCH v3 5/6] ovs-pki: generate x.509 v3 certificate

2018-07-27 Thread Qiuyu Xiao
This patch modifies ovs-pki to generate x.509 version 3 certificate. Compared with the x.509 v1 certificate generated by ovs-pki, version 3 certificate adds subjectAltName field and sets its value the same as common name (CN). The main reason for this change is to enable strongSwan IKE daemon to

[ovs-dev] [PATCH v3 3/6] debian and rhel: Create IPsec package.

2018-07-27 Thread Qiuyu Xiao
Added rules and files to create debian and rpm ovs-ipsec packages. Signed-off-by: Ansis Atteka Signed-off-by: Qiuyu Xiao Co-authored-by: Ansis Atteka Co-authored-by: Qiuyu Xiao --- debian/automake.mk| 3 + debian/control| 21 ++

[ovs-dev] [PATCH v3 2/6] ipsec: reintroduce IPsec support for tunneling

2018-07-27 Thread Qiuyu Xiao
This patch reintroduces ovs-monitor-ipsec daemon that was previously removed by commit 2b02d770 ("openvswitch: Allow external IPsec tunnel management.") After this patch, there are no IPsec flavored tunnels anymore. IPsec is enabled by setting up the right values in: 1. OVSDB:Interface:options

[ovs-dev] [PATCH v3 0/6] IPsec support for tunneling

2018-07-27 Thread Qiuyu Xiao
This patch series reintroduce IPsec support for OVS tunneling and enable OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. StrongSwan and LibreSwan IKE daemons are supported. Changes from v1 to v2 - 1. Merged the ovs-monitor-ipsec code to a

[ovs-dev] [PATCH v3 1/6] datapath: add transport ports in route lookup to enable IPsec policy match.

2018-07-27 Thread Qiuyu Xiao
This patch adds transport ports information for route lookup so that IPsec can select tunnel traffic (geneve, stt, vxlan) to do encryption. The patch was tested for geneve, stt, and vxlan tunnel and the results show that IPsec policy can be set to only match the corresponding tunnel traffic.

Re: [ovs-dev] [PATCH] compat: ip6_tunnel: improve error message.

2018-07-27 Thread Gregory Rose
On 7/27/2018 9:30 AM, William Tu wrote: When loading compact ip6 tunnel, if the system already loads upstream s/compact/compat/ kernel's ip6 tunnel, print error message before return. Signed-off-by: William Tu Cc: Greg Rose --- datapath/linux/compat/ip6_tunnel.c | 12 +--- 1

Re: [ovs-dev] [PATCH] compat: Initialize IPv4 reassembly secret timer

2018-07-27 Thread Gregory Rose
On 7/27/2018 11:38 AM, Ben Pfaff wrote: On Wed, Jul 25, 2018 at 08:46:21AM -0700, Gregory Rose wrote: On 7/23/2018 9:22 AM, Yi-Hung Wei wrote: --- a/datapath/linux/compat/ip_fragment.c +++ b/datapath/linux/compat/ip_fragment.c @@ -812,6 +812,9 @@ int __init rpl_ipfrag_init(void) #ifdef

Re: [ovs-dev] [PATCH V2] compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded

2018-07-27 Thread Gregory Rose
On 7/27/2018 12:31 PM, Ben Pfaff wrote: On Fri, Jul 27, 2018 at 11:20:08AM -0700, Greg Rose wrote: When for some reason the built-in kernel ip6_gre module is loaded that would prevent the openvswitch kernel driver from loading. Even when the built-in kernel ip6_gre module is loaded we can

Re: [ovs-dev] [PATCH] utilities: Run ovsdb-server pre-startup DB steps as root

2018-07-27 Thread Aaron Conole
Markos Chandras writes:

> Hello Aaron,
>
> On 18/07/18 16:24, Aaron Conole wrote:
>>
>> I think there's actually a race condition here. Most likely,
>> ovsdb-server doesn't need to be started before network.service.
>>
>> Looking at the bug, I think we can unroll some of the dependencies that

Re: [ovs-dev] [PATCH] utilities: Run ovsdb-server pre-startup DB steps as root

2018-07-27 Thread Aaron Conole
Flavio Leitner writes:

> On Wed, Jul 18, 2018 at 11:24:43AM -0400, Aaron Conole wrote:
>> Markos Chandras writes:
>>
>> > When ovsdb-server is starting, it performs some DB steps such as
>> > creating and upgrading the OvS DB. When we are running as
>> > 'non-root' user, the 'runuser' tool is

Re: [ovs-dev] [PATCH V2] compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded

2018-07-27 Thread Ben Pfaff
On Fri, Jul 27, 2018 at 11:20:08AM -0700, Greg Rose wrote:
> When for some reason the built-in kernel ip6_gre module is loaded that
> would prevent the openvswitch kernel driver from loading. Even when
> the built-in kernel ip6_gre module is loaded we can still perform
> port mirroring via Tx.

Re: [ovs-dev] [PATCH V2] compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded

2018-07-27 Thread William Tu
On Fri, Jul 27, 2018 at 11:20 AM, Greg Rose wrote:
> When for some reason the built-in kernel ip6_gre module is loaded that
> would prevent the openvswitch kernel driver from loading. Even when
> the built-in kernel ip6_gre module is loaded we can still perform
> port mirroring via Tx. Adjust

Re: [ovs-dev] [PATCH] compat: Initialize IPv4 reassembly secret timer

2018-07-27 Thread Ben Pfaff
On Wed, Jul 25, 2018 at 08:46:21AM -0700, Gregory Rose wrote: > On 7/23/2018 9:22 AM, Yi-Hung Wei wrote: > --- a/datapath/linux/compat/ip_fragment.c > +++ b/datapath/linux/compat/ip_fragment.c > @@ -812,6 +812,9 @@ int __init rpl_ipfrag_init(void) > #ifdef

Re: [ovs-dev] [PATCH v1] rhel: support kmod build against mulitple kernel versions, fedora

2018-07-27 Thread Martin Xu
Hi Flavio, Thanks for the review. I was thinking of using this to prevent a user to directly install openvswitch-kmod rpm built with the fedora spec file when the system already has the kmod-openvswitch built from rhel6 spec file. Packages are named differently. In that case, it's not a matter of

[ovs-dev] [PATCH V2] compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded

2018-07-27 Thread Greg Rose
When for some reason the built-in kernel ip6_gre module is loaded that would prevent the openvswitch kernel driver from loading. Even when the built-in kernel ip6_gre module is loaded we can still perform port mirroring via Tx. Adjust the error handling and detect when the ip6_gre kernel module

[ovs-dev] [PATCH 2/2] ofp-port: Drop of useless indirection in ofputil_pull_ofp14_port_stats().

2018-07-27 Thread Ben Pfaff
Signed-off-by: Ben Pfaff --- lib/ofp-port.c | 30 ++ 1 file changed, 2 insertions(+), 28 deletions(-) diff --git a/lib/ofp-port.c b/lib/ofp-port.c index 1d864c3a3dc7..2c812f8ecfa3 100644 --- a/lib/ofp-port.c +++ b/lib/ofp-port.c @@ -1636,28 +1636,6 @@

[ovs-dev] [PATCH 1/2] ofp-port: Fix buffer overread parsing Intel custom statistics.

2018-07-27 Thread Ben Pfaff
CC: Michal Weglicki Fixes: 971f4b394c6e ("netdev: Custom statistics.") Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9445 Signed-off-by: Ben Pfaff --- lib/ofp-port.c | 50 -- 1 file changed, 20 insertions(+), 30 deletions(-)

Re: [ovs-dev] [PATCH] selinux: changes to support newer hugetlbfs restrictions

2018-07-27 Thread Aaron Conole
Aaron Conole writes: > Newer selinux base policies now split out 'map' actions, as well as > adding more explicit checks for hugetlbfs objects. Where previously these > weren't required, recent changes have flagged the allocation of hugepages > and subsequent clearing. This means that the

[ovs-dev] [PATCH] compat: ip6_tunnel: improve error message.

2018-07-27 Thread William Tu
When loading compact ip6 tunnel, if the system already loads upstream kernel's ip6 tunnel, print error message before return. Signed-off-by: William Tu Cc: Greg Rose --- datapath/linux/compat/ip6_tunnel.c | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git

Re: [ovs-dev] [PATCH] compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded

2018-07-27 Thread Gregory Rose
On 7/27/2018 2:22 AM, William Tu wrote: On Thu, Jul 26, 2018 at 9:11 AM, Greg Rose > wrote: When for some reason the built-in kernel ip6_gre module is loaded that would prevent the openvswitch kernel driver from loading. Even when the built-in kernel

[ovs-dev] d...@openvswitch.org CONGRATULATIONS TO THE WINNER OF THE FACEBOOK LOTTERY PRIZE £ 1,500,000!

2018-07-27 Thread Rev Bedig Tersakian
The Online Consumer Promotions 2018. European Region Office: 10B Widemarsh Street Hereford Square, London HP1 8HFD, England. http: //www..com LOT NUMBER: FB / 8056490902. REF NUMBER: FB / UK / 2011. CONGRATULATIONS! PRIZE NOTIFICATION. We are pleased to announce to you the draw of

[ovs-dev] [PATCH] stream-ssl: Don't enable new TLS versions by default

2018-07-27 Thread Timothy Redaelli
Currently protocol_flags is populated by the list of SSL and TLS protocols by hand. This means that when a new TLS version is added to openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta) ovsdb-server automatically enable support to it with the default ciphers. This can be a security

Re: [ovs-dev] [PATCH 2/2] Revert "dpctl: Expand the flow dump type filter"

2018-07-27 Thread Simon Horman
Hi Gavi, On 26 July 2018 at 17:36, Justin Pettit wrote: > > > On Jul 26, 2018, at 7:29 AM, Gavi Teitz wrote: > > > > From: Justin Pettit, sent: Thursday, July 26, 2018 12:02 AM: > >> Commit ab15e70eb587 ("dpctl: Expand the flow dump type filter") had a > number of issues with style, build

Re: [ovs-dev] [ovs-dev, v5] dpif-netdev: Avoid reordering of packets in a batch with same megaflow

2018-07-27 Thread Vishal Deep Ajmera
> Have you tried solution with direct pushing of all the packets to
> 'flow_map' and per-flow batching only at the end of 'dp_netdev_input__()'?
>
> Is it really slower?
> If you have some performance data, I'd like to see it, because it looks
> like code should be simpler without this

[ovs-dev] [PATCH v6] dpif-netdev: Avoid reordering of packets in a batch with same megaflow

2018-07-27 Thread Vishal Deep Ajmera
OVS reads packets in batches from a given port and packets in the batch are subjected to potentially 3 levels of lookups to identify the datapath megaflow entry (or flow) associated with the packet. Each megaflow entry has a dedicated buffer in which packets that match the flow classification

Re: [ovs-dev] [PATCH] compat: Allow IPv6 GRE/ERSPAN Tx when ip6_gre is loaded

2018-07-27 Thread William Tu
On Thu, Jul 26, 2018 at 9:11 AM, Greg Rose wrote:
> When for some reason the built-in kernel ip6_gre module is loaded that
> would prevent the openvswitch kernel driver from loading. Even when
> the built-in kernel ip6_gre module is loaded we can still perform
> port mirroring via Tx. Adjust

Re: [ovs-dev] [ovs-discuss] ovsdb-server core dump and ovsdb corruption using raft cluster

2018-07-27 Thread Girish Moodalbail
Hello Ben, Sorry, got distracted with something else at work. I am still able to reproduce the issue, and this is what I have and what I did (if you need the core, let me know and I can share it with you) - 3-cluster RAFT setup in Ubuntu VM (2 VCPUs with 8GB RAM) $ uname -r Linux