On 31 August 2017 at 16:22, Aaron Conole wrote:
> This series brings about a policy update to openvswitch allowing it to
> run on a RHEL / Fedora system, even as a non-root user, with selinux set
> to Enforcing.
>
> The first two patches make some changes to the way the selinux policy is
> built t
On 31 August 2017 at 16:22, Aaron Conole wrote:
> This will be used by an upcoming commit to have @begin_ and @end_ dpdk
> blocks to keep dpdk specific policy decisions only active when dpdk is
> used.
>
> Acked-by: Flavio Leitner
> Signed-off-by: Aaron Conole
> Tested-by: Jean Hsiao
Acked-by:
On Thu, Aug 31, 2017 at 09:27:36AM -0700, Ben Pfaff wrote:
> On Thu, Aug 31, 2017 at 09:23:34AM -0700, Ben Pfaff wrote:
> > On Wed, Aug 30, 2017 at 02:21:01AM +0800, Yi Yang wrote:
> > > IETF NSH draft will be approved by end of August, NSH header
> > > format has been finalized and won't be changed
On 31 August 2017 at 16:22, Aaron Conole wrote:
> When building the openvswitch-custom.te file, it is important to have the
> ability to filter out dpdk blocks depending on whether the system has been
> configured with dpdk or not. This allows using all the standard .in file
> blocks, as well as
On 31 August 2017 at 16:22, Aaron Conole wrote:
> The selinux policy that exists in the repository did not specify access to
> all of the resources needed for Open vSwitch to properly function with
> an enforcing selinux policy. This update allows Open vSwitch to operate
> with selinux set to Enf
Ansis Atteka writes:
> On 31 August 2017 at 14:57, Aaron Conole wrote:
>> Ansis Atteka writes:
>>
>>> On 31 August 2017 at 11:58, Aaron Conole wrote:
Hi Ansis,
Thanks for the review!
Ansis Atteka writes:
> On 30 August 2017 at 07:00, Aaron Conole wrote:
The selinux policy that exists in the repository did not specify access to
all of the resources needed for Open vSwitch to properly function with
an enforcing selinux policy. This update allows Open vSwitch to operate
with selinux set to Enforcing mode, even while running as a non-root user.
Acke
When building the openvswitch-custom.te file, it is important to have the
ability to filter out dpdk blocks depending on whether the system has been
configured with dpdk or not. This allows using all the standard .in file
blocks, as well as the dpdkstrip blocks, when constructing the selinux
polic
This series brings about a policy update to openvswitch allowing it to
run on a RHEL / Fedora system, even as a non-root user, with selinux set
to Enforcing.
The first two patches make some changes to the way the selinux policy is
built to have a macro-like effect, allowing the dpdk policy to be e
This will be used by an upcoming commit to have @begin_ and @end_ dpdk
blocks to keep dpdk specific policy decisions only active when dpdk is
used.
Acked-by: Flavio Leitner
Signed-off-by: Aaron Conole
Tested-by: Jean Hsiao
---
rhel/openvswitch-fedora.spec.in | 1 +
On 08/25/2017 03:51 PM, Yi-Hung Wei wrote:
Instead of using a fixed default conntrack state 'trk|new' in
ofproto/trace for conntrack recirculation, this patch queries the
conntrack state from the datapath using ct_dpif_get_info().
Signed-off-by: Yi-Hung Wei
---
lib/ct-dpif.c| 42 +++
On 31 August 2017 at 14:57, Aaron Conole wrote:
> Ansis Atteka writes:
>
>> On 31 August 2017 at 11:58, Aaron Conole wrote:
>>> Hi Ansis,
>>>
>>> Thanks for the review!
>>>
>>> Ansis Atteka writes:
>>>
On 30 August 2017 at 07:00, Aaron Conole wrote:
> The selinux policy that exists in
> On Aug 31, 2017, at 2:38 PM, Russell Bryant wrote:
>
> On Thu, Aug 31, 2017 at 4:04 PM, Justin Pettit wrote:
>> Signed-off-by: Justin Pettit
>> ---
>> NEWS | 5 +
>> 1 file changed, 5 insertions(+)
>
> Acked-by: Russell Bryant
Thanks! I pushed this to branch-2.8.
--Justin
On 08/25/2017 03:51 PM, Yi-Hung Wei wrote:
This patch adds ct_dpif_get_info() to dpif_class for querying conntrack
info from datapath. Later patches will use this function to query ct_fields
such as ct_state, ct_mark, and ct_label for ofproto/trace command.
The following commits will provide impl
On Thu, 31 Aug 2017 13:04:11 -0700
Justin Pettit wrote:
> Signed-off-by: Justin Pettit
> ---
> NEWS | 5 +
> 1 file changed, 5 insertions(+)
>
> diff --git a/NEWS b/NEWS
> index ecb32c4df80c..0eaa64a8dfdc 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -90,6 +90,11 @@ v2.8.0 - xx xxx
> *
On Thu, 31 Aug 2017 13:04:10 -0700
Justin Pettit wrote:
> This reverts commit 8473cf69d25c4682cc6f6857b86b490a8c27cbd4.
>
> This commit introduced a change in the conntrack API. This affected
> some existing applications, so we will delay introducing the change
> until the next major release.
>
On Thu, 31 Aug 2017 13:17:28 -0700
Justin Pettit wrote:
>
> > On Aug 29, 2017, at 9:13 PM, Flavio Leitner wrote:
> >
> > On Mon, 21 Aug 2017 12:56:33 -0700
> > Justin Pettit wrote:
> >
> >>> On Aug 21, 2017, at 12:38 PM, Joe Stringer wrote:
> >>>
> >>> Overall I think that this is an impro
I would also like to point out that the wireshark corpus will make
testing more efficient. I am currently using a corpus from here [1] and
it covers code more quickly. Please bear in mind that this particular
payload corpus contains the packet payload (hence suitable for our
testcases) but is limit
Ansis Atteka writes:
> On 31 August 2017 at 11:58, Aaron Conole wrote:
>> Hi Ansis,
>>
>> Thanks for the review!
>>
>> Ansis Atteka writes:
>>
>>> On 30 August 2017 at 07:00, Aaron Conole wrote:
The selinux policy that exists in the repository did not specify access to
all of the res
This is a nice test case for upstream. Am currently running on 8 cores,
no crashes in the flow_extract API so far.
Regards,
Bhargava
On 08/31/2017 11:03 PM, Ben Pfaff wrote:
> int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
> {
> struct dp_packet packet;
> dp_packet_use_const
Add parameters in local Open_vSwitch DB external-ids for rate-
limiting the log file writing:
ovn-acl-log-rl-rate
ovn-acl-log-rl-burst
Note: this has nothing to do with packet-in rate-limiting.
Signed-off-by: Han Zhou
---
v1->v2: add documentation for the configurations.
ovn/controller/
On Thu, Aug 31, 2017 at 4:04 PM, Justin Pettit wrote:
> Signed-off-by: Justin Pettit
> ---
> NEWS | 5 +
> 1 file changed, 5 insertions(+)
Acked-by: Russell Bryant
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/lis
On 08/25/2017 03:51 PM, Yi-Hung Wei wrote:
This patch propagates ct_zone when ofproto/trace automatically runs
through the recirculation process.
Fixes: e6bc8e749381 ("ofproto/trace: Add support for tracing conntrack
recirculation")
Signed-off-by: Yi-Hung Wei
---
ofproto/ofproto-dpif-trace.c
On Thu, Aug 31, 2017 at 4:04 PM, Justin Pettit wrote:
> This reverts commit 8473cf69d25c4682cc6f6857b86b490a8c27cbd4.
>
> This commit introduced a change in the conntrack API. This affected
> some existing applications, so we will delay introducing the change
> until the next major release.
>
> S
With this fuzz target on v2.3.2 fuzzing finds CVE-2016-2074 in just a few
seconds starting from an empty corpus:
mkdir C; ./openvswitch-2.3.2-libfuzzer C -jobs=20
==34306==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffcfbfddce8 at pc 0x0050e2b8 bp 0x7ffcfbfdd990 sp 0x7ffcfbf
On 08/25/2017 03:51 PM, Yi-Hung Wei wrote:
Free the allocated memory in the pop function.
Fixes: 0f2f05bbcf743 ("ofproto/trace: Add --ct-next option to ofproto/trace")
Signed-off-by: Yi-Hung Wei
---
ofproto/ofproto-dpif-trace.c | 13 -
1 file changed, 8 insertions(+), 5 deletions
For the version Bhargava is testing I guess this reads as
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
struct ofpbuf packet;
ofpbuf_use_const(&packet, data, size);
struct flow flow;
flow_extract(&packet, NULL, &flow);
return 0;
}
Looks great, and runs fast.
On Thu,
On 08/25/2017 03:51 PM, Yi-Hung Wei wrote:
This patch series adds support for querying conntrack info, including
ct_state, ct_mark, and ct_label, from the kernel datapath. This work first
introduces ct_dpif_get_info() in the dpif layer, and then provides a netlink
implementation of ct_dpif_get_info(). It a
Hi,
> I didn't look at the actual code before, but now that I have, I don't
> understand at all why it was doing file I/O just to write a packet to
> disk and then read it back.
Sorry, this was due to my ignorance. I was not aware of something like
dp_packet_use_const(). This should speed things
On Thu, Aug 31, 2017 at 12:46:50PM -0700, Kostya Serebryany wrote:
> On Thu, Aug 31, 2017 at 12:41 PM, Ben Pfaff wrote:
>
> > What's the issue with file I/O? If you can help me understand why you
> > want to get rid of it, maybe I can suggest what to do instead.
> >
>
> The file IO takes more t
On Thu, Aug 31, 2017 at 12:46 PM, Kostya Serebryany wrote:
>
>
> On Thu, Aug 31, 2017 at 12:41 PM, Ben Pfaff wrote:
>
>> What's the issue with file I/O? If you can help me understand why you
>> want to get rid of it, maybe I can suggest what to do instead.
>>
>
> The file IO takes more time tha
On 31 August 2017 at 11:58, Aaron Conole wrote:
> Hi Ansis,
>
> Thanks for the review!
>
> Ansis Atteka writes:
>
>> On 30 August 2017 at 07:00, Aaron Conole wrote:
>>> The selinux policy that exists in the repository did not specify access to
>>> all of the resources needed for Open vSwitch to
> On Aug 31, 2017, at 1:14 PM, Ben Pfaff wrote:
>
> On Thu, Aug 31, 2017 at 01:08:31PM -0700, Justin Pettit wrote:
>>
>>> On Aug 31, 2017, at 9:33 AM, Ben Pfaff wrote:
>>>
>>> Signed-off-by: Ben Pfaff
>>> ---
>>> This will be applied to both master and branch-2.8, to effectively release
>>>
> On Aug 29, 2017, at 9:13 PM, Flavio Leitner wrote:
>
> On Mon, 21 Aug 2017 12:56:33 -0700
> Justin Pettit wrote:
>
>>> On Aug 21, 2017, at 12:38 PM, Joe Stringer wrote:
>>>
>>> Overall I think that this is an improvement to consistency of what
>>> connection tracking metadata is accessible
On Thu, Aug 31, 2017 at 01:08:31PM -0700, Justin Pettit wrote:
>
> > On Aug 31, 2017, at 9:33 AM, Ben Pfaff wrote:
> >
> > Signed-off-by: Ben Pfaff
> > ---
> > This will be applied to both master and branch-2.8, to effectively release
> > Open vSwitch 2.8.0.
> >
> > diff --git a/NEWS b/NEWS
>
> On Aug 31, 2017, at 9:33 AM, Ben Pfaff wrote:
>
> Signed-off-by: Ben Pfaff
> ---
> This will be applied to both master and branch-2.8, to effectively release
> Open vSwitch 2.8.0.
>
> diff --git a/NEWS b/NEWS
> index 8e6fb79d38ca..b85c351dd961 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -1,4 +1,4
This reverts commit 8473cf69d25c4682cc6f6857b86b490a8c27cbd4.
This commit introduced a change in the conntrack API. This affected
some existing applications, so we will delay introducing the change
until the next major release.
Signed-off-by: Justin Pettit
Requested-by: Flavio Leitner
---
NEW
Signed-off-by: Justin Pettit
---
NEWS | 5 +
1 file changed, 5 insertions(+)
diff --git a/NEWS b/NEWS
index ecb32c4df80c..0eaa64a8dfdc 100644
--- a/NEWS
+++ b/NEWS
@@ -90,6 +90,11 @@ v2.8.0 - xx xxx
* HW offloading is done through the TC interface.
- IPv6 link local addresses
On Thu, Aug 31, 2017 at 12:41 PM, Ben Pfaff wrote:
> What's the issue with file I/O? If you can help me understand why you
> want to get rid of it, maybe I can suggest what to do instead.
>
The file IO takes more time than direct access to memory.
Even if the actual IO happens on tmpfs, this is
What's the issue with file I/O? If you can help me understand why you
want to get rid of it, maybe I can suggest what to do instead.
On Thu, Aug 31, 2017 at 09:24:29PM +0200, Bhargava Shastry wrote:
> An update from my side. I have written a small test case for catching
> CVE-2016-2074 here [1].
On Thu, Aug 31, 2017 at 12:24 PM, Bhargava Shastry <
bshas...@sec.t-labs.tu-berlin.de> wrote:
> Dear dev@OVS, KCC@google,
>
> Konstantin Serebryany (KCC) in CC is part of the OSS-Fuzz project that I
> mentioned before. I think he will be happy to see openvswitch use
> OSS-Fuzz services.
>
Yes, op
Dear dev@OVS, KCC@google,
Konstantin Serebryany (KCC) in CC is part of the OSS-Fuzz project that I
mentioned before. I think he will be happy to see openvswitch use
OSS-Fuzz services.
An update from my side. I have written a small test case for catching
CVE-2016-2074 here [1]. KCC strongly encour
> -Original Message-
> From: Ben Pfaff [mailto:b...@ovn.org]
> Sent: Thursday, 31 August, 2017 18:28
> >
> > This is a large change to just update the wire format. Can you make
> > it more minimal?
>
> Actually, let's skip it. I think that we should release OVS 2.8 as is.
> We delayed th
Hi Ansis,
Thanks for the review!
Ansis Atteka writes:
> On 30 August 2017 at 07:00, Aaron Conole wrote:
>> The selinux policy that exists in the repository did not specify access to
>> all of the resources needed for Open vSwitch to properly function with
>> an enforcing selinux policy. This
Yes. Any solution that samples the original packet and annotates it
with accurate information about its forwarding will conform to the
spec. But anything you do that touches the chain of actions in more
than one place is likely to be problematic...
For example, one possible approach that OVS *
On 31 August 2017 at 02:02, Stephen Finucane wrote:
> On Thu, 2017-08-31 at 09:59 +0100, Stephen Finucane wrote:
>> On Wed, 2017-08-30 at 10:38 -0700, Joe Stringer wrote:
>> > On 29 August 2017 at 02:54, Stephen Finucane wrote:
>
> [snip]
>
>> > However, it seems like this is broken right now. (g
On 30 August 2017 at 07:00, Aaron Conole wrote:
> The selinux policy that exists in the repository did not specify access to
> all of the resources needed for Open vSwitch to properly function with
> an enforcing selinux policy. This update allows Open vSwitch to operate
> with selinux set to Enf
On Thu, Aug 31, 2017 at 01:59:45PM -0300, Flavio Leitner wrote:
> On Thu, 31 Aug 2017 09:33:25 -0700
> Ben Pfaff wrote:
>
> > Signed-off-by: Ben Pfaff
> > ---
> > This will be applied to both master and branch-2.8, to effectively release
> > Open vSwitch 2.8.0.
>
> Hi Ben,
>
> I don't want to
On Thu, 31 Aug 2017 09:33:25 -0700
Ben Pfaff wrote:
> Signed-off-by: Ben Pfaff
> ---
> This will be applied to both master and branch-2.8, to effectively release
> Open vSwitch 2.8.0.
Hi Ben,
I don't want to delay 2.8 even more but there was a conntrack change[1]
which breaks OpenShift. I thi
Good catch.
Acked-by: Sairam Venugopal
On 8/30/17, 4:03 PM, "ovs-dev-boun...@openvswitch.org on behalf of Anand Kumar"
wrote:
>Only curNbl in the forwarding context needs to be updated with
>fragmented NBL.
>
>Signed-off-by: Anand Kumar
>---
> datapath-windows/ovsext/Actions.c | 9 +-
Great. That patch is already on all relevant branches, so I guess we
are done here. Thanks for figuring out the issue!
On Wed, Aug 30, 2017 at 03:49:43AM +, zengganghui wrote:
> We have found a patch (http://patchwork.ozlabs.org/patch/593753/) can resolve
> this problem.
>
> BR.
> Zeng Gan
Signed-off-by: Ben Pfaff
---
This will be applied to both master and branch-2.8, to effectively release
Open vSwitch 2.8.0.
diff --git a/NEWS b/NEWS
index 8e6fb79d38ca..b85c351dd961 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-v2.8.0 - xx xxx
+v2.8.0 - 31 Aug 2017
-
On Thu, Aug 31, 2017 at 09:23:34AM -0700, Ben Pfaff wrote:
> On Wed, Aug 30, 2017 at 02:21:01AM +0800, Yi Yang wrote:
> > IETF NSH draft will be approved by end of August, NSH header
> > format has been finalized and won't be changed anymore, so we
> > need to follow this final spec to implement nsh
On Wed, Aug 30, 2017 at 02:21:01AM +0800, Yi Yang wrote:
> IETF NSH draft will be approved by end of August, NSH header
> format has been finalized and won't be changed anymore, so we
> need to follow this final spec to implement nsh.
>
> kernel data path also needs finalized uAPIs, they can't be
>
On Tue, Aug 29, 2017 at 08:12:38PM +0200, Jiri Benc wrote:
> On Tue, 29 Aug 2017 10:50:11 -0700, Ben Pfaff wrote:
> > This feature landed late in 2.8 and the NSH wire protocol itself is not
> > completely stable.
>
> Acked-by: Jiri Benc
Thanks Jiri and Flavio. I applied this to master and branc
On Thu, Aug 31, 2017 at 09:50:08AM +0300, Liran Schour wrote:
> ovs-dev-boun...@openvswitch.org wrote on 30/08/2017 07:33:14 PM:
>
> > This removes n_true_cnd from struct ovsdb_monitor_session_condition.
> > It was an "optimization" that is not part of any inner loop, but
> > makes the code harder
On Thu, Aug 31, 2017 at 09:48:14AM +0300, Liran Schour wrote:
> ovs-dev-boun...@openvswitch.org wrote on 30/08/2017 07:33:13 PM:
> > The current implementation of ovsdb-server caches only non-conditional
> > monitors, that is, monitors for every table row, not those that monitor
> > only rows that
Hello,
"Mooney, Sean K" writes:
[...]
>> >> > +struct ovs_key_nsh {
>> >> > + u8 flags;
>> >> > + u8 ttl;
>> >> > + u8 mdtype;
>> >> > + u8 np;
>> >> > + __be32 path_hdr;
>> >> > + __be32 context[NSH_MD1_CONTEXT_SIZE]; };
>> >> > +
>> >> > struct sw_flow_ke
Hello Neil,
The problem is that to fill NAT translation correctly through
extended_nat we need sample packet before and after the translation.
I understand that such information (possibly) could be analyzed by
collector based on information from two switches, however I think that
correctly ge
On Wed, 30 Aug 2017 20:39:12 +0800, Yi Yang wrote:
> --- a/net/nsh/nsh.c
> +++ b/net/nsh/nsh.c
> @@ -14,6 +14,47 @@
> #include
> #include
>
> +int skb_push_nsh(struct sk_buff *skb, const struct nshhdr *nsh_src, bool
> is_eth)
> +{
> + struct nshhdr *nsh;
> + size_t length = nsh_hdr_l
On Wed, Aug 30, 2017 at 07:39:35PM +, Darrell Ball wrote:
> > > Note that it's disabled by default, which can be enabled
> by:
> > >
> > > $ ovs-vsctl set Open_vSwitch .
> other_config:hw-offload=true
> > >
> > > Maybe per
On Wed, Aug 30, 2017 at 07:28:01PM +, Darrell Ball wrote:
>
> [Finn]
>
> I think we should not further intermix the rxqs distributed to different
> pmd's, other than initially configured, when setting up hw-offload. If we
> make a round-robin distribution of the rxqs, a diff
On Wed, Aug 30, 2017 at 04:23:53PM +, Darrell Ball wrote:
> One other general comment about the series:
>
> It is not a ‘big deal’ at this point since we are discussing high level
> concepts, but
> we would need to address these at some point anyways.
>
> Could you run
>
> ./utilities/chec
On Thu, 2017-08-31 at 09:59 +0100, Stephen Finucane wrote:
> On Wed, 2017-08-30 at 10:38 -0700, Joe Stringer wrote:
> > On 29 August 2017 at 02:54, Stephen Finucane wrote:
[snip]
> > However, it seems like this is broken right now. (git-pw patch list
> > returns empty list if I have project conf
On Wed, 2017-08-30 at 10:38 -0700, Joe Stringer wrote:
> On 29 August 2017 at 02:54, Stephen Finucane wrote:
> > Now that Patchwork 2.0 is out, folks can start to take advantage of some
> > of the new features that it offers. Chief among these is series support,
> > which is only exposed via the w