commit 82fd454fe8a9baa9edc3cd39c15b38cf7ae99594a5d0cfb135199cd8c4b8af6f
Author: Dirk Mueller
Date: Mon Sep 2 16:57:50 2024 +0000
Action: Submit home:dpitchumani:branches:network/openvswitch to network/openvswitch
Description :
- Update openvswitch to 3.3.1. For a list of changes, check https://github.com/openvswitch/ovs/blob/v3.3.1/NEWS
- Update OVN to 24.03.3. For a list of changes, check https://github.com/ovn-org/ovn/blob/v24.03.3/NEWS
- Drop upstream fixed patches,
* CVE-2023-1668.patch
* CVE-2023-3152.patch
* CVE-2023-5366.patch
* openvswitch-2.17.8-gcc14-build-fix.patch
* openvswitch-CVE-2023-3966.patch
- Updated the patch for version v3.3.1
* install-ovsdb-tools.patch
OBS-URL: https://build.opensuse.org/package/show/network/openvswitch?expand=0&rev=263
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/0001-Don-t-change-permissions-of-dev-hugepages.patch b/0001-Don-t-change-permissions-of-dev-hugepages.patch
new file mode 100644
index 0000000..18f9600
--- /dev/null
+++ b/0001-Don-t-change-permissions-of-dev-hugepages.patch
@@ -0,0 +1,26 @@
+From e54cce931bafa12176989a5d59e3839f1bcfdf0c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?=
+Date: Wed, 6 May 2020 16:32:28 +0200
+Subject: [PATCH 1/2] Don't change permissions of /dev/hugepages
+
+For SLES/openSUSE, don't change permissions of /dev/hugepages as that is
+a system path. Sysadmin shoudl mount hugepages on a path and permission
+of his choosing if OVS either manually or via hugeadm.
+
+Updated 2023-02-26 for version 3.1.0
+
+diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
+index 6d021618b..71c49dc59 100644
+--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
++++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
+@@ -16,10 +16,6 @@ EnvironmentFile=/etc/openvswitch/default.conf
+ EnvironmentFile=-/etc/sysconfig/openvswitch
+ EnvironmentFile=-/run/openvswitch.useropts
+ LimitSTACK=2M
+-@begin_dpdk@
+-ExecStartPre=-/bin/sh -c '/usr/bin/chown :$${OVS_USER_ID##*:} /dev/hugepages'
+-ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages
+-@end_dpdk@
+ ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
+ --no-ovsdb-server --no-monitor --system-id=random \
+ ${OVS_USER_OPT} \
diff --git a/0001-Run-openvswitch-as-openvswitch-openvswitch.patch b/0001-Run-openvswitch-as-openvswitch-openvswitch.patch
new file mode 100644
index 0000000..8883ca4
--- /dev/null
+++ b/0001-Run-openvswitch-as-openvswitch-openvswitch.patch
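Review bot: With the two root-run ExecStartPre lines removed, nothing in the unit grants the OVS_USER_ID group access to the hugetlbfs mount, so a DPDK-enabled ovs-vswitchd running as an unprivileged user will presumably fail to map hugepages unless the administrator mounts them with matching ownership; the patch description says this only in passing, with a typo (`shoudl`) and a garbled clause (`if OVS either manually or via hugeadm`). I would replace the second sentence of the description with `The sysadmin must mount hugetlbfs at a path of their choosing, with a gid/mode the OVS_USER_ID group can access (manually, via hugeadm, or a mount unit); OVS no longer changes permissions on the system path.` Dropping a `chmod 0775` of a system path from a root-run pre-start step is the right direction, and the operator-facing instruction is what makes it deployable. The trailer still reads `Updated 2023-02-26 for version 3.1.0` while this commit moves to 3.3.1, so the refresh date should be updated if the patch was re-validated against the new unit file.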
@@ -0,0 +1,35 @@
+From 4de3a6e6fc67125a900913598344881c0b0bed71 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?=
+Date: Fri, 8 May 2020 11:15:57 +0200
+Subject: [PATCH] Run openvswitch as openvswitch:openvswitch
+
+Change default run configuration to unprivilieged user openvswitch and
+group openvswitch. Expect any further customization from user in
+sysconfig/openvswitch, including setting it back to privileged root:root
+configuration.
+
+Updated 2023-02-26 for version 3.1.0
+
+diff --git a/rhel/etc_logrotate.d_openvswitch b/rhel/etc_logrotate.d_openvswitch
+index c0f476744..fa6303873 100644
+--- a/rhel/etc_logrotate.d_openvswitch
++++ b/rhel/etc_logrotate.d_openvswitch
+@@ -6,7 +6,7 @@
+ # without warranty of any kind.
+ 
+ /var/log/openvswitch/*.log {
+- su root root
++ su openvswitch openvswitch
+ daily
+ compress
+ sharedscripts
+diff --git a/rhel/etc_openvswitch_default.conf b/rhel/etc_openvswitch_default.conf
+index c74417db6..569ca95de 100644
+--- a/rhel/etc_openvswitch_default.conf
++++ b/rhel/etc_openvswitch_default.conf
+@@ -2,4 +2,4 @@
+ 
+ # The following is the *default* configuration for the openvswitch user ID.
+ # This is for backward compatibility.
+-OVS_USER_ID="root:root"
++OVS_USER_ID="openvswitch:openvswitch"
diff --git a/0001-Run-ovn-as-openvswitch-openvswitch.patch b/0001-Run-ovn-as-openvswitch-openvswitch.patch
new file mode 100644
index 0000000..916e677
--- /dev/null
+++ b/0001-Run-ovn-as-openvswitch-openvswitch.patch
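Review bot: The logrotate `su openvswitch openvswitch` line only takes effect if /var/log/openvswitch is owned by that user and is not world-writable, because logrotate skips a directory with insecure ownership when running under `su`; the patch does not say where that ownership is established (presumably the spec's file list or %post, which is outside this diff). I would add to the description `Requires /var/log/openvswitch (and the run directory) to be owned by openvswitch:openvswitch at install time; the spec file must create them that way.` The default.conf change is the security-relevant part, flipping the shipped default from root:root to an unprivileged user, and the description correctly names /etc/sysconfig/openvswitch as the override point; fixing the typo `unprivilieged` while touching it would be welcome. Note this patch still carries `Updated 2023-02-26 for version 3.1.0` although the package now builds 3.3.1.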
@@ -0,0 +1,49 @@
+diff --git a/rhel/etc_logrotate.d_ovn b/rhel/etc_logrotate.d_ovn
+index a351ec303..4b26333fc 100644
+--- a/rhel/etc_logrotate.d_ovn
++++ b/rhel/etc_logrotate.d_ovn
+@@ -6,7 +6,7 @@
+ # without warranty of any kind.
+ 
+ /var/log/ovn/*.log {
+- su root root
++ su openvswitch openvswitch
+ daily
+ compress
+ sharedscripts
+diff --git a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
+index c6601cb46..48f6e3992 100644
+--- a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
++++ b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
+@@ -35,6 +35,7 @@ After=openvswitch.service
+ [Service]
+ Type=simple
+ Restart=on-failure
++Environment=OVN_USER_ID=openvswitch:openvswitch
+ Environment=OVS_RUNDIR=%t/openvswitch
+ Environment=OVN_RUNDIR=%t/ovn
+ Environment=OVN_DB=unix:%t/ovn/ovnsb_db.sock
+diff --git a/rhel/usr_lib_systemd_system_ovn-controller.service b/rhel/usr_lib_systemd_system_ovn-controller.service
+index 15d0ac853..c602760f1 100644
+--- a/rhel/usr_lib_systemd_system_ovn-controller.service
++++ b/rhel/usr_lib_systemd_system_ovn-controller.service
+@@ -23,6 +23,7 @@ After=openvswitch.service
+ Type=forking
+ PIDFile=/var/run/ovn/ovn-controller.pid
+ Restart=on-failure
++Environment=OVN_USER_ID=openvswitch:openvswitch
+ Environment=OVN_RUNDIR=%t/ovn OVS_RUNDIR=%t/openvswitch
+ EnvironmentFile=-/etc/sysconfig/ovn
+ EnvironmentFile=-/etc/sysconfig/ovn-controller
+diff --git a/rhel/usr_lib_systemd_system_ovn-northd.service b/rhel/usr_lib_systemd_system_ovn-northd.service
+index 6c4c6621c..d74196a49 100644
+--- a/rhel/usr_lib_systemd_system_ovn-northd.service
++++ b/rhel/usr_lib_systemd_system_ovn-northd.service
+@@ -20,6 +20,7 @@ After=syslog.target
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
++Environment=OVN_USER_ID=openvswitch:openvswitch
+ Environment=OVN_RUNDIR=%t/ovn OVN_DBDIR=/var/lib/ovn
+ EnvironmentFile=-/etc/sysconfig/ovn
+ EnvironmentFile=-/etc/sysconfig/ovn-northd
diff --git a/0001-Use-double-hash-for-OVS_USER_ID-comment.patch b/0001-Use-double-hash-for-OVS_USER_ID-comment.patch
new file mode 100644
index 0000000..d0996c3
--- /dev/null
+++ b/0001-Use-double-hash-for-OVS_USER_ID-comment.patch
@@ -0,0 +1,17 @@
+From e007ba2d276530db6aa8a242b069f356395cd8e5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?=
+Date: Mon, 15 Jun 2020 15:15:53 +0200
+Subject: [PATCH] Use double hash for OVS_USER_ID comment
+
+Updated 2023-02-26 for version 3.1.0
+
+diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
+index c467d02db..58c0e4797 100644
+--- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
++++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
+@@ -28,4 +28,4 @@
+ OPTIONS=""
+ 
+ # Uncomment and set the OVS User/Group value
+-#OVS_USER_ID="openvswitch:openvswitch"
++##OVS_USER_ID="openvswitch:openvswitch"
diff --git a/0001-Use-strongswan-for-openvswitch-ipsec-service.patch b/0001-Use-strongswan-for-openvswitch-ipsec-service.patch
new file mode 100644
index 0000000..604710f
--- /dev/null
+++ b/0001-Use-strongswan-for-openvswitch-ipsec-service.patch
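Review bot: This patch file carries no From/Subject header or description, unlike the sibling OVS patches, so the reason for hard-coding `Environment=OVN_USER_ID=openvswitch:openvswitch` into three units is undocumented and a future rebase will not know whether it is still wanted. I would add a header along the lines of `Run OVN daemons as the unprivileged openvswitch user by default; /etc/sysconfig/ovn and the per-daemon sysconfig files are loaded afterwards via EnvironmentFile=- and may override OVN_USER_ID.` For ovn-controller-vtep.service the visible context shows only `Environment=` lines and no `EnvironmentFile=`, so if that unit really has no sysconfig hook the only override is a systemd drop-in, which the header should state. The logrotate `su openvswitch openvswitch` line additionally requires /var/log/ovn to be owned by that user and not world-writable, or logrotate will skip it; that prerequisite is not mentioned anywhere in the patch.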
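Review bot: The patch turns `#OVS_USER_ID=` into `##OVS_USER_ID=` in the sysconfig template without saying why, so a reader will take the double hash for a typo and revert it. The intent is presumably to stop a packaging post-install step that uncomments `^#OVS_USER_ID=` from turning the example line into a live setting (verify against the spec, which is outside this diff), and the description should say so, e.g. `Use a double hash so that scripts which uncomment '#OVS_USER_ID=' in /etc/sysconfig/openvswitch leave this example alone; the shipped default now lives in /etc/openvswitch/default.conf.` If no such script exists on openSUSE, the patch is dead weight and can be dropped rather than carried forward to 3.3.1.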
@@ -0,0 +1,23 @@
+From f786cf97880bdf1ebed65db2f560ff15f1f29413 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?=
+Date: Mon, 28 Oct 2019 15:14:19 +0100
+Subject: [PATCH] Use strongswan for openvswitch-ipsec service
+
+Since libreswan is not packaged for Leap/SLES, use strongswan for the
+time being.
+
+Updated 2023-02-26 for version 3.1.0
+
+diff --git a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
+index 92dad44f9..ec86874cb 100644
+--- a/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
++++ b/rhel/usr_lib_systemd_system_openvswitch-ipsec.service
+@@ -7,7 +7,7 @@ After=openvswitch.service
+ Type=forking
+ PIDFile=/run/openvswitch/ovs-monitor-ipsec.pid
+ ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
+- --ike-daemon=libreswan start-ovs-ipsec
++ --ike-daemon=strongswan start-ovs-ipsec
+ ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop-ovs-ipsec
+ 
+ [Install]
diff --git a/CVE-2023-1668.patch b/CVE-2023-1668.patch
new file mode 100644
index 0000000..39df51c
--- /dev/null
+++ b/CVE-2023-1668.patch
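Review bot: The description presents the libreswan-to-strongswan switch as a 2019 stopgap ("for the time being") and the patch was last refreshed for 3.1.0, so with the move to 3.3.1 it should be re-validated and the stopgap wording replaced by the actual policy, e.g. `openSUSE/SLES ship strongswan rather than libreswan, so select it as the IKE daemon; the package must Require strongswan for this unit to work.` The unit only orders `After=openvswitch.service`; if ovs-monitor-ipsec with `--ike-daemon=strongswan` expects charon to already be running (the helper's behaviour is outside this hunk), add `After=strongswan.service` and `Wants=strongswan.service`, otherwise the description should say that the helper starts the daemon itself. Because the IKE daemon choice is baked into ExecStart, an admin cannot switch daemons through sysconfig; that is acceptable only if documented.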
@@ -0,0 +1,517 @@ +commit 9d840923d32124fe427de76e8234c49d64e4bb77 +Author: Aaron Conole +Date: Fri Mar 31 17:17:27 2023 -0400 + + ofproto-dpif-xlate: Always mask ip proto field. + + The ofproto layer currently treats nw_proto field as overloaded to mean + both that a proper nw layer exists, as well as the value contained in + the header for the nw proto. However, this is incorrect behavior as + relevant standards permit that any value, including '0' should be treated + as a valid value. + + Because of this overload, when the ofproto layer builds action list for + a packet with nw_proto of 0, it won't build the complete action list that + we expect to be built for the packet. That will cause a bad behavior + where all packets passing the datapath will fall into an incomplete + action set. + + The fix here is to unwildcard nw_proto, allowing us to preserve setting + actions for protocols which we know have support for the actions we + program. This means that a traffic which contains nw_proto == 0 cannot + cause connectivity breakage with other traffic on the link. + + Reported-by: David Marchand + Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873 + Acked-by: Ilya Maximets + Signed-off-by: Aaron Conole + 
Signed-off-by: Ilya Maximets + + +diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h +index 045dce8f5..3b0220aaa 100644 +--- a/include/openvswitch/meta-flow.h ++++ b/include/openvswitch/meta-flow.h +@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue *subvalue, struct ds *s); + void field_array_set(enum mf_field_id id, const union mf_value *, + struct field_array *); + ++/* Mask the required l3 prerequisites if a 'set' action occurs. */ ++void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *, ++ struct flow_wildcards *); ++ + #ifdef __cplusplus + } + #endif +diff --git a/lib/meta-flow.c b/lib/meta-flow.c +index c576ae620..474344194 100644 +--- a/lib/meta-flow.c ++++ b/lib/meta-flow.c +@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x) + bitmap_not(x.bm, MFF_N_IDS); + return x; + } ++ ++void ++mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl, ++ struct flow_wildcards *wc) ++{ ++ if (is_ip_any(fl) && ++ ((mf->id == MFF_IPV4_SRC) || ++ (mf->id == MFF_IPV4_DST) || ++ (mf->id == MFF_IPV6_SRC) || ++ (mf->id == MFF_IPV6_DST) || ++ (mf->id == MFF_IPV6_LABEL) || ++ (mf->id == MFF_IP_DSCP) || ++ (mf->id == MFF_IP_ECN) || ++ (mf->id == MFF_IP_TTL))) { ++ WC_MASK_FIELD(wc, nw_proto); ++ } else if ((fl->dl_type == htons(ETH_TYPE_ARP)) && ++ ((mf->id == MFF_ARP_OP) || ++ (mf->id == MFF_ARP_SHA) || ++ (mf->id == MFF_ARP_THA) || ++ (mf->id == MFF_ARP_SPA) || ++ (mf->id == MFF_ARP_TPA))) { ++ /* mask only the lower 8 bits. 
*/ ++ wc->masks.nw_proto = 0xff; ++ } ++} +diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c +index a9cf3cbee..cffd733c5 100644 +--- a/ofproto/ofproto-dpif-xlate.c ++++ b/ofproto/ofproto-dpif-xlate.c +@@ -5211,6 +5211,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct ofpact_cnt_ids *ids) + } + + ctx->wc->masks.nw_ttl = 0xff; ++ WC_MASK_FIELD(ctx->wc, nw_proto); + if (flow->nw_ttl > 1) { + flow->nw_ttl--; + return false; +@@ -7128,6 +7129,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, + case OFPACT_SET_IPV4_SRC: + if (flow->dl_type == htons(ETH_TYPE_IP)) { + memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src); ++ WC_MASK_FIELD(wc, nw_proto); + flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4; + } + break; +@@ -7135,12 +7137,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, + case OFPACT_SET_IPV4_DST: + if (flow->dl_type == htons(ETH_TYPE_IP)) { + memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst); ++ WC_MASK_FIELD(wc, nw_proto); + flow->nw_dst = ofpact_get_SET_IPV4_DST(a)->ipv4; + } + break; + + case OFPACT_SET_IP_DSCP: + if (is_ip_any(flow)) { ++ WC_MASK_FIELD(wc, nw_proto); + wc->masks.nw_tos |= IP_DSCP_MASK; + flow->nw_tos &= ~IP_DSCP_MASK; + flow->nw_tos |= ofpact_get_SET_IP_DSCP(a)->dscp; +@@ -7149,6 +7153,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, + + case OFPACT_SET_IP_ECN: + if (is_ip_any(flow)) { ++ WC_MASK_FIELD(wc, nw_proto); + wc->masks.nw_tos |= IP_ECN_MASK; + flow->nw_tos &= ~IP_ECN_MASK; + flow->nw_tos |= ofpact_get_SET_IP_ECN(a)->ecn; +@@ -7157,6 +7162,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, + + case OFPACT_SET_IP_TTL: + if (is_ip_any(flow)) { ++ WC_MASK_FIELD(wc, nw_proto); + wc->masks.nw_ttl = 0xff; + flow->nw_ttl = ofpact_get_SET_IP_TTL(a)->ttl; + } +@@ -7224,6 +7230,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, + + /* Set the field only if the packet actually has it. 
*/ + if (mf_are_prereqs_ok(mf, flow, wc)) { ++ mf_set_mask_l3_prereqs(mf, flow, wc); + mf_mask_field_masked(mf, ofpact_set_field_mask(set_field), wc); + mf_set_flow_value_masked(mf, set_field->value, + ofpact_set_field_mask(set_field), +@@ -7280,6 +7287,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, + + case OFPACT_DEC_TTL: + wc->masks.nw_ttl = 0xff; ++ WC_MASK_FIELD(wc, nw_proto); + if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) { + return; + } +diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at +index fa6111c1e..62291de4a 100644 +--- a/tests/ofproto-dpif.at ++++ b/tests/ofproto-dpif.at +@@ -849,7 +849,7 @@ table=2 ip actions=set_field:192.168.3.91->ip_src,output(11) + AT_CHECK([ovs-ofctl -O OpenFlow12 add-flows br0 flows.txt]) + AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=1,nw_tos=0,nw_ttl=128,nw_frag=no,icmp_type=8,icmp_code=0'], [0], [stdout]) + AT_CHECK([tail -2 stdout], [0], +- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no ++ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no + Datapath actions: 10,set(ipv4(src=192.168.3.91)),11,set(ipv4(src=192.168.3.90)),13 + ]) + OVS_VSWITCHD_STOP +@@ -912,7 +912,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds + # Must match on the source address to be able to restore it's value for + # the second bucket + AT_CHECK([tail -2 stdout], [0], +- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no ++ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no + Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 + ]) + OVS_VSWITCHD_STOP +@@ -944,7 +944,7 @@ done + AT_CHECK([ovs-appctl dpctl/dump-flows | sed 's/dp_hash(.*\/0xf)/dp_hash(0xXXXX\/0xf)/' | sed 's/packets.*actions:/actions:/' | strip_ufid | strip_used | sort], [0], [dnl + 
flow-dump from the main thread: + recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:hash(sym_l4(0)),recirc(0x1) +-recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 ++recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,proto=1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 + ]) + + OVS_VSWITCHD_STOP +@@ -959,7 +959,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds + # Must match on the source address to be able to restore it's value for + # the third bucket + AT_CHECK([tail -2 stdout], [0], +- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no ++ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no + Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 + ]) + OVS_VSWITCHD_STOP +@@ -1536,17 +1536,17 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=2,frag=no)' -generate], [0], [stdout]) + AT_CHECK([tail -4 stdout], [0], [ + Final flow: ip,in_port=1,vlan_tci=0x0000,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=111,nw_tos=0,nw_ecn=0,nw_ttl=1,nw_frag=no +-Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=2,nw_frag=no ++Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=2,nw_frag=no + Datapath actions: set(ipv4(ttl=1)),2,userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)),4 + ]) + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=3,frag=no)'], [0], [stdout]) + AT_CHECK([tail -2 stdout], [0], +- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=3,nw_frag=no ++ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=3,nw_frag=no + Datapath actions: set(ipv4(ttl=2)),2,set(ipv4(ttl=1)),3,4 + ]) + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x86dd),ipv6(src=::1,dst=::2,label=0,proto=10,tclass=0x70,hlimit=128,frag=no)'], [0], [stdout]) + AT_CHECK([tail -2 stdout], [0], +- [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_ttl=128,nw_frag=no ++ [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_proto=10,nw_ttl=128,nw_frag=no + Datapath actions: set(ipv6(hlimit=127)),2,set(ipv6(hlimit=126)),3,4 + ]) + +@@ -1656,7 +1656,7 @@ AT_CHECK([ovs-vsctl -- \ + --id=@q2 create Queue dscp=2], [0], [ignore]) + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(9),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=1.1.1.1,dst=2.2.2.2,proto=1,tos=0xff,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout]) + AT_CHECK([tail -2 stdout], [0], +- [Megaflow: recirc_id=0,skb_priority=0,eth,ip,in_port=9,nw_tos=252,nw_frag=no ++ [Megaflow: recirc_id=0,skb_priority=0,eth,icmp,in_port=9,nw_tos=252,nw_frag=no + Datapath actions: dnl + 100,dnl + set(ipv4(tos=0x4/0xfc)),set(skb_priority(0x1)),1,dnl +@@ -8777,12 +8777,12 @@ recirc_id(0),in_port(3),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), p + ]) + + AT_CHECK([ovs-appctl dpif/dump-flows -m br0 | strip_ufid | strip_used | sort], [0], [dnl 
+-skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(p1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:05/00:00:00:00:00:00,dst=50:54:00:00:00:07/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.1/0.0.0.0,dst=192.168.0.2/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:0, bytes:0, used:never, actions:drop +-skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(p2),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:07/00:00:00:00:00:00,dst=50:54:00:00:00:05/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.2/0.0.0.0,dst=192.168.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=0/0,code=0/0), packets:0, bytes:0, used:never, actions:drop ++recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(p1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:05/00:00:00:00:00:00,dst=50:54:00:00:00:07/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.1/0.0.0.0,dst=192.168.0.2/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:0, bytes:0, used:never, actions:drop ++recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(p2),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:07/00:00:00:00:00:00,dst=50:54:00:00:00:05/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.2/0.0.0.0,dst=192.168.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=0/0,code=0/0), packets:0, bytes:0, used:never, actions:drop + ]) + + AT_CHECK([ovs-appctl dpif/dump-flows -m br1 | strip_ufid | strip_used | sort], [0], [dnl 
+-skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(p3),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.0.0.2/0.0.0.0,dst=10.0.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:0, bytes:0, used:never, actions:drop ++recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(p3),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.0.0.2/0.0.0.0,dst=10.0.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:0, bytes:0, used:never, actions:drop + ]) + + OVS_VSWITCHD_STOP +@@ -8942,10 +8942,10 @@ recirc_id(0),in_port(101),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), + ]) + + AT_CHECK([grep -e 'in_port(100).*packets:9' ovs-vswitchd.log | strip_ufid | filter_flow_dump], [0], [dnl +-skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(100),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:05/00:00:00:00:00:00,dst=50:54:00:00:00:07/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.1/0.0.0.0,dst=192.168.0.2/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:9, bytes:954, used:0.0s, actions:101,3,2 ++recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(100),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:05/00:00:00:00:00:00,dst=50:54:00:00:00:07/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.1/0.0.0.0,dst=192.168.0.2/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:9, bytes:954, used:0.0s, actions:101,3,2 + ]) + AT_CHECK([grep -e 'in_port(101).*packets:4' ovs-vswitchd.log | strip_ufid | filter_flow_dump], [0], [dnl 
+-skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(101),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:07/00:00:00:00:00:00,dst=50:54:00:00:00:05/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.2/0.0.0.0,dst=192.168.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:4, bytes:424, used:0.0s, actions:100,2,3 ++recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(101),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:07/00:00:00:00:00:00,dst=50:54:00:00:00:05/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.2/0.0.0.0,dst=192.168.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:4, bytes:424, used:0.0s, actions:100,2,3 + ]) + + AT_CHECK([ovs-ofctl dump-ports br0 pbr0], [0], [dnl +@@ -9637,12 +9637,12 @@ table=0 in_port=1,ip,nw_dst=10.0.0.3 actions=drop + done + sleep 1 + AT_CHECK([strip_ufid < ovs-vswitchd.log | filter_flow_install | strip_used], [0], [dnl +-skb_priority(0),skb_mark(0),ct_state(-new-est-rel-rpl-inv-trk-snat-dnat),ct_zone(0),ct_mark(0),ct_label(0),recirc_id(0),dp_hash(0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), actions:2 +-skb_priority(0),skb_mark(0),ct_state(-new-est-rel-rpl-inv-trk-snat-dnat),ct_zone(0),ct_mark(0),ct_label(0),recirc_id(0),dp_hash(0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=10.0.0.4,dst=10.0.0.3,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), actions:drop 
++recirc_id(0),dp_hash(0),skb_priority(0),in_port(1),skb_mark(0),ct_state(-new-est-rel-rpl-inv-trk-snat-dnat),ct_zone(0),ct_mark(0),ct_label(0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), actions:2 ++recirc_id(0),dp_hash(0),skb_priority(0),in_port(1),skb_mark(0),ct_state(-new-est-rel-rpl-inv-trk-snat-dnat),ct_zone(0),ct_mark(0),ct_label(0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=10.0.0.4,dst=10.0.0.3,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), actions:drop + ]) + AT_CHECK([strip_ufid < ovs-vswitchd.log | filter_flow_dump | grep 'packets:3'], [0], [dnl +-skb_priority(0),skb_mark(0),ct_state(0/0xff),ct_zone(0),ct_mark(0),ct_label(0),recirc_id(0),dp_hash(0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), packets:3, bytes:318, used:0.0s, actions:2 +-skb_priority(0),skb_mark(0),ct_state(0/0xff),ct_zone(0),ct_mark(0),ct_label(0),recirc_id(0),dp_hash(0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=10.0.0.4,dst=10.0.0.3,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), packets:3, bytes:318, used:0.0s, actions:drop ++recirc_id(0),dp_hash(0),skb_priority(0),in_port(1),skb_mark(0),ct_state(0/0xff),ct_zone(0),ct_mark(0),ct_label(0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), packets:3, bytes:318, used:0.0s, actions:2 
++recirc_id(0),dp_hash(0),skb_priority(0),in_port(1),skb_mark(0),ct_state(0/0xff),ct_zone(0),ct_mark(0),ct_label(0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=10.0.0.4,dst=10.0.0.3,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), packets:3, bytes:318, used:0.0s, actions:drop + ]) + OVS_VSWITCHD_STOP + AT_CLEANUP]) +@@ -10344,7 +10344,7 @@ recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x1234), packets:5, byte + ]) + + AT_CHECK([grep 'modify' ovs-vswitchd.log | strip_ufid ], [0], [dnl +-dpif|DBG|dummy@ovs-dummy: put[[modify]] skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:push_vlan(vid=4,pcp=0),100 ++dpif|DBG|dummy@ovs-dummy: put[[modify]] recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:push_vlan(vid=4,pcp=0),100 + ]) + OVS_VSWITCHD_STOP + AT_CLEANUP +@@ -10425,8 +10425,8 @@ recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x8100),vlan(vid=99,pcp= + # are wildcarded. 
+ AT_CHECK([grep '\(modify\)\|\(flow_add\)' ovs-vswitchd.log | strip_ufid ], [0], [dnl + dpif_netdev|DBG|flow_add: recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x1234), actions:100 +-dpif|DBG|dummy@ovs-dummy: put[[modify]] skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:drop +-dpif|DBG|dummy@ovs-dummy: put[[modify]] skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:100 ++dpif|DBG|dummy@ovs-dummy: put[[modify]] recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:drop ++dpif|DBG|dummy@ovs-dummy: put[[modify]] recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:100 + dpif_netdev|DBG|flow_add: recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x8100),vlan(vid=99,pcp=7/0x0),encap(eth_type(0x1234)), actions:drop + ]) + OVS_VSWITCHD_STOP +@@ -10752,10 +10752,10 @@ AT_CHECK([ovs-appctl netdev-dummy/receive p2 'in_port(2),eth(src=50:54:00:00:00: + + + AT_CHECK([cat ovs-vswitchd.log | strip_ufid | filter_flow_install], [0], [dnl +-ct_state(+new-est+trk),recirc_id(0x1),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:drop 
+-ct_state(-new+est+trk),recirc_id(0x1),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no), actions:1 + recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no), actions:ct(commit),2 + recirc_id(0),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no), actions:ct,recirc(0x1) ++recirc_id(0x1),in_port(2),ct_state(+new-est+trk),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:drop ++recirc_id(0x1),in_port(2),ct_state(-new+est+trk),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no), actions:1 + ]) + + OVS_VSWITCHD_STOP +@@ -11161,9 +11161,9 @@ AT_CHECK([ovs-appctl netdev-dummy/receive p2 'in_port(2),eth(src=50:54:00:00:00: + ovs-appctl revalidator/wait + + AT_CHECK([cat ovs-vswitchd.log | strip_ufid | filter_flow_install], [0], [dnl +-ct_state(+rpl+trk),ct_label(0x1),recirc_id(0x1),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:1 + recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no),udp(src=1), actions:ct(commit,label=0x1),2 + recirc_id(0),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:ct,recirc(0x1) ++recirc_id(0x1),in_port(2),ct_state(+rpl+trk),ct_label(0x1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:1 + ]) + + OVS_VSWITCHD_STOP +@@ -11884,7 +11884,7 @@ ovs-ofctl dump-flows br0 + + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.10.10.2,dst=10.10.10.1,proto=1,tos=1,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout]) + AT_CHECK([tail -3 stdout], [0], [dnl +-Megaflow: recirc_id=0,eth,ip,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no ++Megaflow: recirc_id=0,eth,icmp,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no + Datapath actions: drop + Translation failed (Recursion too deep), packet is dropped. 
+ ]) +diff --git a/tests/ofproto.at b/tests/ofproto.at +index a666bebca..2fa8486a8 100644 +--- a/tests/ofproto.at ++++ b/tests/ofproto.at +@@ -6538,3 +6538,185 @@ verify_deleted + + OVS_VSWITCHD_STOP(["/nw_dst,output=2 ++table=0 in_port=1 priority=83,ip,nw_dst=192.168.1.15,actions=set_field:192.168.21.26->nw_src,output=2 ++table=0 in_port=1 priority=82,ip,nw_dst=192.168.1.14,actions=set_field:0x40->nw_tos,output=2 ++table=0 in_port=1 priority=0,actions=drop ++]) ++AT_CHECK([ovs-ofctl del-flows br0]) ++AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) ++ ++dnl send a proto 0 packet to try and poison the DP flow path ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ ++ '5054000000075054000000050800450000548de140004000289fc0a801c4c0a8011408003bf60002001bbf080a640000000032ad010000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637']) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl ++flow-dump from the main thread: ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2 ++]) ++ ++dnl Send ICMP for mod nw_src and mod nw_dst ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.20,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) ++ ++dnl send ICMP that will dec TTL ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.10,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) ++ ++dnl send ICMP that will mod TTL ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.19,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) ++ ++dnl send ICMP that will mod ECN ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.18,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) ++ ++dnl send ICMP that will mod TOS ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.17,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) ++ ++dnl send ICMP that will set DST ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.16,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) ++ ++dnl send ICMP that will set SRC ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) ++ ++dnl send ICMP that will set TOS ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.14,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl ++flow-dump from the main thread: ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.10,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=63)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.14,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.16,proto=1,frag=no), 
packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.26)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.17,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.18,proto=1,tos=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x2/0x3)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.19,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=8)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.20)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.21.26)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.20.21)),2 ++]) ++ ++OVS_VSWITCHD_STOP ++AT_CLEANUP ++ ++AT_SETUP([ofproto - implicit mask of ipv6 proto with HOPOPT field]) ++OVS_VSWITCHD_START ++add_of_ports br0 1 2 ++ ++AT_DATA([flows.txt], [dnl ++table=0 in_port=1 priority=77,ip6,ipv6_dst=111:db8::3,actions=dec_ttl,output=2 ++table=0 in_port=1 priority=76,ip6,ipv6_dst=111:db8::4,actions=mod_nw_ttl:8,output=2 ++table=0 in_port=1 priority=75,ip6,ipv6_dst=111:db8::5,actions=mod_nw_ecn:2,output=2 ++table=0 in_port=1 priority=74,ip6,ipv6_dst=111:db8::6,actions=mod_nw_tos:0x40,output=2 ++table=0 in_port=1 priority=73,ip6,ipv6_dst=111:db8::7,actions=set_field:2112:db8::2->ipv6_dst,output=2 ++table=0 in_port=1 
priority=72,ip6,ipv6_dst=111:db8::8,actions=set_field:2112:db8::3->ipv6_src,output=2 ++table=0 in_port=1 priority=72,ip6,ipv6_dst=111:db8::9,actions=set_field:44->ipv6_label,output=2 ++table=0 in_port=1 priority=0,actions=drop ++]) ++AT_CHECK([ovs-ofctl del-flows br0]) ++AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) ++ ++dnl send a proto 0 packet to try and poison the DP flow path ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=0,tclass=0,hlimit=64,frag=no)']) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl ++flow-dump from the main thread: ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) ++]) ++ ++dnl Send ICMP for mod nw_src and mod nw_dst ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::4,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) ++ ++dnl send ICMP that will dec TTL ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::5,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) ++ ++dnl send ICMP that will mod TTL ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::6,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) ++ ++dnl send ICMP that will mod ECN 
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::7,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) ++ ++dnl send ICMP that will mod TOS ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) ++ ++dnl send ICMP that will set LABEL ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::9,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl ++flow-dump from the main thread: ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=63)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::4,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=8)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::5,proto=1,tclass=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x2/0x3)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::6,proto=1,tclass=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x40/0xfc)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::7,proto=1,frag=no), packets:0, bytes:0, used:never, 
actions:set(ipv6(dst=2112:db8::2)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::9,label=0,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(label=0x2c)),2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(src=2112:db8::3)),2 ++]) ++ ++OVS_VSWITCHD_STOP ++AT_CLEANUP ++ ++AT_SETUP([ofproto - implicit mask of ARP OPer field]) ++OVS_VSWITCHD_START ++add_of_ports br0 1 2 ++ ++AT_DATA([flows.txt], [dnl ++table=0 in_port=1 priority=77,arp,arp_sha=00:01:02:03:04:06,actions=set_field:0x1->arp_op,2 ++table=0 in_port=1 priority=76,arp,arp_sha=00:01:02:03:04:07,actions=set_field:00:02:03:04:05:06->arp_sha,2 ++table=0 in_port=1 priority=75,arp,arp_sha=00:01:02:03:04:08,actions=set_field:ff:00:00:00:00:ff->arp_tha,2 ++table=0 in_port=1 priority=74,arp,arp_sha=00:01:02:03:04:09,actions=set_field:172.31.110.26->arp_spa,2 ++table=0 in_port=1 priority=73,arp,arp_sha=00:01:02:03:04:0a,actions=set_field:172.31.110.10->arp_tpa,2 ++table=0 in_port=1 priority=1,actions=drop ++]) ++ ++AT_CHECK([ovs-ofctl del-flows br0]) ++AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) ++ ++dnl Send op == 0 packet ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ ++ 'ffffffffffffaa55aa550000080600010800060400000001020304070c0a00010000000000000c0a0002']) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl ++flow-dump from the main thread: ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2 ++]) ++ ++dnl Send op 2 -> set op ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=2,sha=00:01:02:03:04:06,tha=ff:ff:ff:ff:ff:ff)']) ++ ++dnl Send op 1 -> set SHA ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:07,tha=ff:ff:ff:ff:ff:ff)']) ++ ++dnl Send op 1 -> set THA ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff)']) ++ ++dnl Send op 1 -> set SIP ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:09,tha=ff:ff:ff:ff:ff:ff)']) ++ ++dnl Send op 1 -> set TIP ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a,tha=ff:ff:ff:ff:ff:ff)']) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl ++flow-dump from the main thread: ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2 ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=2,sha=00:01:02:03:04:06), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(sip=172.31.110.1,op=1,sha=00:01:02:03:04:09), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a), 
packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
++])
++
++OVS_VSWITCHD_STOP
++AT_CLEANUP
+diff --git a/tests/packet-type-aware.at b/tests/packet-type-aware.at
+index 3b5c66fe5..d63528e69 100644
+--- a/tests/packet-type-aware.at
++++ b/tests/packet-type-aware.at
+@@ -1021,7 +1021,7 @@ AT_CHECK([
+ ], [0], [flow-dump from the main thread:
+ recirc_id(0),in_port(p0),packet_type(ns=0,id=0),eth(src=aa:bb:cc:00:00:02,dst=aa:bb:cc:00:00:01),eth_type(0x0800),ipv4(dst=20.0.0.1,proto=47,frag=no), packets:3, bytes:378, used:0.0s, actions:tnl_pop(gre_sys)
+ tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0),in_port(gre_sys),packet_type(ns=1,id=0x8847),eth_type(0x8847),mpls(label=999/0x0,tc=0/0,ttl=64/0x0,bos=1/1), packets:3, bytes:264, used:0.0s, actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),pop_mpls(eth_type=0x800),recirc(0x1)
+-tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br
++tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=1,ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br
+ ])
+
+ ovs-appctl time/warp 1000
diff --git a/CVE-2023-3152.patch b/CVE-2023-3152.patch
new file mode 100644
index 0000000..576afa4
--- /dev/null
+++ b/CVE-2023-3152.patch
@@ -0,0 +1,121 @@
+commit 9a3f7ed905e525ebdcb14541e775211cbb0203bd
+Author: Ales Musil
+Date: Wed Jul 12 07:12:29 2023 +0200
+
+ northd, controller: Add CoPP for SVC monitor
+
+ The SVC monitor was exposed without any limitation.
+ Add CoPP for the SVC monitor flow, which adds a way
+ for CMSs to limit the traffic that this flow accepts.
+
+
+ Signed-off-by: Ales Musil
+
+diff --git a/lib/copp.c b/lib/copp.c
+index 603e3f5bf..11dd9029d 100644
+--- a/lib/copp.c
++++ b/lib/copp.c
+@@ -38,6 +38,7 @@ static char *copp_proto_names[COPP_PROTO_MAX] = {
+ [COPP_ND_RA_OPTS] = "nd-ra-opts",
+ [COPP_TCP_RESET] = "tcp-reset",
+ [COPP_REJECT] = "reject",
++ [COPP_SVC_MONITOR] = "svc-monitor",
+ [COPP_BFD] = "bfd",
+ };
+
+diff --git a/lib/copp.h b/lib/copp.h
+index f03004aa6..b99737220 100644
+--- a/lib/copp.h
++++ b/lib/copp.h
+@@ -37,6 +37,7 @@ enum copp_proto {
+ COPP_TCP_RESET,
+ COPP_BFD,
+ COPP_REJECT,
++ COPP_SVC_MONITOR,
+ COPP_PROTO_MAX,
+ COPP_PROTO_INVALID = COPP_PROTO_MAX,
+ };
+diff --git a/northd/northd.c b/northd/northd.c
+index 7ad4cdfad..1e05b8f22 100644
+--- a/northd/northd.c
++++ b/northd/northd.c
+@@ -8876,9 +8876,11 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
+ {
+ if (od->nbs) {
+
+- ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110,
+- "eth.dst == $svc_monitor_mac",
+- "handle_svc_check(inport);");
++ ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 110, "eth.dst == "
++ "$svc_monitor_mac && (tcp || icmp || icmp6)",
++ "handle_svc_check(inport);",
++ copp_meter_get(COPP_SVC_MONITOR, od->nbs->copp,
++ meter_groups));
+
+ struct mcast_switch_info *mcast_sw_info = &od->mcast_info.sw;
+
+diff --git a/ovn-nb.xml b/ovn-nb.xml
+index 35acda107..59ac42dbd 100644
+--- a/ovn-nb.xml
++++ b/ovn-nb.xml
+@@ -466,6 +466,10 @@
+
+ Rate limiting meter for packets that trigger a reject action
+
++
++ Rate limiting meter for packets that are arriving to service
++ monitor MAC address.
++
+
+ See External IDs at the beginning of this document.
+
+diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
+index b8376991b..70350a781 100644
+--- a/tests/ovn-northd.at
++++ b/tests/ovn-northd.at
+@@ -3544,7 +3544,7 @@ AT_CHECK([ovn-sbctl list logical_flow | grep trigger_event -A 2 | grep -q meter0
+
+ # let's try to add an usupported protocol "dhcp"
+ AT_CHECK([ovn-nbctl --wait=hv copp-add copp5 dhcp meter1],[1],[],[dnl
+-ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject.
++ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject, svc-monitor.
+ ])
+
+ #Let's try to add a valid protocol to an unknown datapath
+diff --git a/tests/system-ovn.at b/tests/system-ovn.at
+index f8131b90e..7c009e157 100644
+--- a/tests/system-ovn.at
++++ b/tests/system-ovn.at
+@@ -7282,6 +7282,23 @@ OVS_WAIT_UNTIL([
+ ])
+ kill $(pidof tcpdump)
+
++check ovn-nbctl set nb_global .
options:svc_monitor_mac="33:33:33:33:33:33"
++check ovn-nbctl meter-add svc-meter drop 1 pktps 0
++check ovn-nbctl --wait=hv copp-add copp4 svc-monitor svc-meter
++check ovn-nbctl --wait=hv ls-copp-add copp4 sw0
++check ovn-appctl -t ovn-controller vlog/set vconn:dbg
++AT_CHECK([ovn-nbctl copp-list copp4], [0], [dnl
++svc-monitor: svc-meter
++])
++
++ip netns exec sw01 scapy -H <<-EOF
++p = Ether(dst="33:33:33:33:33:33", src="f0:00:00:01:02:03") /\
++ IP(dst="192.168.1.100", src="192.168.1.2") / TCP(dport=1234, sport=1234)
++sendp(p, iface='sw01', loop=0, verbose=0, count=20)
++EOF
++
++OVS_WAIT_UNTIL([test "1" = "$(grep -c "dl_dst=33:33:33:33:33:33" ovn-controller.log)"])
++
+ kill $(pidof ovn-controller)
+
+ as ovn-sb
+@@ -7295,7 +7312,8 @@ OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+
+ as
+ OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d
+-/.*terminating with signal 15.*/d"])
++/.*terminating with signal 15.*/d
++/.*Service monitor not found/d"])
+
+ AT_CLEANUP
+ ])
diff --git a/CVE-2023-5366.patch b/CVE-2023-5366.patch
new file mode 100644
index 0000000..5f3b552
--- /dev/null
+++ b/CVE-2023-5366.patch
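Review bot: CVE-2023-3152.patch is named in the commit description as one of the patches dropped because the fix is upstream, yet this hunk creates it as a new file; the same holds for CVE-2023-5366.patch, openvswitch-2.17.8-gcc14-build-fix.patch and openvswitch-CVE-2023-3966.patch further down the page. The spec file is not on this page, so I cannot tell whether a Patch line still references them; if none does, they should be deleted rather than carried, because a stale CVE patch invites someone to re-apply it against 3.3.1 or OVN 24.03.3 on a later rebase. If the intent is to keep them as a record, a one-line changelog entry naming the upstream release that contains each fix would make the drop verifiable; for this one the reference is the OVN 24.03.3 NEWS, since the change is to northd/controller, not to OVS.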
@@ -0,0 +1,227 @@
+commit 322c15598a483ba80d2ba3ced9a62f9e7a9a14a9
+Author: Ilya Maximets
+Date: Fri Feb 17 21:09:59 2023 +0100
+
+ classifier: Fix missing masks on a final stage with ports trie.
+
+ Flow lookup doesn't include masks of the final stage in a resulting
+ flow wildcards in case that stage had L4 ports match. Only the result
+ of ports trie lookup is added to the mask. It might be sufficient in
+ many cases, but it's not correct, because ports trie is not how we
+ decided that the packet didn't match in this subtable. In fact, we
+ used a full subtable mask in order to determine that, so all the
+ subtable mask bits has to be added.
+
+ Ports trie can still be used to adjust ports' mask, but it is not
+ sufficient to determine that the packet didn't match.
+
+ Assuming we have following 2 OpenFlow rules on the bridge:
+
+ table=0, priority=10,tcp,tp_dst=80,tcp_flags=+psh actions=drop
+ table=0, priority=0 actions=output(1)
+
+ The first high priority rule supposed to drop all the TCP data traffic
+ sent on port 80. The handshake, however, is allowed for forwarding.
+
+ Both 'tcp_flags' and 'tp_dst' are on the final stage in the flow.
+ Since the stage mask from that stage is not incorporated into the flow
+ wildcards and only ports mask is getting updated, we have the following
+ megaflow for the SYN packet that has no match on 'tcp_flags':
+
+ $ ovs-appctl ofproto/trace br0 "in_port=br0,tcp,tp_dst=80,tcp_flags=syn"
+
+ Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80
+ Datapath actions: 1
+
+ If this flow is getting installed into datapath flow table, all the
+ packets for port 80, regardless of TCP flags, will be forwarded.
+
+ Incorporating all the looked at bits from the final stage into the
+ stages map in order to get all the necessary wildcards. Ports mask
+ has to be updated as a last step, because it doesn't cover the full
+ 64-bit slot in the flowmap.
+
+ With this change, in the example above, OVS is producing correct
+ flow wildcards including match on TCP flags:
+
+ Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80,tcp_flags=-psh
+ Datapath actions: 1
+
+ This way only -psh packets will be forwarded, as expected.
+
+ This issue affects all other fields on stage 4, not only TCP flags.
+ Tests included to cover tcp_flags, nd_target and ct_tp_src/dst.
+ First two are frequently used, ct ones are sharing the same flowmap
+ slot with L4 ports, so important to test.
+
+ Before the pre-computation of stage masks, flow wildcards were updated
+ during lookup, so there was no issue. The bits of the final stage was
+ lost with introduction of 'stages_map'.
+
+ Recent adjustment of segment boundaries exposed 'tcp_flags' to the issue.
+
+ Reported-at: https://github.com/openvswitch/ovs-issues/issues/272
+ Fixes: ca44218515f0 ("classifier: Adjust segment boundary to execute prerequisite processing.")
+ Fixes: fa2fdbf8d0c1 ("classifier: Pre-compute stage masks.")
+ Acked-by: Aaron Conole
+
+ Signed-off-by: Ilya Maximets
+
+diff --git a/lib/classifier.c b/lib/classifier.c
+index c4790ee6b..f6a86b662 100644
+--- a/lib/classifier.c
++++ b/lib/classifier.c
+@@ -1695,6 +1695,8 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version,
+ const struct cls_match *rule = NULL;
+ struct flowmap stages_map = FLOWMAP_EMPTY_INITIALIZER;
+ unsigned int mask_offset = 0;
++ bool adjust_ports_mask = false;
++ ovs_be32 ports_mask;
+ int i;
+
+ /* Try to finish early by checking fields in segments. */
+@@ -1722,6 +1724,9 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version,
+ subtable->index_maps[i], flow, wc)) {
+ goto no_match;
+ }
++ /* Accumulate the map used so far. */
++ stages_map = flowmap_or(stages_map, subtable->index_maps[i]);
++
+ hash = flow_hash_in_minimask_range(flow, &subtable->mask,
+ subtable->index_maps[i],
+ &mask_offset, &basis);
+@@ -1731,14 +1736,16 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version,
+ * unwildcarding all the ports bits, use the ports trie to figure out a
+ * smaller set of bits to unwildcard. */
+ unsigned int mbits;
+- ovs_be32 value, plens, mask;
++ ovs_be32 value, plens;
+
+- mask = miniflow_get_ports(&subtable->mask.masks);
+- value = ((OVS_FORCE ovs_be32 *)flow)[TP_PORTS_OFS32] & mask;
++ ports_mask = miniflow_get_ports(&subtable->mask.masks);
++ value = ((OVS_FORCE ovs_be32 *) flow)[TP_PORTS_OFS32] & ports_mask;
+ mbits = trie_lookup_value(&subtable->ports_trie, &value, &plens, 32);
+
+- ((OVS_FORCE ovs_be32 *)&wc->masks)[TP_PORTS_OFS32] |=
+- mask & be32_prefix_mask(mbits);
++ ports_mask &= be32_prefix_mask(mbits);
++ ports_mask |= ((OVS_FORCE ovs_be32 *) &wc->masks)[TP_PORTS_OFS32];
++
++ adjust_ports_mask = true;
+
+ goto no_match;
+ }
+@@ -1751,6 +1758,14 @@ no_match:
+ /* Unwildcard the bits in stages so far, as they were used in determining
+ * there is no match.
*/
+ flow_wildcards_fold_minimask_in_map(wc, &subtable->mask, stages_map);
++ if (adjust_ports_mask) {
++ /* This has to be done after updating flow wildcards to overwrite
++ * the ports mask back. We can't simply disable the corresponding bit
++ * in the stages map, because it has 64-bit resolution, i.e. one
++ * bit covers not only tp_src/dst, but also ct_tp_src/dst, which are
++ * not covered by the trie. */
++ ((OVS_FORCE ovs_be32 *) &wc->masks)[TP_PORTS_OFS32] = ports_mask;
++ }
+ return NULL;
+ }
+
+diff --git a/tests/classifier.at b/tests/classifier.at
+index f652b5983..de2705653 100644
+--- a/tests/classifier.at
++++ b/tests/classifier.at
+@@ -65,6 +65,94 @@ Datapath actions: 2
+ OVS_VSWITCHD_STOP
+ AT_CLEANUP
+
++AT_SETUP([flow classifier - lookup segmentation - final stage])
++OVS_VSWITCHD_START
++add_of_ports br0 1 2 3
++AT_DATA([flows.txt], [dnl
++table=0 in_port=1 priority=33,tcp,tp_dst=80,tcp_flags=+psh,action=output(2)
++table=0 in_port=1 priority=0,ip,action=drop
++table=0 in_port=2 priority=16,icmp6,nw_ttl=255,icmp_type=135,icmp_code=0,nd_target=1000::1 ,action=output(1)
++table=0 in_port=2 priority=0,ip,action=drop
++table=0 in_port=3 action=resubmit(,1)
++table=1 in_port=3 priority=45,ct_state=+trk+rpl,ct_nw_proto=6,ct_tp_src=3/0x1,tcp,tp_dst=80,tcp_flags=+psh,action=output(2)
++table=1 in_port=3 priority=10,ip,action=drop
++])
++AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
++
++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn'], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh
++Datapath actions: drop
++])
++AT_CHECK([ovs-appctl ofproto/trace br0
'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn|ack'], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh
++Datapath actions: drop
++])
++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=ack|psh'], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=+psh
++Datapath actions: 2
++])
++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh
++Datapath actions: drop
++])
++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79'], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=-psh
++Datapath actions: drop
++])
++
++dnl Having both the port and the tcp flags in the resulting megaflow below
++dnl is redundant, but that is how ports trie logic is implemented.
++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=81'], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=81,tcp_flags=-psh
++Datapath actions: drop
++])
++
++dnl nd_target is redundant in the megaflow below and it is also not relevant
++dnl for an icmp reply. Datapath may discard that match, but it is OK as long
++dnl as we have prerequisites (icmp_type) in the match as well.
++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=128,icmpv6_code=0"], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x80/0xfc,nd_target=::
++Datapath actions: drop
++])
++
++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0"], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=::
++Datapath actions: drop
++])
++AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::1"], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::1
++Datapath actions: 1
++])
++AT_CHECK([ovs-appctl ofproto/trace br0
"in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::2"], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::2
++Datapath actions: drop
++])
++
++dnl Check that ports' mask doesn't affect ct ports.
++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=psh'], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=80,tcp_flags=+psh
++Datapath actions: 2
++])
++AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79,tcp_flags=psh'], [0], [stdout])
++AT_CHECK([tail -2 stdout], [0],
++ [Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=+psh
++Datapath actions: drop
++])
++
++OVS_VSWITCHD_STOP
++AT_CLEANUP
++
+ AT_BANNER([flow classifier prefix lookup])
+ AT_SETUP([flow classifier - prefix lookup])
+ OVS_VSWITCHD_START
diff --git a/Module.supported.updates b/Module.supported.updates
new file mode 100644
index 0000000..bd1f317
--- /dev/null
+++ b/Module.supported.updates
@@ -0,0 +1,6 @@
+updates/openvswitch.ko
+updates/vport-geneve.ko
+updates/vport-gre.ko
+updates/vport-lisp.ko
+updates/vport-stt.ko
+updates/vport-vxlan.ko
diff --git a/install-ovsdb-tools.patch b/install-ovsdb-tools.patch
new file mode 100644
index 0000000..3371969
--- /dev/null
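Review bot: Module.supported.updates lists `updates/openvswitch.ko` and five `updates/vport-*.ko` objects, but as far as I recall the out-of-tree Linux datapath (`datapath/`) was removed from the OVS tree in the 3.0 release, so a 3.3.1 source cannot produce these files, and `vport-lisp.ko`/`vport-stt.ko` never had in-kernel equivalents. If the spec no longer builds a KMP subpackage the file is dead and belongs with the other obsolete files this update drops; if a KMP is still built, the build log should be checked for an empty or failing supported-modules step. The spec is outside this page, so treat this as a confirm-before-merge item rather than a certain defect.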
+++ b/install-ovsdb-tools.patch
@@ -0,0 +1,36 @@
+diff --git a/ovsdb/automake.mk b/ovsdb/automake.mk
+index d484fe9de..c38a936ea 100644
+--- a/ovsdb/automake.mk
++++ b/ovsdb/automake.mk
+@@ -88,8 +88,9 @@ CLEANFILES += ovsdb/ovsdb-server.1
+ MAN_ROOTS += ovsdb/ovsdb-server.1.in
+
+ # ovsdb-idlc
+-noinst_SCRIPTS += ovsdb/ovsdb-idlc
++bin_SCRIPTS += ovsdb/ovsdb-idlc
+ EXTRA_DIST += ovsdb/ovsdb-idlc.in
++man_MANS += ovsdb/ovsdb-idlc.1
+ MAN_ROOTS += ovsdb/ovsdb-idlc.1
+ CLEANFILES += ovsdb/ovsdb-idlc
+ SUFFIXES += .ovsidl .ovsschema
+@@ -112,7 +113,11 @@ CLEANFILES += $(OVSIDL_BUILT)
+ # at least for now.
+ $(OVSIDL_BUILT): ovsdb/ovsdb-idlc.in python/ovs/dirs.py
+
++# Some internal tools, but installed for e.g. depending projects like OVN
++ovsdbdir = $(pkgdatadir)/ovsdb
++ovsdb_SCRIPTS =
+ # ovsdb-doc
++ovsdb_SCRIPTS += ovsdb/ovsdb-doc
+ EXTRA_DIST += ovsdb/ovsdb-doc
+ FLAKE8_PYFILES += ovsdb/ovsdb-doc
+ OVSDB_DOC = $(run_python) $(srcdir)/ovsdb/ovsdb-doc
+@@ -121,7 +126,7 @@ ovsdb/ovsdb-doc: python/ovs/dirs.py
+ # ovsdb-dot
+ EXTRA_DIST += ovsdb/ovsdb-dot.in ovsdb/dot2pic
+ FLAKE8_PYFILES += ovsdb/ovsdb-dot.in ovsdb/dot2pic
+-noinst_SCRIPTS += ovsdb/ovsdb-dot
++ovsdb_SCRIPTS += ovsdb/ovsdb-dot
+ CLEANFILES += ovsdb/ovsdb-dot
+ OVSDB_DOT = $(run_python) $(srcdir)/ovsdb/ovsdb-dot.in
+
diff --git a/openvswitch-2.17.8-gcc14-build-fix.patch b/openvswitch-2.17.8-gcc14-build-fix.patch
new file mode 100644
index 0000000..e496389
--- /dev/null
+++ b/openvswitch-2.17.8-gcc14-build-fix.patch
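Review bot: The three scripts this patch turns into installed files, `ovsdb-idlc` via `bin_SCRIPTS` and `ovsdb-doc`/`ovsdb-dot` via the new `ovsdb_SCRIPTS` under `$(pkgdatadir)/ovsdb`, are Python programs that import the in-tree `ovs` package (the `python/ovs/dirs.py` prerequisite visible in the hunk context shows that coupling), so whichever subpackage ships them needs a runtime Requires on the Python bindings or they fail at import time on a host that has only the devel package installed. `$(pkgdatadir)/ovsdb` is also not on PATH, so a consumer such as OVN must reach `ovsdb-doc`/`ovsdb-dot` by absolute path; since the description says this patch was just reworked for 3.3.1, the patch header should record which subpackage receives the scripts and how OVN is expected to locate them, otherwise the next rebase has nothing to check against. The existing comment could carry that, e.g. `# Installed under $(pkgdatadir)/ovsdb (not on PATH): consumers such as OVN use the absolute path and need python3-ovs at runtime.`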
@@ -0,0 +1,38 @@
+From 335a5deac3ff91448ca14651e92f39dfdd512fcf Mon Sep 17 00:00:00 2001
+From: Ilya Maximets
+Date: Thu, 18 Jan 2024 15:59:05 +0100
+Subject: [PATCH] ovs-atomic: Fix inclusion of Clang header by GCC 14.
+
+GCC 14 started to advertise c_atomic extension, older versions didn't
+do that. Add check for __clang__, so GCC doesn't include headers
+designed for Clang.
+
+Another option would be to prefer stdatomic implementation instead,
+but some older versions of Clang are not able to use stdatomic.h
+supplied by GCC as described in commit:
+ 07ece367fb5f ("ovs-atomic: Prefer Clang intrinsics over .")
+
+This change fixes OVS build with GCC on Fedora Rawhide (40).
+
+Reported-by: Jakob Meng
+Acked-by: Jakob Meng
+Acked-by: Eelco Chaudron
+Acked-by: Simon Horman
+Signed-off-by: Ilya Maximets
+---
+ lib/ovs-atomic.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ovs-atomic.h b/lib/ovs-atomic.h
+index ab9ce6b2e0f..f140d25feba 100644
+--- a/lib/ovs-atomic.h
++++ b/lib/ovs-atomic.h
+@@ -328,7 +328,7 @@
+ #if __CHECKER__
+ /* sparse doesn't understand some GCC extensions we use. */
+ #include "ovs-atomic-pthreads.h"
+- #elif __has_extension(c_atomic)
++ #elif __clang__ && __has_extension(c_atomic)
+ #include "ovs-atomic-clang.h"
+ #elif HAVE_ATOMIC && __cplusplus >= 201103L
+ #include "ovs-atomic-c++.h"
diff --git a/openvswitch-3.1.0.tar.gz b/openvswitch-3.1.0.tar.gz
new file mode 100644
index 0000000..87f0ea7
--- /dev/null
+++ b/openvswitch-3.1.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2bdda56970e324107b7a7c9f178d928024bd6603cfd86f71959bec0ed0d1c4bb
+size 7836227
diff --git a/openvswitch-3.3.1.tar.gz b/openvswitch-3.3.1.tar.gz
new file mode 100644
index 0000000..fd2a80a
--- /dev/null
+++ b/openvswitch-3.3.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a5f29fe0e7b2561fbe1b459d42ddbdec204dad53c5b9a936457b2b7338241282
+size 9034955
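Review bot: The commit description and the new changelog entry list openvswitch-2.17.8-gcc14-build-fix.patch among the patches dropped as fixed upstream, yet this section adds it as a new file; the same holds for openvswitch-CVE-2023-3966.patch further down and for the openvswitch-3.1.0.tar.gz LFS pointer that now sits next to the 3.3.1 tarball. If this is a whole-tree import rather than an incremental change, these files are presumably no longer referenced from the spec, in which case they are stale sources that the next maintainer will have to re-examine before every rebase. Either delete them in this commit or state in the description that they are intentionally kept. The gcc14 patch itself carries its full upstream header and needs no change.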
diff --git a/openvswitch-CVE-2023-3966.patch b/openvswitch-CVE-2023-3966.patch
new file mode 100644
index 0000000..c111349
--- /dev/null
+++ b/openvswitch-CVE-2023-3966.patch
@@ -0,0 +1,111 @@
+--- openvswitch-3.1.0.orig/lib/netdev-offload-tc.c 2024-02-13 11:52:45.356063229 +0530
++++ openvswitch-3.1.0/lib/netdev-offload-tc.c 2024-02-13 12:09:48.472094452 +0530
+@@ -1719,12 +1719,12 @@ test_key_and_mask(struct match *match)
+ return 0;
+ }
+
+-static void
++static int
+ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+ struct flow_tnl *tnl_mask)
+ {
+ struct geneve_opt *opt, *opt_mask;
+- int len, cnt = 0;
++ int tot_opt_len, len, cnt = 0;
+
+ /* 'flower' always has an exact match on tunnel metadata length, so having
+ * it in a wrong format is not acceptable unless it is empty. */
+@@ -1740,7 +1740,7 @@ flower_match_to_tun_opt(struct tc_flower
+ memset(&tnl_mask->metadata.present.map, 0,
+ sizeof tnl_mask->metadata.present.map);
+ }
+- return;
++ return 0;
+ }
+
+ tnl_mask->flags &= ~FLOW_TNL_F_UDPIF;
+@@ -1754,7 +1754,7 @@ flower_match_to_tun_opt(struct tc_flower
+ sizeof tnl_mask->metadata.present.len);
+
+ if (!tnl->metadata.present.len) {
+- return;
++ return 0;
+ }
+
+ memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv,
+@@ -1768,7 +1768,16 @@ flower_match_to_tun_opt(struct tc_flower
+ * also not masks, but actual lengths in the 'flower' structure. */
+ len = flower->key.tunnel.metadata.present.len;
+ while (len) {
++ if (len < sizeof *opt) {
++ return EOPNOTSUPP;
++ }
++
+ opt = &flower->key.tunnel.metadata.opts.gnv[cnt];
++ tot_opt_len = sizeof *opt + opt->length * 4;
++ if (len < tot_opt_len) {
++ return EOPNOTSUPP;
++ }
++
+ opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt];
+
+ opt_mask->length = opt->length;
+@@ -1776,6 +1785,7 @@ flower_match_to_tun_opt(struct tc_flower
+ cnt += sizeof(struct geneve_opt) / 4 + opt->length;
+ len -= sizeof(struct geneve_opt) + opt->length * 4;
+ }
++ return 0;
+ }
+
+ static void
+@@ -2213,7 +2223,11 @@ netdev_tc_flow_put(struct netdev *netdev
+ tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM);
+
+ if (!strcmp(netdev_get_type(netdev), "geneve")) {
+- flower_match_to_tun_opt(&flower, tnl, tnl_mask);
++ err = flower_match_to_tun_opt(&flower, tnl, tnl_mask);
++ if (err) {
++ VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options");
++ return err;
++ }
+ }
+ flower.tunnel = true;
+ } else {
+--- openvswitch-3.1.0.orig/tests/system-offloads-traffic.at 2024-02-13 11:52:45.364063229 +0530
++++ openvswitch-3.1.0/tests/system-offloads-traffic.at 2024-02-13 12:21:58.880116742 +0530
+@@ -742,3 +742,35 @@ recirc_id(),in_port(3),eth_type(
+
+ OVS_TRAFFIC_VSWITCHD_STOP
+ AT_CLEANUP
++AT_SETUP([offloads - handling of geneve corrupted metadata - offloads enabled])
++OVS_CHECK_GENEVE()
++
++OVS_TRAFFIC_VSWITCHD_START(
++ [_ADD_BR([br-underlay]) -- \
++ set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \
++ set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02],
++ [], [-- set Open_vSwitch . other_config:hw-offload=true])
++
++AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
++AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
++
++ADD_NAMESPACES(at_ns0)
++
++dnl Set up underlay link from host into the namespace using veth pair.
++ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
++AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
++AT_CHECK([ip link set dev br-underlay up])
++
++dnl Set up tunnel endpoints on OVS outside the namespace and with a native
++dnl linux device inside the namespace.
++ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
++ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
++ [vni 0], [address f2:ff:00:00:00:04])
++
++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00 > /dev/null])
++
++OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log])
++
++OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d
++/Unable to parse geneve options/d"])
++AT_CLEANUP
diff --git a/openvswitch-rpmlintrc b/openvswitch-rpmlintrc
new file mode 100644
index 0000000..69d5344
--- /dev/null
+++ b/openvswitch-rpmlintrc
@@ -0,0 +1 @@
+addFilter("E: backup-file-in-package /etc/openvswitch/\.conf\.db\.~lock~")
diff --git a/openvswitch-user.conf b/openvswitch-user.conf
new file mode 100644
index 0000000..8f1bc28
--- /dev/null
+++ b/openvswitch-user.conf
@@ -0,0 +1,3 @@
+# Type Name ID GECOS [HOME]
+g openvswitch - -
+u openvswitch - "Open vSwitch Daemons" / /sbin/nologin
diff --git a/openvswitch.changes b/openvswitch.changes
new file mode 100644
index 0000000..816fbc0
--- /dev/null
+++ b/openvswitch.changes
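Review bot: The rate-limited warning added in the netdev_tc_flow_put hunk, `VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options");`, names neither the port nor the rejected length, so an operator who finds it in the log cannot tell which geneve netdev received the malformed option chain or whether the rejection repeats for the same peer; `VLOG_WARN_RL(&warn_rl, "%s: unable to parse geneve options", netdev_get_name(netdev));` would make the entry actionable. The bounds checks themselves look sound as far as the hunk shows: `len < sizeof *opt` is tested before `opt->length` is read and `len < tot_opt_len` before the option is consumed, so the later `len -=` cannot drive `len` negative. The `err` assigned in netdev_tc_flow_put is presumably declared earlier in that function, which starts outside the hunk. The patch also has no header naming the CVE, the bug reference or the upstream commit it backports; the changelog entry gives `CVE-2023-3966 [bsc#1219465]`, and repeating that at the top of the patch file would record provenance where a rebase needs it.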
@@ -0,0 +1,2220 @@
+-------------------------------------------------------------------
+Wed Aug 28 05:18:36 UTC 2024 - Duraisankar P
+
+- Update openvswitch to 3.3.1. For a list of changes, check
+ https://github.com/openvswitch/ovs/blob/v3.3.1/NEWS
+- Update OVN to 24.03.3. For a list of changes, check
+ https://github.com/ovn-org/ovn/blob/v24.03.3/NEWS
+- Drop upstream fixed patches,
+ * CVE-2023-1668.patch
+ * CVE-2023-3152.patch
+ * CVE-2023-5366.patch
+ * openvswitch-2.17.8-gcc14-build-fix.patch
+ * openvswitch-CVE-2023-3966.patch
+- Updated the patch for version v3.3.1
+ * install-ovsdb-tools.patch
+
+-------------------------------------------------------------------
+Tue Jul 30 13:50:21 UTC 2024 - pgajdos@suse.com
+
+- remove dependency on /usr/bin/python3 using
+ %python3_fix_shebang_path macro, [bsc#1212476]
+
+-------------------------------------------------------------------
+Tue Jun 4 09:48:39 UTC 2024 - Martin Jambor
+
+- GCC 14 started to advertise c_atomic extension, older versions
+ didn't do that. Add check for __clang__, so GCC doesn't include
+ headers designed for Clang
+ (openvswitch-2.17.8-gcc14-build-fix.patch) [boo#1225906]
+
+-------------------------------------------------------------------
+Mon Feb 26 12:38:17 UTC 2024 - Dominique Leuenberger
+
+- Use %patch -P N instead of deprecated %patchN.
+ +------------------------------------------------------------------- +Thu Feb 15 06:53:54 UTC 2024 - Duraisankar P + +- Fix CVE-2023-3966 [bsc#1219465] openvswitch3: Invalid memory access in Geneve with HW offload +- Added patch, + +openvswitch-CVE-2023-3966.patch + +------------------------------------------------------------------- +Thu Feb 1 19:34:16 UTC 2024 - Duraisankar P + +- Fix CVE-2023-5366 [bsc#1216002], openvswitch: missing masks on a final stage with ports trie +- Added patch, + * CVE-2023-5366.patch + +------------------------------------------------------------------- +Thu Dec 14 11:55:19 UTC 2023 - Dirk Müller + +- convert to sysuser generated users + +------------------------------------------------------------------- +Mon Dec 4 15:52:33 UTC 2023 - Ana Guerrero + +- Add BuildRequires on python-setuptools. Previously this was pulled + by python-Sphinx in the build environment. + +------------------------------------------------------------------- +Thu Sep 7 07:55:29 UTC 2023 - Duraisankar P + +- Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited +- Added patch, + CVE-2023-3152.patch + +------------------------------------------------------------------- +Wed May 17 09:46:44 UTC 2023 - Duraisankar P + +- Fix CVE-2023-1668 [bsc#1210054], openvswitch: remote traffic denial of service via crafted packets with IP proto 0 +- Added patch, + CVE-2023-1668.patch + +------------------------------------------------------------------- +Tue May 2 07:48:43 UTC 2023 - Dominique Leuenberger + +- Remove python/ovs/dirs.py prior to building: have this + re-generated based on the shipped template (boo#1210479). 
+
+-------------------------------------------------------------------
+Wed Apr 5 21:14:59 UTC 2023 - Duraisankar P
+
+- Update OVS version to v3.1.0 and OVN version to v23.03.0
+ Some of the features are,
+ - ovs-vswitchd now detects changes in CPU affinity and adjusts the number
+ of handler and revalidator threads if necessary.
+ - AF_XDP:
+ * Added support for building with libxdp and libbpf >= 0.7.
+ * Support for AF_XDP is now enabled by default if all dependencies are
+ available at the build time. Use --disable-afxdp to disable.
+ Use --enable-afxdp to fail the build if dependencies are not present.
+ - ovs-appctl:
+ * "ovs-appctl ofproto/trace" command can now display port names with the
+ "--names" option.
+ - OVSDB-IDL:
+ * Add the support to specify the persistent uuid for row insert in both
+ C and Python IDLs.
+ - Windows:
+ * Conntrack IPv6 fragment support.
+ - DPDK:
+ * Add support for DPDK 22.11.1.
+ - For the QoS max-rate and STP/RSTP path-cost configuration OVS now assumes
+ 10 Gbps link speed by default in case the actual link speed cannot be
+ determined. Previously it was 10 Mbps. Values can still be overridden
+ by specifying 'max-rate' or '[r]stp-path-cost' accordingly.
+ - OpenFlow:
+ * New OpenFlow extension NXT_CT_FLUSH to flush connections matching
+ the specified fields.
+ - ovs-ctl:
+ * New option '--dump-hugepages' to include hugepages in core dumps. This
+ can assist with postmortem analysis involving DPDK, but may also produce
+ significantly larger core dump files.
+ - ovs-dpctl and 'ovs-appctl dpctl/' commands:
+ * 'flush-conntrack' is now capable of handling partial 5-tuple,
+ with additional optional parameter to specify the reply direction.
+ - ovs-ofctl:
+ * New command 'flush-conntrack' that accepts zone and 5-tuple (or partial
+ 5-tuple) for both directions.
+ - Support for travis-ci.org based continuous integration builds has been
+ dropped.
+ - Userspace datapath:
+ * Add '-secs' argument to appctl 'dpif-netdev/pmd-rxq-show' to show
+ the pmd usage of an Rx queue over a configurable time period.
+ * Add new experimental PMD load based sleeping feature. PMD threads can
+ request to sleep up to a user configured 'pmd-maxsleep' value under
+ low load conditions.
+ -For more details, check
+ https://github.com/openvswitch/ovs/blob/v3.1.0/NEWS
+ -Includes secrity fix for CVE-2022-4338 (bsc#1206580) and CVE-2022-4337 (bsc#1206581)
+ - Removed patches,
+ * 0001-Replace-deprecated-var-run-with-run.patch
+ * 0001-openvswitch-merge-compiler.h-files-into-one-file.patch
+ * openvswitch-CVE-2021-36980.patch
+ * 0002-build-Seperated-common-used-headers.patch
+ * a77ad9693c8b49055389559187fe74eddb619746.patch
+ * 0001-m4-Test-avx512-for-x86-only.patch
+ * openvswitch-2.17.2-Fix-tests-with-GNU-grep-3.8.patch
+ - Renamed and rebased patches,
+ * 0001-Don-t-change-permissions-of-dev-hugepages.patch
+ * 0001-Use-double-hash-for-OVS_USER_ID-comment.patch
+ * 0001-Run-ovn-as-openvswitch-openvswitch.patch
+ * 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
+ * 0001-Run-openvswitch-as-openvswitch-openvswitch.patch
+ - Added ovsb tool install patch,
+ * install-ovsdb-tools.patch
+
+-------------------------------------------------------------------
+Thu Sep 29 11:58:47 UTC 2022 - Dirk Müller
+
+- add a77ad9693c8b49055389559187fe74eddb619746.patch to avoid
+ the cpu detection code being compiled with AVX512 enabled
+- add 0001-m4-Test-avx512-for-x86-only.patch
+
+-------------------------------------------------------------------
+Mon Sep 12 19:55:30 UTC 2022 - Andreas Stieger
+
+- fix tests with GNU grep 3.8 boo#1203239
+ add openvswitch-2.17.2-Fix-tests-with-GNU-grep-3.8.patch
+
+-------------------------------------------------------------------
+Wed Aug 3 11:11:36 UTC 2022 - Dirk Müller
+
+- update to 2.17.2:
+ - Bug fixes
+ - DPDK:
+ * OVS validated with DPDK 21.11.1. It is recommended to use this version
+ until further releases.
+ - Bug fixes
+ - libopenvswitch API change:
+ * To fix the Undefined Behavior issue causing the compiler to incorrectly
+ optimize important parts of code, container iteration macros (e.g.,
+ LIST_FOR_EACH) have been re-implemented in a UB-safe way.
+ * Backwards compatibility has mostly been preserved, however the
+ user-provided pointer is now set to NULL after the loop (unless it
+ exited via "break;")
+ * Users of libopenvswitch will need to double-check the use of such loop
+ macros before compiling with a new version.
+ * Since the change is limited to the definitions within the headers, the
+ ABI is not affected.
+- refresh 0001-openvswitch-merge-compiler.h-files-into-one-file.patch
+ 0002-build-Seperated-common-used-headers.patch
+
+-------------------------------------------------------------------
+Fri May 13 15:52:24 UTC 2022 - Dominique Leuenberger
+
+- Allow dpdk version 21.11.
+
+-------------------------------------------------------------------
+Fri Apr 22 20:42:31 UTC 2022 - Ferdinand Thiessen
+
+- Python package: Do not use C json parser on 32bit as large numbers
+ will overflow.
+
+-------------------------------------------------------------------
+Sun Apr 3 13:12:28 UTC 2022 - Ferdinand Thiessen
+
+- Mention openvswitch-rpmlintrc as Source in spec file
+
+-------------------------------------------------------------------
+Mon Mar 14 13:55:07 UTC 2022 - Ferdinand Thiessen
+
+- Fix installation of files shared with OVN (required for building
+ OVN without openvswitch sources), remove custom installation
+ of internal headers from SPEC-install section and use patches
+ (for upstreaming) instead.
+ * install-ovsdb-tools.patch
+ * Added 0001-openvswitch-merge-compiler.h-files-into-one-file.patch
+ * Added 0002-build-Seperated-common-used-headers.patch
+- Enabled check section / running testsuite by default to validate
+ build result. There must no problems with the testsuite anymore as
+ upstream runs it by CI and checked before release of a new version.
+- Renamed 0001-Don-t-change-permissions-of-dev-hugepages.patch to
+ Don-t-change-permissions-of-dev-hugepages.patch
+- Renamed 0001-Run-openvswitch-as-openvswitch-openvswitch.patch to
+ Run-openvswitch-as-openvswitch-openvswitch.patch
+- Renamed 0001-Use-double-hash-for-OVS_USER_ID-comment.patch to
+ Use-double-hash-for-OVS_USER_ID-comment.patch
+- Rebased 0001-Use-strongswan-for-openvswitch-ipsec-service.patch to
+ Use-strongswan-for-openvswitch-ipsec-service.patch
+
+-------------------------------------------------------------------
+Fri Mar 11 11:33:18 UTC 2022 - Ferdinand Thiessen
+
+- Fix OVS location for python bindings (dirs.py), boo#1196978
+ Make sure dirs.py is freshly generated
+
+-------------------------------------------------------------------
+Mon Mar 7 12:04:30 UTC 2022 - Dirk Müller
+
+- fix python3 requires (bsc#1196758)
+
+-------------------------------------------------------------------
+Sun Feb 27 19:24:57 UTC 2022 - Ferdinand Thiessen
+
+- Added install-ovsdb-tools.patch to install ovsdb tools required
+ for building OVN
+
+-------------------------------------------------------------------
+Sat Feb 26 22:11:06 UTC 2022 - Ferdinand Thiessen
+
+- Enable multiple python3 flavor subpackages on Tumbleweed / Factory
+
+-------------------------------------------------------------------
+Sat Feb 26 00:56:03 UTC 2022 - Ferdinand Thiessen
+
+- Update OVS to version 2.17.0
+ * Userspace datapath:
+ * Optimized flow lookups for datapath flows with simple match criteria.
+ * New per-interface configuration knob 'other_config:tx-steering'.
+ * Removed experimental tag for PMD Auto Load Balance.
+ * New configuration knob 'other_config:n-offload-threads' to change the
+ number of HW offloading threads.
+ * DPDK:
+ * EAL argument --socket-mem is no longer configured by default upon
+ start-up. If dpdk-socket-mem and dpdk-alloc-mem are not specified,
+ DPDK defaults will be used.
+ * EAL argument --socket-limit no longer takes on the value of --socket-mem
+ by default. 'other_config:dpdk-socket-limit' can be set equal to
+ the 'other_config:dpdk-socket-mem' to preserve the legacy memory
+ limiting behavior.
+ * EAL argument --in-memory is applied by default if supported.
+ * Add support for DPDK 21.11.
+ * Forbid use of DPDK multiprocess feature.
+ * Add support for running threads on cores >= RTE_MAX_LCORE.
+ * Python: For SSL support, the use of the pyOpenSSL library has
+ been replaced with the native 'ssl' module.
+ * OVSDB:
+ * Python library for OVSDB clients now also supports faster
+ resynchronization with a clustered database after a brief disconnection,
+ i.e. 'monitor_cond_since' monitoring method.
+ * Major improvement in the performance of the OVSDB server.
+ * OpenFlow:
+ * Default selection method for select groups with up to 256 buckets is
+ now dp_hash. Previously this was limited to 64 buckets. This change
+ is mainly for the benefit of OVN load balancing configurations.
+ * Encap & Decap action support for MPLS packet type.
+- Update OVS to version 2.16.0
+ * Fix CVE-2021-36980 (boo#1188524)
+ openvswitch 2.11.0 through 2.15.0 has a use-after-free in
+ decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode)
+ during the decoding of a RAW_ENCAP action
+ * Removed support for 1024-bit Diffie-Hellman key exchange
+ * Rate limiting configuration now supports setting packet-per-second
+ limits in addition to the previously configurable byte rate settings.
+ * OVSDB:
+ * Introduced new database service model - "relay".
+ * New command line options --record/--replay for ovsdb-server and
+ ovsdb-client to record and replay all the incoming transactions,
+ monitors, etc.
+ * The Python Idl class now has a cooperative_yield() method
+ * In ovs-vsctl and vtep-ctl, the "find" command now accept new
+ operators {in} and {not-in}.
+ * Various Userspace datapath improvements
+ * ovs-ctl:
+ * New option '--no-record-hostname' to disable hostname configuration
+ in ovsdb on startup.
+ * New command 'record-hostname-if-not-set' to update hostname in ovsdb.
+ * ovs-appctl: Added ability to add and delete static mac entries using:
+ 'ovs-appctl fdb/add '
+ 'ovs-appctl fdb/del '
+ * Linux datapath:
+ * ovs-vswitchd will configure the kernel module using per-cpu dispatch
+ mode (if available). This changes the way upcalls are delivered to
+ user space in order to resolve a number of issues with per-vport dispatch.
+ * New vswitchd unixctl command `dpif-netlink/dispatch-mode` will return
+ the current dispatch mode for each datapath.
+- Update OVS to version 2.15.0
+ * OVSDB:
+ * Changed format in which ovsdb transactions are stored in
+ database files. Now each transaction contains diff of data
+ instead of the whole new value of a column.
+ * New unixctl command 'ovsdb-server/get-db-storage-status'
+ * New unixctl command 'ovsdb-server/memory-trim-on-compaction on|off'.
+ * Maximum backlog on RAFT connections limited to 500 messages or 4GB.
+ * DPDK: Removed support for vhost-user dequeue zero-copy.
+ * Add support for DPDK 20.11.
+ * The environment variable OVS_UNBOUND_CONF, if set, is now used
+ as the DNS resolver's (unbound) configuration file.
+ * Linux datapath: Support for kernel versions up to 5.8.x.
+ * Building the Linux kernel module from the OVS source tree is deprecated
+ * Support for the Linux kernel is capped at version 5.8
+ * Only bug fixes for the Linux OOT kernel module will be accepted.
+ * The Linux kernel module will be fully removed from the OVS source tree
+ in OVS branch 2.18
+- Rebased 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
+- Drop upstream fixed 0001-Replace-deprecated-var-run-with-run.patch
+- Separated OVN
+ * Stand alone package, this enables better maintenance
+ especially updates.
+ * Drop 0001-Run-ovn-as-openvswitch-openvswitch.patch from OVN
+
+-------------------------------------------------------------------
+Mon May 10 10:28:32 UTC 2021 - Dirk Müller
+
+- add openssl(cli) dependency on pki (bsc#1185839)
+
+-------------------------------------------------------------------
+Thu Apr 29 16:05:49 UTC 2021 - Jaime Caamaño Ruiz
+
+- Replace deprecated /var/run with /run (bsc#1185176, bsc#1185177).
+ * 0001-Replace-deprecated-var-run-with-run.patch
+
+-------------------------------------------------------------------
+Fri Feb 12 10:36:03 UTC 2021 - Jaime Caamaño Ruiz
+
+- Update openvswitch to 2.14.2. For a list of changes, check
+ https://github.com/openvswitch/ovs/blob/v2.14.2/NEWS
+ Includes security fix for CVE-2020-27827 (bsc#1181345) and CVE-2020-35498
+ (bsc#1181742).
+- Removed patches no longer applying to code base:
+ * 0001-rhel-Fix-reload-of-OVS_USER_ID-on-startup.patch
+ * 0001-ipsec-Fix-Strongswan-configuration-syntax.patch
+
+-------------------------------------------------------------------
+Tue Nov 3 10:50:49 UTC 2020 - Jaime Caamaño Ruiz
+
+- Replaced `%service_del_postun -n` with `%service_del_postun_without_restart`
+ (bsc#1117483).
+
+-------------------------------------------------------------------
+Tue Sep 29 10:41:30 UTC 2020 - Jaime Caamaño Ruiz
+
+- Fix wrong default directories for OVS python utilities (bsc#1176273).
+- Add upstream patches to fix openvswitch-ipsec service (bsc#1176273).
+ * 0001-ipsec-Fix-Strongswan-configuration-syntax.patch
+
+-------------------------------------------------------------------
+Tue Sep 1 13:50:47 UTC 2020 - Jaime Caamaño Ruiz
+
+- Update openvswitch to 2.14.0. For a list of changes, check
+ https://github.com/openvswitch/ovs/blob/v2.14.0/NEWS
+- Update OVN to 20.06.2. For a list of changes, check
+ https://github.com/ovn-org/ovn/blob/v20.06.2/NEWS
+
+-------------------------------------------------------------------
+Mon Jun 15 13:21:22 UTC 2020 - Jaime Caamaño Ruiz
+
+- Fix preserving old default OVS_USER_ID for users that removed the
+ override at /etc/sysconfig/openvswitch or for users affected by
+ fillup bug below (bsc#1172861).
+- Add patch to workaround a possible fillup issue that could cause
+ existing openvswitch configuration to be unintendedly altered during
+ upgrades (bsc#1172929).
+ * 0001-Use-double-hash-for-OVS_USER_ID-comment.patch
+
+-------------------------------------------------------------------
+Wed Jun 3 14:53:21 UTC 2020 - Jaime Caamaño Ruiz
+
+- add missing provides/obsoletes for python3-openvswitch-test
+
+-------------------------------------------------------------------
+Mon May 4 11:38:26 UTC 2020 - Jaime Caamaño Ruiz
+
+- Update openvswitch to 2.13.0.
+ * For a list of changes, check
+ https://github.com/openvswitch/ovs/blob/v2.13.0/NEWS
+ * This version drops python2 binding support. Only python3 bindings
+ provided going forward.
+ * Tool ovs-vlan-bug-workaround is no longer provided.
+- OVN was split to its own repo but is still built together with OVS and as
+ such from this same source package. OVN initial version is 20.03.
+ * For a list of changes, check
+ https://github.com/ovn-org/ovn/blob/v20.03.0/NEWS
+ * Packages openvswitch-ovn* are renamed to ovn*.
+ * OVN now has its own sysconfig and log paths.
+- Add OVS patch to be proposed upstream:
+ * 0001-rhel-Fix-reload-of-OVS_USER_ID-on-startup.patch
+- Patch instead of post-processing configuration files to set running
+ credentials (bsc#1157338):
+ * 0001-Run-openvswitch-as-openvswitch-openvswitch.patch
+ * 0001-Run-ovn-as-openvswitch-openvswitch.patch
+- Will no longer change group ownership of /dev/hugepages to 'hugetlbfs'
+ (bsc#1140835). System admin should mount hugepages on a path and permissions of
+ his choosing for OVS. Add patch:
+ * 0001-Don-t-change-permissions-of-dev-hugepages.patch
+- Will no longer install udev rule to change group ownership of vfio devices to
+ 'hugetlbfs'. Group name does not make much sense in this case and ownership of
+ vfio devices should be coordinated system wide or per device.
+- Will no longer run under group 'hugetlbfs' on new installs with DPDK enabled.
+ OVS will now run under group 'openvswitch' whether compiled with DPDK support
+ or not.
+- OVS persistent state is now saved on /var/lib/openvswitch instead of
+ /etc/openvswitch for new installs.
+
+-------------------------------------------------------------------
+Thu Feb 13 18:06:02 UTC 2020 - Dirk Mueller
+
+- add missing sortedcontainers dependency to the python bindings
+
+-------------------------------------------------------------------
+Mon Oct 28 14:56:34 UTC 2019 - Jaime Caamaño Ruiz
+
+- Update openvswitch to 2.12.0. For a list of changes, check
+ https://github.com/openvswitch/ovs/blob/master/NEWS
+- Removed patches that are already included upstream:
+ * 0001-rhel-secure-openvswitch-useropts.patch
+ * 0002-rhel-let-ctl-handle-runtime-directory.patch
+- Rebased patches:
+ * 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
+
+-------------------------------------------------------------------
+Thu Aug 8 11:55:36 UTC 2019 -
+
+- Fixed missing obsoletes for old python-ovs (bsc#1138948).
+
+-------------------------------------------------------------------
+Tue Jul 16 09:10:42 UTC 2019 -
+
+- Add unbound as a build requirement to support asynchronous DNS
+ resolving for remotes.
+
+-------------------------------------------------------------------
+Thu Jun 20 12:00:42 UTC 2019 -
+
+- Update DPDK dependency to support DPDK 18.11.2.
+ +------------------------------------------------------------------- +Mon Jun 10 17:12:00 UTC 2019 - + +- Add upstream patches to fix bsc#1135884: + * 0001-rhel-secure-openvswitch-useropts.patch + * 0002-rhel-let-ctl-handle-runtime-directory.patch + +------------------------------------------------------------------- +Mon May 6 17:08:26 UTC 2019 - + +- Use temporary directory for python build. + +------------------------------------------------------------------- +Mon Apr 29 14:12:36 UTC 2019 - + +- Fix problem preventing new installs to run as non root (bsc#1132029), + including: + * Align with upstream so that no running configuration is changed on + upgrades, specifically to avoid changes on the user Open vSwitch runs + under. + * hugetblfs groups is created as system group. +- Add missing opnvswitch-ipsec package and systemd service. +- Add patch to use strongswan instead of libreswan for openvswitch-ipsec. + libreswan package not available currently. + * 0001-Use-strongswan-for-openvswitch-ipsec-service.patch +- Add missing ovs-delete-transient-ports systemd service. +- Align installed headers with upstream. +- Fix problem preventing rpm build '--with check'. +- Fix python environment that had directories pointing to /usr/local. +- Version bump to 2.11.1. Some of the changes are: + * netdev-tc-offloads: Fix probe tc block support + * rhel: Include all header files in the Fedora's devel package + * reconnect.c: Don't transition back to ACTIVE when forced to RECONNECT. + * OVN: Make periodic RAs consistent with RA responder. + * OVN: Always send prefix option in RAs + * OVN: Use offset instead of pointer into ofpbuf + * ofproto: fix the bug of bucket counter is not updated + * netdev-dpdk: Print netdev name for txq mapping. + * dpif-netdev-perf: Fix millisecond stats precision with slower TSC. + * ifupdown.sh: Add missing "--may-exist" option + * dpif-netdev-perf: Fix double update of perf histograms. + * dpdk: Stop dumping memzones to stdout. 
+ * dpctl: Drop parser debug information. + * netdev-tc-offloads: Properly get the block id on flow del/get + * netdev-tc-offloads: Improve log message for icmpv6 offload not supported + * conntrack: Replace structure copy by memcpy(). + * conntrack: Lookup only 'UNNAT conns' in 'nat_clean()'. + * conntrack: Fix race for NAT cleanup. + * ovn-nbctl: Don't segfault when ovn-northd doesn't configure dynamic addresses. + * datapath-windows: Add annotations to find vport functions + * datapath-windows: Guard vport usage in user.c + * datapath-windows: Fix potential deadlock in event subscription + * datapath-windows: Fix race condition during port creation + * datapath-windows: Fix nbl cleanup when memory allocation fails + * netdev-linux: Remove ingress qdisc before trying to add shared block + * netdev-tc-offloads: Remove ingress qdisc on tc init flow api + * ovsdb-idl: Fix memory leak of idl->remote. + * travis: Remove 'sudo' configuration. + * OVN: Add port addresses to IPAM after all ports are joined. + * dpif-netlink: Free leaked ofpbuf by using ofpbuf_delete + * OVN: update RA next_announce according to {min, max}_interval + * rconn: Avoid occasional immediate connection failures. + * dpdk: Fix case-sensitivity of dpdk-init knob. + * NEWS: Clean up the 2.11.0 release notes a bit. + * conntrack: Fix L4 csum for V6 extension hdr pkts. + * packets: Change return type for 'packet_csum_upperlayer6()'. + * ovsdb-client: Fix typo. + * ovn-nbctl: Daemon mode should retry when IDL connection lost. + * ofctl: break the loop if ovs_pcap_read returns error + * netlink: added check to prevent netlink attribute overflow + +------------------------------------------------------------------- +Mon Mar 25 14:18:56 UTC 2019 - + +- Disable dpdk on ix86, aligned with dpdk package. + +------------------------------------------------------------------- +Thu Mar 21 15:12:55 UTC 2019 - Jan Engelhardt + +- Combine %service_* calls to reduce generated boilerplate. 
+- Reduce scriptlets' hard dependency on systemd. + +------------------------------------------------------------------- +Thu Feb 28 11:16:58 UTC 2019 - jcaamano@suse.com + +- Version bump to 2.11.0. Some of the changes are: + * Linux datapath: + - Support for the kernel versions 4.16.x and 4.17.x. + - Support for the kernel versions 4.18.x + * OpenFlow: + - OFPMP_TABLE_FEATURES_REQUEST can now modify table features. + * ovs-ofctl: + - "mod-table" command can now change OpenFlow table names. + * The environment variable OVS_SYSLOG_METHOD, if set, is now used + as the default syslog method. + * The environment variable OVS_CTL_TIMEOUT, if set, is now used + as the default timeout for control utilities. + * ovn: + - OVN-SB schema changed: duplicated IP with same Encapsulation type + is not allowed any more. Please refer to + Documentation/intro/install/ovn-upgrades.rst for the instructions + in case there are problems encountered when upgrading from an earlier + version. + - New support for IPSEC encrypted tunnels between hypervisors. + - ovn-ctl: allow passing user:group ids to the OVN daemons. + - IPAM/MACAM: + * add the capability to dynamically assign just L2 addresses + * add the capability to specify a static ip address and get the L2 one + allocated dynamically using the following syntax: + ovn-nbctl lsp-set-addresses "dynamic " + * DPDK: + - Add support for DPDK 18.11 + - Add support for port representors. + * Userspace datapath: + - Add option for simple round-robin based Rxq to PMD assignment. + It can be set with pmd-rxq-assign. + - Add support for Auto load balancing of PMDs (experimental) + - Added new per-port configurable option to manage EMC: + 'other_config:emc-enable'. + * Add 'symmetric_l3' hash function. + * OVS now honors 'updelay' and 'downdelay' for bonds with LACP configured. + * ovs-vswitchd: + - New configuration option "offload-rebalance", that enables dynamic + rebalancing of offloaded flows. 
+ * The environment variable OVS_RESOLV_CONF, if set, is now used
+ as the DNS server configuration file.
+ * RHEL packaging:
+ - OVN packages are split from OVS packages. A new spec
+ file - ovn-fedora.spec.in is added to generate OVN packages.
+- Revisit DISABLE_RESTART_ON_UPDATE and DISABLE_STOP_ON_REMOVAL options
+ (bsc#1117483). DISABLE_STOP_ON_REMOVAL is removed. DISABLE_RESTART_ON_UPDATE
+ is replaced by '%service_del_postun -n'. $FIRST_ARG is replaced by $1.
+- Add extra openvswitch headers (bsc#1125897).
+
+-------------------------------------------------------------------
+Fri Feb 15 16:16:32 UTC 2019 - jcaamano@suse.com
+
+- Obsolete old python[2]-openvswitch-test subpackages (bsc#1124435).
+
+-------------------------------------------------------------------
+Thu Jan 24 16:52:16 UTC 2019 - jcaamano@suse.com
+
+- Fixed package name libopenvswitch-2_10-0 to libopenvswitch-2_11-0
+
+-------------------------------------------------------------------
+Thu Jan 24 11:34:15 UTC 2019 - Jaime Caamaño (jcaamano@suse.com)
+
+- Version bump to 2.11.0+git20190123.ad83fc9ab. Some of the changes are:
+ * Linux datapath:
+ - Support for the kernel versions 4.16.x and 4.17.x.
+ * OpenFlow:
+ - OFPMP_TABLE_FEATURES_REQUEST can now modify table features.
+ * ovs-ofctl:
+ - "mod-table" command can now change OpenFlow table names.
+ * The environment variable OVS_SYSLOG_METHOD, if set, is now used
+ as the default syslog method.
+ * The environment variable OVS_CTL_TIMEOUT, if set, is now used
+ as the default timeout for control utilities.
+ * ovn:
+ - OVN-SB schema changed: duplicated IP with same Encapsulation type
+ is not allowed any more. Please refer to
+ Documentation/intro/install/ovn-upgrades.rst for the instructions
+ in case there are problems encountered when upgrading from an earlier
+ version.
+ - New support for IPSEC encrypted tunnels between hypervisors.
+ - ovn-ctl: allow passing user:group ids to the OVN daemons.
+ - IPAM/MACAM:
+ * add the capability to dynamically assign just L2 addresses
+ * add the capability to specify a static ip address and get the L2 one
+ allocated dynamically using the following syntax:
+ ovn-nbctl lsp-set-addresses "dynamic "
+ * DPDK:
+ - Add support for DPDK 18.11
+ - Add support for port representors.
+ * Userspace datapath:
+ - Add option for simple round-robin based Rxq to PMD assignment.
+ It can be set with pmd-rxq-assign.
+ - Add support for Auto load balancing of PMDs (experimental)
+ - Added new per-port configurable option to manage EMC:
+ 'other_config:emc-enable'.
+ * Add 'symmetric_l3' hash function.
+ * OVS now honors 'updelay' and 'downdelay' for bonds with LACP configured.
+ * ovs-vswitchd:
+ - New configuration option "offload-rebalance", that enables dynamic
+ rebalancing of offloaded flows.
+ * The environment variable OVS_RESOLV_CONF, if set, is now used
+ as the DNS server configuration file.
+ * RHEL packaging:
+ - OVN packages are split from OVS packages. A new spec
+ file - ovn-fedora.spec.in is added to generate OVN packages.
+- Remove upstreamed patch:
+ * 0001-python-c-ext-Fix-memory-leak-in-Parser_finish.patch
+- Remove DISABLE_RESTART_ON_UPDATE and DISABLE_STOP_ON_REMOVAL options (bsc#1117483).
+
+-------------------------------------------------------------------
+Sun Jan 20 07:58:20 UTC 2019 - Thomas Bechtold
+
+- python2-ovs provides now also python-ovs which is the standard
+ for singlespec python packages.
+
+-------------------------------------------------------------------
+Mon Nov 26 11:07:30 UTC 2018 - jcaamano@suse.com
+
+- Backport upstream fix for python json parser memory leak (bsc#1116437)
+ * 0001-python-c-ext-Fix-memory-leak-in-Parser_finish.patch
+
+-------------------------------------------------------------------
+Thu Nov 8 11:17:38 UTC 2018 - Markos Chandras
+
+- Improve python packaging (bsc#1115085)
+ * Rename python*-openvswitch subpackages to python*-ovs to follow
+ the openSUSE policy that packages should be named after the modules
+ they install.
+ * Build the JSON C bindings and as a result the 'noarch' BuildArch
+ needs to be removed.
+ * Drop the python*-openvswitch-test packages and merge them with the
+ test subpackage
+ * Build the python bindings using setuptools
+ * Include the egg-info package.
+ * Use libopenvswitch as dependency to python bindings
+
+-------------------------------------------------------------------
+Mon Oct 22 09:38:00 UTC 2018 - Markos Chandras
+
+- Version bump to 2.10.1. Some of the changes are:
+ * dpif-netdev.at: Add missing backslash.
+ * ofproto-dpif-xlate: Avoid deadlock on multicast snooping recursion.
+ * dpif-netdev-perf: Print SMC statistics.
+ * dpif-netdev-unixctl: Change 'masked' to 'megaflow'.
+ * ovn-controller: Support processing DHCPv6 information request message type
+ * ovn-ctl: Fix the wrong pidfile argument passed to ovsdb-servers
+ * ovndb-servers.ocf: Add ssl support for managing OVN DB resources with pacemaker using LB VIP.
+ * ovn-ctl: Allow passing ssl certs when starting OVN DBs in ssl mode.
+ * expr: Disallow < <= >= > comparisons against empty value set.
+ * expr: Set a limit on the depth of nested parentheses
+ * ovn: Fix IPv6 DAD failure for container ports
+ * dpif-netdev: Add vlan to mask for flow_put operation.
+ * ovs-save: Parse geneve tlv map correctly.
+ * extend-table: Fix a bug that iterates wrong table
+ * odp-util: Fix a use-after-free bug.
+ * ofp-packet: Fix NXT_RESUME with geneve tunnel metadata
+ * dpif-netlink: Fix null pointer.
+ * ofproto-dpif-xlate.c: Fix uninitialized variable warning.
+ * dpif: Remove support for multiple queues per port.
+ * dpif-netlink: don't allocate per thread netlink sockets
+ * ovsdb-types: Refactor structs so as to comply with C++ standard
+ * bfd: Make the tp_dst masking megaflow-friendly.
+ * ovsdb-data: Improve grammar in error message.
+ * condition: Reject <, <=, >=, > with optional scalar against empty set.
+ * condition: Fix ==, !=, includes, excludes on optional scalars.
+ * netdev: Properly clear 'details' when iterating in NETDEV_QOS_FOR_EACH.
+ * lex: Fix buffer overrun parsing overlong hexadecimal constants.
+ * sflow: Set agent address properly based on collector address.
+ * ovsdb-client: Fix a bug that uses wrong index
+ * ofproto: Fix build with some GCC versions.
+ * ofproto-dpif-xlate: Fix conntrack fields on NXT_RESUME
+ * ofproto: Handle OpenFlow version mismatch for requestforward with groups.
+ * ovs-save: save and restore groups on restart
+ * sparse: check if floatn-common.h is available.
+ * flow: Fix uninitialized flow fields in IPv6 error case.
+ * ofproto-dpif: Fix NXT_RESUME flow stats
+ * ovn: Add the documentation for the DHCP opt 'wpad' in proper section
+ * meta-flow: Make "nw_frag" a synonym for "ip_frag".
+ * gre: Rename fallback devices to avoid udev's interference
+ * ovsdb-server: Alleviate the possible data loss in an active/standby setup
+ * ovsdb-idlc: Use ALIGNED_CAST to avoid spurious warnings for index rows.
+ * ofproto-dpif-xlate: Fix translation of groups with no buckets.
+ * ovn: Add DHCP support for option 252.
+ * ofp-port: Don't leak on error in ofputil_pull_ofp14_port_stats().
+ * ofp-print: Fix a memory leak reported by fuzz
+ * ovs-save: Don't always include the default flow during restore
+ * lib/tc: treat vlan id and prio as independent fields
+ * odp-util: Don't attempt to write IPv6 flow label bits that don't exist.
+ * lib/tc: reject offloading of non-Ethernet packets
+ * dhparams: Fix .c file generation with OpenSSL >= 1.1.1-pre9
+ * ovs-ctl: Allow add-remote without vswitchd started.
+ * system-traffic: Fix conntrack per zone limit test.
+ * erspan: set erspan_ver to 1 by default when adding an erspan dev
+ * ovn.at: Skip ACL rate-limiting test on slow/overloaded systems.
+ * daemon-unix: Use same name for original or restarted children.
+ * dpif-netdev: Prevent unsafe access when retrieving meter stats.
+ * utilities: Drop shebang from bash completion script
+ * ofp-actions: Re-fix error path for parsing OpenFlow actions.
+ * nx-match: Avoid double-free on some error paths.
+ * netdev-dpdk: Support the link speed of XL710
+ * ovn-northd: Support learning neighbor from ARP request.
+ * ovn-northd: LR respond ARP from valid subnet only.
+ * ovn: Fix the issue in IPv6 Neigh Solicitation responder for router IPs
+ * dpctl: Fix memory leak in dp_exists().
+ * ofproto-dpif: Check for EBUSY as well
+ * tunnel, tests: Sort flow output in ERSPAN v1/v2 metadata
+ * erspan: add big endian bit fields.
+
+-------------------------------------------------------------------
+Thu Sep 27 16:06:58 UTC 2018 - Markos Chandras
+
+- Use correct user for logrotate script (bsc#1104049, b096fa42ddc2)
+
+-------------------------------------------------------------------
+Mon Sep 24 12:46:34 UTC 2018 - Markos Chandras
+
+- Fix package name for shared library.
+
+-------------------------------------------------------------------
+Tue Aug 28 09:21:19 UTC 2018 - mchandras@suse.de
+
+- Version bump to 2.10.0. Some of the changes are:
+ * ovs-vswitchd and utilities now support DNS names in OpenFlow and
+ OVSDB remotes.
+ * ovs-vswitchd:
+ - New options --l7 and --l7-len to "ofproto/trace" command.
+ - Previous versions gave OpenFlow tables default names of the form
+ "table#". These are not helpful names for the purpose of accepting
+ and displaying table names, so now tables by default have no names.
+ - The "null" interface type, deprecated since 2013, has been removed.
+ - Add minimum network namespace support for Linux.
+ - New command "lacp/show-stats"
+ * ovs-ofctl:
+ - ovs-ofctl now accepts and display table names in place of numbers. By
+ default it always accepts names and in interactive use it displays them;
+ use --names or --no-names to override. See ovs-ofctl(8) for details.
+ * ovs-vsctl: New commands "add-bond-iface" and "del-bond-iface".
+ * ovs-dpctl:
+ - New commands "ct-set-limits", "ct-del-limits", and "ct-get-limits".
+ * OpenFlow:
+ - OFPT_ROLE_STATUS is now available in OpenFlow 1.3.
+ - OpenFlow 1.5 extensible statistics (OXS) now implemented.
+ - New OpenFlow 1.0 extensions for group support.
+ - Default selection method for select groups is now dp_hash with improved
+ accuracy.
+ * ovn:
+ - Implemented icmp4/icmp6/tcp_reset actions in order to drop the packet
+ and reply with a RST for TCP or ICMPv4/ICMPv6 unreachable message for
+ other IPv4/IPv6-based protocols whenever a reject ACL rule is hit.
+ - ACL match conditions can now match on Port_Groups as well as address
+ sets that are automatically generated by Port_Groups. ACLs can be
+ applied directly to Port_Groups as well.
+ - ovn-nbctl can now run as a daemon (long-lived, background process).
+ See ovn-nbctl(8) for details.
+ * DPDK:
+ - New 'check-dpdk' Makefile target to run a new system testsuite.
+ See Testing topic for the details.
+ - Add LSC interrupt support for DPDK physical devices.
+ - Allow init to fail and record DPDK status/version in OVS database.
+ - Add experimental flow hardware offload support
+ - Support both shared and per port mempools for DPDK devices.
+ * Userspace datapath:
+ - Commands ovs-appctl dpif-netdev/pmd-*-show can now work on a single PMD
+ - Detailed PMD performance metrics available with new command
+ ovs-appctl dpif-netdev/pmd-perf-show
+ - Supervision of PMD performance metrics and logging of suspicious
+ iterations
+ - Add signature match cache (SMC) as experimental feature. When turned on,
+ it improves throughput when traffic has many more flows than EMC size.
+ * ERSPAN:
+ - Implemented ERSPAN protocol (draft-foschiano-erspan-00.txt) for
+ both kernel datapath and userspace datapath.
+ - Added port-based and flow-based ERSPAN tunnel port support, added
+ OpenFlow rules matching ERSPAN fields. See ovs-fields(7).
+
+-------------------------------------------------------------------
+Thu Aug 16 08:26:19 UTC 2018 - mchandras@suse.de
+
+- Fix conditional to only include vfio udev rules when building with
+ DPDK support
+- Exclude %_docdir from main package which seems to be packaged by
+ default on older openSUSE releases.
+
+-------------------------------------------------------------------
+Thu Jun 7 10:00:35 UTC 2018 - mchandras@suse.de
+
+- Restrict DPDK version to 18.02 since Open vSwitch 2.9 is not going
+ to work with any newer releases.
+
+-------------------------------------------------------------------
+Tue May 29 08:06:29 UTC 2018 - mchandras@suse.de
+
+- Version bump to 2.9.2. Some of the changes are:
+ * OVSDB has new, experimental support for database clustering:
+ - New high-level documentation in ovsdb(7).
+ - New file format documentation for developers in ovsdb(5).
+ - Protocol documentation moved from ovsdb-server(1) to ovsdb-server(7).
+ - ovsdb-server now supports online schema conversion via
+ "ovsdb-client convert".
+ - ovsdb-server now always hosts a built-in database named _Server. See
+ ovsdb-server(5) for more details.
+ - ovsdb-client: New "get-schema-cksum", "query", "backup", "restore",
+ and "wait" commands. New --timeout option.
+ - ovsdb-tool: New "create-cluster", "join-cluster", "db-cid", "db-sid",
+ "db-local-address", "db-is-clustered", "db-is-standalone", "db-name",
+ "schema-name", "compare-versions", and "check-cluster" commands.
+ - ovsdb-server: New ovs-appctl commands for managing clusters.
+ - ovs-sandbox: New support for clustered databases.
+ * OVN:
+ - ovn-sbctl, ovn-nbctl: New options --leader-only, --no-leader-only.
+ * Bug fixes
+
+- Use openvswitch user/group for the log directory (3f556d66edb9)
+
+-------------------------------------------------------------------
+Wed May 9 07:24:44 UTC 2018 - mchandras@suse.de
+
+- Add support for RedHat distributions. All SUSE macros are now
+ conditional and the spec file has been adapted based on the upstream
+ one (fate#324537)
+- spec-cleaner fixes
+
+-------------------------------------------------------------------
+Wed May 2 07:58:27 UTC 2018 - mchandras@suse.de
+
+- Move openvswitch user/group creation to %pre scriptlet. The default
+ ownership of the configuration files expects the user and group to
+ be available as early as possible (bsc#1091408)
+- spec-cleaner fixes.
+
+-------------------------------------------------------------------
+Mon Apr 23 09:33:02 UTC 2018 - mchandras@suse.de
+
+- Preserve 'enable' status of openvswitch.service file when upgrading
+ from naming scheme is broken, and as such a
+ device will not be available for use until a valid dpdk-devargs is
+ specified.
+ - Virtual DPDK Poll Mode Driver (vdev PMD) support.
+ * For the complete list of changes, please see:
+ - http://openvswitch.org/releases/NEWS-2.7.0
+- Add patch to fix DPDK configuration migration for < 2.6 installations
+ * 0001-utilities-Add-script-to-support-DPDK-option-migratio.patch
+- Rework spec file
+ * Enable DPDK by default and drop openvswitch-dpdk* packages. DPDK is only
+ enabled on supported architectures though.
+ - Remove openvswitch-dpdk.changes
+ - Remove openvswitch-dpdk.spec
+ - Remove pre_checkin.sh
+ * Merge openvswitch and openvswitch-switch into a single package since there
+ was no compelling reason to keep the switch functionality in a separate
+ subpackage.
+ * Split OVN package to ovn-common, ovn-central, ovn-docker, ovn-host and
+ ovn-controller similar to the Debian and RedHat packages.
+
+-------------------------------------------------------------------
+Fri Nov 25 16:36:40 UTC 2016 - mchandras@suse.de
+
+- Relax the DPDK dependency a bit so we can support stable and
+ possibly new minor releases as well.
+
+-------------------------------------------------------------------
+Mon Nov 21 11:53:00 UTC 2016 - mchandras@suse.de
+
+- Do not restart the openvswitch service after a package update.
+ Restarting the systemd service may break connectivity so let the
+ user decide when it is the best time for such an action. (bsc#1002734)
+
+-------------------------------------------------------------------
+Thu Nov 3 10:48:32 UTC 2016 - mchandras@suse.de
+
+- Version bump to 2.6.1. Some of the changes are:
+ * ovn: Do not reply to ARP or ND NS for a VM's own IP address.
+ * ovs-ofctl: Tolerate differences in IPv6 formatting.
+ * netdev-linux: double tagged packets should use 0x88a8
+ * expr: Fix abort when simplifying "x != 0/0".
+ * dpif-netdev: Fix crash in dpif_netdev_execute().
+ * ovn-controller: Container can have connection to a hosting VM.
+ * stream-ssl: Fix memory leak on error path.
+ * Other bug fixes.
+
+-------------------------------------------------------------------
+Mon Oct 3 08:26:10 UTC 2016 - mchandras@suse.de
+
+- Version bump to 2.6.0. Some of the changes are:
+ * First supported release of OVN. See ovn-architecture(7) for more
+ details.
+ * ovsdb-server:
+ - New "monitor_cond" "monitor_cond_update" and "update2" extensions to
+ RFC 7047.
+ * OpenFlow:
+ - OpenFlow 1.3+ bundles now expire after 10 seconds since the
+ last time the bundle was either opened, modified, or closed.
+ - OpenFlow 1.3 Extension 230, adding OpenFlow Bundles support, is
+ now implemented.
+ - OpenFlow 1.3+ bundles are now supported for group mods as well as
+ flow mods and port mods. Both 'atomic' and 'ordered' bundle
+ flags are supported for group mods as well as flow mods.
+ - Internal OpenFlow rule representation for load and set-field
+ actions is now much more memory efficient. For a complex flow
+ table this can reduce rule memory consumption by 40%.
+ - Bundles are now much more memory efficient than in OVS 2.5.
+ Together with memory efficiency improvements in OpenFlow rule
+ representation, the peak OVS resident memory use during a
+ bundle commit for large complex set of flow mods can be only
+ 25% of that in OVS 2.5 (4x lower).
+ - OpenFlow 1.1+ OFPT_QUEUE_GET_CONFIG_REQUEST now supports OFPP_ANY.
+ - OpenFlow 1.4+ OFPMP_QUEUE_DESC is now supported.
+ - OpenFlow 1.4+ OFPT_TABLE_STATUS is now supported.
+ - New property-based packet-in message format NXT_PACKET_IN2 with support
+ for arbitrary user-provided data and for serializing flow table
+ traversal into a continuation for later resumption.
+ - New extension message NXT_SET_ASYNC_CONFIG2 to allow OpenFlow 1.4-like
+ control over asynchronous messages in earlier versions of OpenFlow.
+ - [...]
+ - For a complete list of changes, please see
+ http://openvswitch.org/releases/NEWS-2.6.0
+- Remove obsolete patches and files
+ * 0001-Remove-broken-pipe-warning-logs-from-ovsdb-server.lo.patch
+ * 0001-ovs-ctl-Add-new-DPDK_OPTIONS-environment-variable.patch
+ * openvswitch-2.5.0-detect-dpdk-installation.patch
+ * openvswitch-switch.logrotate
+ * openvswitch.service
+
+-------------------------------------------------------------------
+Wed Sep 28 08:06:43 UTC 2016 - mchandras@suse.de
+
+- New upstream bugfix release 2.5.1 (bsc#1001657)
+ * DPDK:
+ - New appctl command 'dpif-netdev/pmd-rxq-show' to check the port/rxq
+ assignment.
+ - Type of log messages from PMD threads changed from INFO to DBG.
+ * ovs-pki: Changed message digest algorithm from SHA-1 to SHA-512 because
+ SHA-1 is no longer secure and some operating systems have started to
+ disable it in OpenSSL.
+ * Bug fixes
+
+-------------------------------------------------------------------
+Tue Sep 6 10:11:49 UTC 2016 - mchandras@suse.de
+
+- Add new DPDK_OPTIONS environment variable to hold the dpdk
+ vswitchd options so that the systemd unit files can be used to
+ launch an ovs-vswitcd DPDK capable instance instead of doing
+ it manually. (bsc#987265)
+ * 0001-ovs-ctl-Add-new-DPDK_OPTIONS-environment-variable.patch
+
+-------------------------------------------------------------------
+Sun Aug 14 11:05:59 CEST 2016 - ro@suse.de
+
+- enable openvswitch-dpdk on aarch64 since dpdk
+ builds on aarch64 now
+
+-------------------------------------------------------------------
+Sun Aug 7 21:11:51 CEST 2016 - ro@suse.de
+
+- remove aarch from openvswitch-dpdk until we have a dpdk
+ that builds for aarch64
+
+-------------------------------------------------------------------
+Tue Jul 12 10:41:14 UTC 2016 - mchandras@suse.de
+
+- Add missing licenses (bsc#988513)
+- Misc spec file cleanups highlighted by the spec-cleaner tool.
+- Allow aarch64 builds for openvswitch-dpdk
+
+-------------------------------------------------------------------
+Mon Jul 4 12:08:06 UTC 2016 - mchandras@suse.de
+
+- Allow the OvS daemon to run as non-root (bsc#987545)
+- Add missing 'Conflicts' statements to all the subpackages as
+ required by the Factory review tools.
+
+-------------------------------------------------------------------
+Wed Jun 29 15:17:07 UTC 2016 - mchandras@suse.de
+
+- Remove the ?_with_dpdk macro usage since this is not being set
+ without explicitly passing --with/--without during an OBS build.
+ This reverts back to using the %{with dpdk} style which is set
+ automatically based on %bcond_with* macros (bsc#989335).
+
+-------------------------------------------------------------------
+Tue Jun 28 13:21:12 UTC 2016 - mchandras@suse.de
+
+- Fix subpackage dependencies to not require the non-existent python
+ DPDK subpackages (bsc#986835). We do not provide DPDK versions of
+ the python bindings so nothing should depend on these subpackages.
+
+-------------------------------------------------------------------
+Wed Jun 22 15:07:01 UTC 2016 - jengelh@inai.de
+
+- Update rpm groups, acronym forms.
+
+-------------------------------------------------------------------
+Tue Jun 21 14:10:15 UTC 2016 - mchandras@suse.de
+
+- Multiple fixes for the openvswitch-dpdk package (bsc#985878)
+ * Rename main package name to openvswitch-dpdk
+ * Do not build the python and kmp packages since they do not
+ depend on the DPDK capabilities
+ * Remove the open_virtual_switch capability. The
+ openvswitch-common will be used by reverse dependencies to
+ require either of the OvS packages.
+ * Provide virtual capabilities for all DPDK subpackages.
+ * Fix the dependencies in the python package to require either
+ of the OvS packages.
+ * Suggest the kmp package only if it's actually provided.
+ * Small cleanups.
+
+-------------------------------------------------------------------
+Fri May 27 13:49:15 UTC 2016 - mchandras@suse.de
+
+- Add %check directive to run the openvswitch testsuite on demand.
+ The openvswitch contains hundreds of tests covering simple and
+ complex openvswitch configuration so it's beneficial to run them
+ during package builds. However, running the testsuite is not enabled
+ by default. Also add the following upstream patch:
+ * 0001-Remove-broken-pipe-warning-logs-from-ovsdb-server.lo.patch
+
+-------------------------------------------------------------------
+Thu May 26 15:40:04 UTC 2016 - mchandras@suse.de
+
+- Build a DPDK-enabled Open vSwitch (fate#319170)
+ * Apply the following changes to the openvswitch.spec file
+ - Add support for building with DPDK capabilities
+ - Add conflicts between the two packages.
+ - Add new 'open_virtual_switch-*' capabilities for openvswitch,
+ openvswitch-switch, openvswitch-test packages which can be used
+ by reverse dependencies to select between the two openvswitch
+ implementations.
+ * Add pre_checkin.sh to generate the openvswitch_dpdk.spec file
+ based on the openvswitch.spec one.
+ * Add upstream openvswitch-2.5.0-detect-dpdk-installation.patch
+ patch to detect and link against a DPDK installation.
+
+-------------------------------------------------------------------
+Mon May 23 18:33:13 UTC 2016 - jengelh@inai.de
+
+- Keep %prep small for speedier `quilt setup`. Kill __DATE__ from
+ source. Drop all .la files that are in %_libdir.
+
+-------------------------------------------------------------------
+Fri May 20 09:54:16 UTC 2016 - mchandras@suse.de
+
+- Add missing %dir directive for /var/log/openvswitch
+
+-------------------------------------------------------------------
+Thu May 19 10:13:41 UTC 2016 - dmueller@suse.com
+
+- remove aarch64 conditional, no longer needed
+
+-------------------------------------------------------------------
+Thu May 5 09:00:26 UTC 2016 - mchandras@suse.de
+
+- Multiple spec file and package fixes.
+ * Drop obsolete log-check-module-loop.patch patch.
+ * Drop conditional code for older openSUSE releases. This also removes
+ all of the sysvinit files which were pulled in when the package was
+ originally developed.
+ * Drop support for building the GUI. The GUI code has been removed in
+ 7868fbc6c97c2 ("ovsdbmonitor: Remove.") upstream commit and it does
+ not exist since v2.2.0 so drop the code in the spec file.
+ * Use the upstream systemd service files for the OVN components instead
+ of maintaining our own downstream.
+ * Drop the unofficial ipsec support. It hasn't been enabled in years.
+ * Drop support for building the upstream kernel module since it's being
+ shipped with the kernel package in latest releases. Restore the
+ %bcond_with kmp to make it easier to build the external kernel module
+ if needed.
+ * Fix some suse-missing-rclink rpmlint warnings for the ovn subpackage
+ * Base our service unit to the upstream one.
+ * Stop silently enabling the GRE protocol in iptables by default.
+ * Install the upstream sysconfig file to pass more information to the
+ openvswitch service unit.
+ * Use make install instead of %makeinstall
+ * Drop brcompat leftovers.
+ * spec-cleaner fixes
+
+-------------------------------------------------------------------
+Fri Apr 1 10:39:26 UTC 2016 - dmueller@suse.com
+
+- address dimstars concerns
+
+-------------------------------------------------------------------
+Tue Mar 22 18:06:40 UTC 2016 - mchandras@suse.de
+
+- Prevent systemd from autogenerating a service file for
+ openvswitch-switch which conflicts with the opevswitch
+ one. (bsc#966762)
+
+-------------------------------------------------------------------
+Fri Mar 18 10:20:02 UTC 2016 - kmroz@suse.com
+
+- Add missing %defattr to ovn files section.
+
+-------------------------------------------------------------------
+Tue Mar 8 13:16:03 UTC 2016 - kmroz@suse.com
+
+- Add additional install requirements for python-openvswitch-test
+ package.
+
+-------------------------------------------------------------------
+Fri Mar 4 14:38:16 UTC 2016 - kmroz@suse.com
+
+- Add support for building both 2.4.0 and 2.5.0 from the same spec
+ file. Needed to fix SLE11 builds as OVS-2.5.0 no longer supports
+ python < 2.7. SLE11 SP3 and SP4 use python 2.6.
+- Added: openvswitch-2.4.0.tar.gz
+
+-------------------------------------------------------------------
+Thu Mar 3 13:47:04 UTC 2016 - kmroz@suse.com
+
+- New upstream version 2.5.0 (LTS)
+ - Dropped support for Python older than version 2.7. As a consequence,
+ using Open vSwitch 2.5 or later on XenServer 6.5 or earlier (which
+ have Python 2.4) requires first installing Python 2.7.
+ - OpenFlow:
+ * Group chaining (where one OpenFlow group triggers another) is
+ now supported.
+ * OpenFlow 1.4+ "importance" is now considered for flow eviction.
+ * OpenFlow 1.4+ OFPTC_EVICTION is now implemented.
+ * OpenFlow 1.4+ OFPTC_VACANCY_EVENTS is now implemented.
+ * OpenFlow 1.4+ OFPMP_TABLE_DESC is now implemented.
+ * Allow modifying the ICMPv4/ICMPv6 type and code fields.
+ * OpenFlow 1.4+ OFPT_SET_ASYNC_CONFIG and OFPT_GET_ASYNC_CONFIG are
+ now implemented.
+ - ovs-ofctl:
+ * New "out_group" keyword for OpenFlow 1.1+ matching on output group.
+ - Tunnels:
+ * Geneve tunnels can now match and set options and the OAM bit.
+ * The nonstandard GRE64 tunnel extension has been dropped.
+ - Support Multicast Listener Discovery (MLDv1 and MLDv2).
+ - Add 'symmetric_l3l4' and 'symmetric_l3l4+udp' hash functions.
+ - sFlow agent now reports tunnel and MPLS structures.
+ - New 'check-system-userspace', 'check-kmod' and 'check-kernel' Makefile
+ targets to run a new system testsuite. These tests can be run inside
+ a Vagrant box. See INSTALL.md for details
+ - Mark --syslog-target argument as deprecated. It will be removed in
+ the next OVS release.
+ - Added --user option to all daemons
+ - Add support for connection tracking through the new "ct" action
+ and "ct_state"/"ct_zone"/"ct_mark"/"ct_label" match fields. Only
+ available on Linux kernels with the connection tracking module loaded.
+ - Add experimental version of OVN. OVN, the Open Virtual Network, is a
+ system to support virtual network abstraction. OVN complements the
+ existing capabilities of OVS to add native support for virtual network
+ abstractions, such as virtual L2 and L3 overlays and security groups.
+ - RHEL packaging:
+ * DPDK ports may now be created via network scripts (see README.RHEL).
+ - DPDK:
+ * Requires DPDK 2.2
+ * Added multiqueue support to vhost-user
+ * Note: QEMU 2.5+ required for multiqueue support
+ - SELinux:
+ * Introduced SELinux policy package.
+
+- New package: openvswitch-ovn
+- Removed: openvswitch-2.4.0.tar.gg
+- Added: openvswitch-2.5.0.tar.gg
+- Added: openvswitch-testcontroller.init
+- Added: ovn-controller-vtep.service
+- Added: ovn-controller.service
+- Added: ovn-northd.service
+- TODO: Explicit DPDK support not yet added to spec.
+- Spec file work and cleanup.
+- Includes fixes (or obsoletes) the following issues:
+ * bsc#948840, bsc#941466, bsc#936780, bnc#935750, bnc#867964
+
+-------------------------------------------------------------------
+Tue Mar 1 08:43:19 UTC 2016 - kmroz@suse.com
+
+- Tighten up openvswitch service ordering.
+ bsc#968205 (openSUSE), bsc#951314 (SLE).
+
+-------------------------------------------------------------------
+Wed Feb 24 15:23:20 UTC 2016 - kmroz@suse.com
+
+- Don't install INSTALL.* files.
+
+-------------------------------------------------------------------
+Wed Feb 24 13:45:52 UTC 2016 - kmroz@suse.com
+
+- Removed: openvswitch-switch.template
+
+-------------------------------------------------------------------
+Wed Feb 24 12:53:50 UTC 2016 - kmroz@suse.com
+
+- New upstream version 2.4.0
+ - Flow table modifications are now atomic, meaning that each packet
+ now sees a coherent version of the OpenFlow pipeline. For
+ example, if a controller removes all flows with a single OpenFlow
+ "flow_mod", no packet sees an intermediate version of the OpenFlow
+ pipeline where only some of the flows have been deleted.
+ - Added support for SFQ, FQ_CoDel and CoDel qdiscs.
+ - Add bash command-line completion support for ovs-vsctl Please check
+ utilities/ovs-command-compgen.INSTALL.md for how to use.
+ - The MAC learning feature now includes per-port fairness to mitigate
+ MAC flooding attacks.
+ - New support for a "conjunctive match" OpenFlow extension, which
+ allows constructing OpenFlow matches of the form "field1 in
+ {a,b,c...} AND field2 in {d,e,f...}" and generalizations. For details,
+ see documentation for the "conjunction" action in ovs-ofctl(8).
+ - Add bash command-line completion support for ovs-appctl/ovs-dpctl/
+ ovs-ofctl/ovsdb-tool commands. Please check
+ utilities/ovs-command-compgen.INSTALL.md for how to use.
+ - The "learn" action supports a new flag "delete_learned" that causes
+ the learned flows to be deleted when the flow with the "learn" action
+ is deleted.
+ - Basic support for the Geneve tunneling protocol. It is not yet
+ possible to generate or match options. This is planned for a future
+ release. The protocol is documented at
+ http://tools.ietf.org/html/draft-gross-geneve-00
+ - The OVS database now reports controller rate limiting statistics.
+ - sflow now exports information about LACP-based bonds, port names, and
+ OpenFlow port numbers, as well as datapath performance counters.
+ - ovs-dpctl functionality is now available for datapaths integrated
+ into ovs-vswitchd, via ovs-appctl. Some existing ovs-appctl
+ commands are now redundant and will be removed in a future
+ release. See ovs-vswitchd(8) for details.
+ - OpenFlow:
+ * OpenFlow 1.4 bundles are now supported for flow mods and port
+ mods. For flow mods, both 'atomic' and 'ordered' bundle flags
+ are trivially supported, as all bundled messages are executed
+ in the order they were added and all flow table modifications
+ are now atomic to the datapath. Port mods may not appear in
+ atomic bundles, as port status modifications are not atomic.
+ * IPv6 flow label and neighbor discovery fields are now modifiable.
+ * OpenFlow 1.5 extended registers are now supported.
+ * The OpenFlow 1.5 actset_output field is now supported.
+ * OpenFlow 1.5 Copy-Field action is now supported.
+ * OpenFlow 1.5 masked Set-Field action is now supported.
+ * OpenFlow 1.3+ table features requests are now supported (read-only).
+ * Nicira extension "move" actions may now be included in action sets.
+ * "resubmit" actions may now be included in action sets. The resubmit
+ is executed last, and only if the action set has no "output" or "group"
+ action.
+ * OpenFlow 1.4+ flow "importance" is now maintained in the flow table.
+ * A new Netronome extension to OpenFlow 1.5+ allows control over the
+ fields hashed for OpenFlow select groups. See "selection_method" and
+ related options in ovs-ofctl(8) for details.
+ - ovs-ofctl has a new '--bundle' option that makes the flow mod commands + ('add-flow', 'add-flows', 'mod-flows', 'del-flows', and 'replace-flows') + use an OpenFlow 1.4 bundle to operate the modifications as a single + atomic transaction. If any of the flow mods in a transaction fail, none + of them are executed. All flow mods in a bundle appear to datapath + lookups simultaneously. + - ovs-ofctl 'add-flow' and 'add-flows' commands now accept arbitrary flow + mods as an input by allowing the flow specification to start with an + explicit 'add', 'modify', 'modify_strict', 'delete', or 'delete_strict' + keyword. A missing keyword is treated as 'add', so this is fully + backwards compatible. With the new '--bundle' option all the flow mods + are executed as a single atomic transaction using an OpenFlow 1.4 bundle. + - ovs-pki: Changed message digest algorithm from MD5 to SHA-1 because + MD5 is no longer secure and some operating systems have started to disable + it in OpenSSL. + - ovsdb-server: New OVSDB protocol extension allows inequality tests on + "optional scalar" columns. See ovsdb-server(1) for details. + - ovs-vsctl now permits immutable columns in a new row to be modified in + the same transaction that creates the row. + - test-controller has been renamed ovs-testcontroller at request of users + who find it useful for testing basic OpenFlow setups. It is still not + a necessary or desirable part of most Open vSwitch deployments. + - Support for travis-ci.org based continuous integration builds has been + added. Build failures are reported to build@openvswitch.org. See INSTALL.md + file for additional details. + - Support for the Rapid Spanning Tree Protocol (IEEE 802.1D-2004). + The implementation has been tested successfully against the Ixia Automated + Network Validation Library (ANVL). + - Stats are no longer updated on fake bond interface. + - Keep active bond slave selection across OVS restart. 
+ - A simple wrapper script, 'ovs-docker', to integrate OVS with Docker + containers. If and when there is a native integration of Open vSwitch + with Docker, the wrapper script will be retired. + - Added support for DPDK Tunneling. VXLAN, GRE, and Geneve are supported + protocols. This is generic tunneling mechanism for userspace datapath. + - Support for multicast snooping (IGMPv1, IGMPv2 and IGMPv3) + - Support for Linux kernels up to 4.0.x + - The documentation now use the term 'destination' to mean one of syslog, + console or file for vlog logging instead of the previously used term + 'facility'. + - Support for VXLAN Group Policy extension + - Initial support for the IETF Auto-Attach SPBM draft standard. This + contains rudimentary support for the LLDP protocol as needed for + Auto-Attach. + - The default OpenFlow and OVSDB ports are now the IANA-assigned + numbers. OpenFlow is 6653 and OVSDB is 6640. + - Support for DPDK vHost. + - Support for outer UDP checksums in Geneve and VXLAN. + - The kernel vports with dependencies are no longer part of the overall + openvswitch.ko but built and loaded automatically as individual kernel + modules (vport-*.ko). + - Support for STT tunneling. + - Support to configure method (--syslog-method argument) that determines + how daemons will talk with syslog. + - Support for "ovs-appctl vlog/list-pattern" command that lets to query + logging message format for each destination. + - GRE64 and ipsec_gre64 tunnel protocol is deprecated and will be removed + from OVS v2.5 release. + * The openvswitch-testcontroller package is new. It reintroduces the + simple OpenFlow controller that was packaged with Open vSwitch prior to + version 2.1, at request of users who find it useful for testing basic + OpenFlow setups. It is still not a necessary or desirable part of most + Open vSwitch deployments. + +- Fixed: log-check-module-loop.patch to work with new version. 
+- Removed: openvswitch-2.3.1.tar.gz +- Added: openvswitch-2.4.0.tar.gz +- Spec file work and cleanup. + +------------------------------------------------------------------- +Sun Jan 10 17:55:22 UTC 2016 - antoine.belvire@laposte.net + +- Add calls to /sbin/ldconfig in %post and %postun +- Fix typo in Url + +------------------------------------------------------------------- +Sun Dec 28 21:27:49 UTC 2014 - andrea@opensuse.org + +- new upstream version 2.3.1 + - Compatibility with autoconf 2.63 (previously >=2.64) + - ovs-pki: Changed message digest algorithm from MD5 to SHA-1 because + MD5 is no longer secure and some operating systems have started to disable + it in OpenSSL. + - Keep active bond slave selection across OVS restart. + +* v2.3.0 - 14 Aug 2014 + - OpenFlow 1.1, 1.2, and 1.3 are now enabled by default in + ovs-vswitchd. + - Linux kernel datapath now has an exact match cache optimizing the + flow matching process. + - Datapath flows now have partially wildcarded tranport port field + matches. This reduces userspace upcalls, but increases the + number of different masks in the datapath. The kernel datapath + exact match cache removes the overhead of matching the incoming + packets with the larger number of masks, but when paired with an + older kernel module, some workloads may perform worse with the + new userspace. + +* v2.2.0 - Internal Release + - Internal ports are no longer brought up by default, because it + should be an administrator task to bring up devices as they are + configured properly. + - ovs-vsctl now reports when ovs-vswitchd fails to create a new port or + bridge. + - The "ovsdbmonitor" graphical tool has been removed, because it was + poorly maintained and not widely used. + - New "check-ryu" Makefile target for running Ryu tests for OpenFlow + controllers against Open vSwitch. See INSTALL for details. + - Added IPFIX support for SCTP flows and templates for ICMPv4/v6 flows. 
+ - Upon the receipt of a SIGHUP signal, ovs-vswitchd no longer reopens its + log file (it will terminate instead). Please use 'ovs-appctl vlog/reopen' + instead. + - Support for Linux kernels up to 3.14. From Kernel 3.12 onwards OVS uses + tunnel API for GRE and VXLAN. + - Added experimental DPDK support. + - Added support for custom vlog patterns in Python + +- removed datapath-Add-support-for-Linux-3.12.patch no more required +- removed sle11-device-ops-backport.diff , not used before + +------------------------------------------------------------------- +Tue Oct 21 11:24:25 UTC 2014 - dmueller@suse.com + +- fix rcX link + +------------------------------------------------------------------- +Tue Sep 23 08:40:15 UTC 2014 - dmueller@suse.com + +- disable shipped kmp module build for newer distros + +------------------------------------------------------------------- +Mon Sep 22 07:11:35 UTC 2014 - dmueller@suse.com + +- update to 2.1.3: + datapath: Drop packets when interdev is not up + Fix two memory leaks. + tests: Remove extraneous parenthesis from test name. + build: Allow building with autoconf 2.63 + ovsdb: Don't add ovsdb-server.c to libovsdb. + stp: Make stp-disabled port forward stp bpdu packets. + dpif-linux: Fix bad backport in previous commit. + dpif-linux: Avoid null dereference if all ports disappear. + ofp-msgs: Correct code for queue configuration messages in OpenFlow 1.0. + ofp-util: Fix null pointer dereference in ofputil_pull_buckets(). + tests: Disable glibc memory checking under glibc <= 2.11. + datapath/flow_netlink: Fix NDP flow mask validation + datapath: Change u64_stats_* to use _irq instead of _bh(). + datapath: Use exact lookup for flow_get and flow_del. + json: Fix parsing of strings that end with a backslash. + dpif: When executing actions needs help, use "set" action to set tunnel. + datapath: Rehash 16-bit skbuff hashes into 32 bits. + upcall: Configure datapath max-idle through ovs-vsctl. 
+ upcall: Add appctl call to set flow_limit. + stream-ssl: Enable TLSv1.1 and TLSv1.2. + lib/classifier: Fix use of uninitialized memory. + lib/classifier: Clarify trie_lookup_value(). + ovs-lib: allow non-root users to check service status + rhel: Add Patch Port support to initscripts + rhel: support persistent mac addresses on OVS bridges + netflow: Fold netflow_expire() into netflow_flow_clear(). + ofproto: Fix memory leak in ofproto_destroy(). + ofproto: Send monitor updates if a flow mod changes a rules actions + lib/match: Add mask bits for nd_target for ICMPv6 + bridge: Initialize dscp for mgmt connections. + datapath: Fix build from stats backport. + openvswitch: fix a possible deadlock and lockdep warning + AUTHORS: Fix spelling of Anoob Soman's name. + ofproto-dpif-xlate: Fix null pointer dereference + ovs-ctl: Don't decrease max open fds if already set higher + Makefiles: Fix invocation of dot2pic when builddir != srcdir. + dot2pic: Stop assuming the path of the interpreter + dot2pic: Use "> $@; mv $@.tmp $@" notation to make this reliably fail + tunnel: Fix bug where misconfiguration persists. + netdev: Safely increment refcount in netdev_open(). + datapath: Fix feature check for HAVE_RXHASH. + datapath: clear l4_rxhash in skb_clear_hash. + ofproto-dpif-xlate: Fix in_port=controller case for NORMAL action + +------------------------------------------------------------------- +Fri May 2 03:38:11 UTC 2014 - e.istomin@edss.ee + +- updated to 2.1.2. + This contains bug fixes related to sending packet-in messages to the controller. + +------------------------------------------------------------------- +Tue Apr 29 17:16:22 UTC 2014 - e.istomin@edss.ee + +- updated to 2.1.1. This release removes the "ovsdbmonitor" program and contains bug fixes. 
+ +------------------------------------------------------------------- +Wed Apr 2 14:25:35 UTC 2014 - kmroz@suse.com + +- Prevent ovsdb-server from entering an infinite loop when + processing logging levels during bringup. + added: log-check-module-loop.patch + +------------------------------------------------------------------- +Thu Mar 27 12:56:32 UTC 2014 - dmueller@suse.com + +- update to 2.1.0: + - Address prefix tracking support for flow tables. New columns + "prefixes" in OVS-DB table "Flow_Table" controls which packet + header fields are used for address prefix tracking. Prefix + tracking allows the classifier to skip rules with longer than + necessary prefixes, resulting in better wildcarding for datapath + flows. Default configuration is to not use any fields for prefix + tracking. However, if any flow tables contain both exact matches + and masked matches for IP address fields, OVS performance may be + increased by using this feature. + * As of now, the fields for which prefix lookup can be enabled + are: 'tun_id', 'tun_src', 'tun_dst', 'nw_src', 'nw_dst' (or + aliases 'ip_src' and 'ip_dst'), 'ipv6_src', and 'ipv6_dst'. + (Using this feature for 'tun_id' would only make sense if the + tunnel IDs have prefix structure similar to IP addresses.) + * There is a maximum number of fields that can be enabled for any + one flow table. Currently this limit is 3. + * Examples: + $ ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ + --id=@N1 create Flow_Table name=table0 + $ ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ + --id=@N1 create Flow_Table name=table1 + $ ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src + $ ovs-vsctl set Flow_Table table1 prefixes=[] + - TCP flags matching: OVS now supports matching of TCP flags. This + has an adverse performance impact when using OVS userspace 1.10 + or older (no megaflows support) together with the new OVS kernel + module. It is recommended that the kernel and userspace modules + both are upgraded at the same time. 
+ - The default OpenFlow and OVSDB ports will change to + IANA-assigned numbers in a future release. Consider updating + your installations to specify port numbers instead of using the + defaults. + - OpenFlow: + * The OpenFlow 1.1+ "Write-Actions" instruction is now supported. + * OVS limits the OpenFlow port numbers it assigns to port 32767 and + below, leaving port numbers above that range free for assignment + by the controller. + * ovs-vswitchd now honors changes to the "ofport_request" column + in the Interface table by changing the port's OpenFlow port + number. + - ovs-vswitchd.conf.db.5 man page will contain graphviz/dot + diagram only if graphviz package was installed at the build time. + - Support for Linux kernels up to 3.11 + - ovs-dpctl: + The "show" command also displays mega flow mask stats. + - ovs-ofctl: + * New command "ofp-parse-pcap" to dump OpenFlow from PCAP files. + - ovs-controller has been renamed test-controller. It is no longer + packaged or installed by default, because too many users assumed + incorrectly that ovs-controller was a necessary or desirable part + of an Open vSwitch deployment. + - Added vlog option to export to a UDP syslog sink. + - ovsdb-client: + * The "monitor" command can now monitor all tables in a database, + instead of being limited to a single table. + - The flow-eviction-threshold has been replaced by the flow-limit which is a + hard limit on the number of flows in the datapath. It defaults to 200,000 + flows. OVS automatically adjusts this number depending on network + conditions. 
+ +------------------------------------------------------------------- +Thu Mar 27 12:55:44 UTC 2014 - dmueller@suse.com + +- allow to use kmod as well + +------------------------------------------------------------------- +Mon Feb 3 17:13:36 UTC 2014 - dmueller@suse.com + +- another fix in logrotate + +------------------------------------------------------------------- +Mon Jan 27 10:42:05 UTC 2014 - dmueller@suse.com + +- fix logrotate configuration + +------------------------------------------------------------------- +Tue Jan 21 08:48:03 UTC 2014 - dmueller@suse.com + +- add openvswitch.service for systemd distros + +------------------------------------------------------------------- +Tue Jan 14 15:03:56 UTC 2014 - dmueller@suse.com + +- add kernel-312.diff (build against Kernel 3.12.x) + +------------------------------------------------------------------- +Fri Jan 3 17:54:10 UTC 2014 - dmueller@suse.com + +- do not build with valgrind-devel on aarch64 (doesn't exist) + +------------------------------------------------------------------- +Thu Dec 5 13:14:11 UTC 2013 - dmueller@suse.com + +- update to 2.0.0: + - The ovs-vswitchd process is no longer single-threaded. Multiple + threads are now used to handle flow set up and asynchronous + logging. + - OpenFlow: + * Experimental support for OpenFlow 1.1 (in addition to 1.2 and + 1.3, which had experimental support in 1.10). + * New support for matching outer source and destination IP address + of tunneled packets, for tunnel ports configured with the newly + added "remote_ip=flow" and "local_ip=flow" options. + * Support for matching on metadata 'pkt_mark' for interacting with + other system components. On Linux this corresponds to the skb + mark. + * Support matching, rewriting SCTP ports + - The Interface table in the database has a new "ifindex" column to + report the interface's OS-assigned ifindex. + - New "check-oftest" Makefile target for running OFTest against Open + vSwitch. See README-OFTest for details. 
+ - The flow eviction threshold has been moved to the Open_vSwitch table. + - Database names are now mandatory when specifying ovsdb-server options + through database paths (e.g. Private key option with the database name + should look like "--private-key=db:Open_vSwitch,SSL,private_key"). + - Added ovs-dev.py, a utility script helpful for Open vSwitch developers. + - Support for Linux kernels up to 3.10 + - ovs-ofctl: + * New "ofp-parse" for printing OpenFlow messages read from a file. + - Added configurable flow caching support to IPFIX exporter. + - Dropped support for Linux pre-2.6.32. + - Log file timestamps and ovsdb commit timestamps are now reported + with millisecond resolution. (Previous versions only reported + whole seconds.) + +------------------------------------------------------------------- +Wed Dec 4 11:44:02 CET 2013 - jsuchome@suse.cz + +- added try-restart action to openvswitch-switch init script + (bnc#849222) + +------------------------------------------------------------------- +Wed Nov 20 02:51:57 UTC 2013 - kmroz@suse.com + +- Incorporate ubuntu Linux 3.11 fix to prevent kernel datapath panics. + Addresses bnc#851395 + + added datapath-add-support-for-linux-3.11.patch +------------------------------------------------------------------- +Tue Oct 1 07:21:16 UTC 2013 - speilicke@suse.com + +- Let openvswitch-switch depend on util-linux instead of uuid-runtime + (Debian package name). 
The ovs-ctl / ovs-pki tools use /usr/bin/uuidgen + +------------------------------------------------------------------- +Tue Sep 24 13:17:25 UTC 2013 - bwiedemann@suse.com + +- add vlan_apichange.patch to compensate kernel API changes + between 3.8 and 3.11 in commits f646968f and 86a9bad3 + +------------------------------------------------------------------- +Fri Sep 13 15:25:40 UTC 2013 - dmueller@suse.com + +- update to 1.11.0: + * http://openvswitch.org/releases/NEWS-1.11.0 +- remove accept-newer-kernel-versions.diff + +------------------------------------------------------------------- +Fri Sep 13 10:09:18 UTC 2013 - dmueller@suse.com + +- sign modules for secure boot (bnc#839838) + +------------------------------------------------------------------- +Tue Jul 2 17:08:11 UTC 2013 - tpaszkowski@novell.com + +- Build openvswitch kernel module for xen kernel flavor. + +------------------------------------------------------------------- +Sun Jun 16 05:30:24 UTC 2013 - vuntz@suse.com + +- Add openvswitch-ipsec.init, Module.supported, + Module.supported.updates and README.packager as sources: they + were not listed as such. +- Install openvswitch-ipsec.init if we build ipsec support. 
+ +------------------------------------------------------------------- +Thu Jun 6 14:28:07 UTC 2013 - tpaszkowski@novell.com + +- mark openvswitch module shipped with package as supported + +------------------------------------------------------------------- +Fri May 17 11:58:32 UTC 2013 - dmueller@suse.com + +- only call boot.sh for newer distros +- build parallel +- accept-newer-kernel-versions.diff: + Accept newer kernel versions +- sle11-device-ops-backport.diff + Handle sle11 device ops backport + +------------------------------------------------------------------- +Fri May 3 14:28:00 UTC 2013 - e.istomin@edss.ee + +- New upstream version 1.10.0 + http://openvswitch.org/releases/NEWS-1.10.0 +- Removed openvswitch-1.7.0-stp-fwd-delay.patch because of bridge compatibility support removing + +------------------------------------------------------------------- +Wed Apr 3 09:30:20 UTC 2013 - tpaszkowski@novell.com + +- %make_install macro no longer works on SLE11. Spec file now uses %makeinstall. 
+ + +------------------------------------------------------------------- +Tue Mar 26 11:21:37 UTC 2013 - speilicke@suse.com + +- Use build conditionals instead of %define and disable GUI by default + everywhere + +------------------------------------------------------------------- +Thu Mar 21 13:23:36 UTC 2013 - tpaszkowski@novell.com + +- Fix openvswitch-controller init script +- Add openflow-controller sysconfig file with default binding to ptcp: + +------------------------------------------------------------------- +Tue Mar 12 13:36:57 UTC 2013 - tpaszkowski@suse.com + +- ipsec build temporary disabled + +------------------------------------------------------------------- +Fri Mar 8 14:16:57 UTC 2013 - tpaszkowski@suse.com + +- Provides and Obsolete for former openvswitch-common package + +------------------------------------------------------------------- +Thu Mar 7 21:49:09 UTC 2013 - tpaszkowski@suse.com + +- always build in openvswitch kernel module (gre tunelling not present + within the standard kernel module) +- removed unnedded build rquirements (move to appropriate subpackage) +- moved common stuff to main pkg +- added group filed to packages and sub packages +- switch pkg suggest kernel module pkg +- moved python test stuff to python-openvswitch-test sub pkg +- moved ui interface requirements to ovsdbmonitor sub pkg +- ovsdbmonitor will not be build on sles (for now) +- sub pkg test require python-twisted (ovs-test) +- don't call boot.sh on sles11 (old autoconf). 
Shipped configuration stuff + is ok (we don't patch plenty of stuff) +- ovs-parse-backtrace now part of main pkg +- addes ovs-l3ping,ovs-vlan-test to test sub pkg + + +------------------------------------------------------------------- +Thu Feb 28 22:17:11 UTC 2013 - e.istomin@edss.ee + +- New upstream version 1.9.0 + http://openvswitch.org/releases/NEWS-1.9.0 + +------------------------------------------------------------------- +Thu Nov 15 08:59:41 UTC 2012 - rhafer@suse.com + +- New patch openvswitch-1.7.1-ovs-pki-permissions.patch: Avoid + creating world writeable directory (bnc#774332, CVE-2012-3449) + +------------------------------------------------------------------- +Sun Sep 9 15:33:08 UTC 2012 - on@morlock.nu + +- New upstream version 1.7.1 + * This release only contain bug fixes. + +------------------------------------------------------------------- +Tue Jul 31 12:41:19 UTC 2012 - on@morlock.nu + +- New upstream version 1.7.0 + * kernel modules are renamed. openvswitch_mod.ko is now + openvswitch.ko and brcompat_mod.ko is now brcompat.ko. + * Increased the number of NXM registers to 8. + * Added ability to configure DSCP setting for manager and controller + connections. By default, these connections have a DSCP value of + Internetwork Control (0xc0). + * Added the granular link health statistics, 'cfm_health', to an + interface. + * OpenFlow: + - Added support to mask nd_target for ICMPv6 neighbor discovery flows. + - Added support for OpenFlow 1.3 port description (OFPMP_PORT_DESC) + multipart messages. + * ovs-ofctl: + - Added the "dump-ports-desc" command to retrieve port + information using the new port description multipart messages. + * ovs-test: + - Added support for spawning ovs-test server from the client. + - Now ovs-test is able to automatically create test bridges and ports. + * "ovs-dpctl dump-flows" now prints observed TCP flags in TCP flows. + * Tripled flow setup performance. 
+ * The "coverage/log" command previously available through ovs-appctl + has been replaced by "coverage/show". The new command replies with + coverage counter values, instead of logging them. +- Adjusted openvswitch-1.1.0-stp-fwd-delay.patch (new filename) + +------------------------------------------------------------------- +Thu Jul 26 11:47:36 UTC 2012 - rhafer@suse.com + +- The kernel modules where renamed in recent kernels. Backported a + patch from the 1.7 branch to use the new kernel names when + building on openSUSE > 12.1. + +------------------------------------------------------------------- +Tue Jun 26 15:09:02 UTC 2012 - on@morlock.nu + +- New upstream version 1.6.1 + * Added support for bitwise matching on TCP and UDP ports. + * Support for limiting the number of flows in an OpenFlow flow + table, with configurable policy for evicting flows upon + overflow. + * Added an OpenFlow extension that allows controllers more precise + control over which messages they receive asynchronously. + * CFM module CCM broadcasts can now be tagged with an 802.1p priority. + * Load balancing for bonds can be disabled. + +------------------------------------------------------------------- +Wed Jun 6 15:04:45 UTC 2012 - on@morlock.nu + +- New upstream version 1.5.0 + * OpenFlow: + - Added support for querying, modifying, and deleting flows + based on flow cookie when using NXM. + - Added new NXM_PACKET_IN format. + * ovs-ofctl: + - Added daemonization support to the monitor and snoop commands. + * ovs-vsctl: + - The "find" command supports new set relational operators + {=}, {!=}, {<}, {>}, {<=}, and {>=}. + * ovsdb-tool now uses the typical database and schema installation + directories as defaults. + +------------------------------------------------------------------- +Thu May 10 22:32:34 UTC 2012 - on@morlock.nu + +- New upstream version 1.4.1 + * The default MAC learning timeout has been increased from 60 seconds + to 300 seconds. 
The MAC learning timeout is now configurable. + * Bug fixes + +------------------------------------------------------------------- +Thu Apr 5 10:08:32 UTC 2012 - on@morlock.nu + +- Build KMP packages from kernel-source on openSuSE > 12.1. + +------------------------------------------------------------------- +Tue Mar 13 12:16:43 UTC 2012 - mvidner@suse.com + +- Specify defattr for pki subpackage to fix 11.4 build. + +------------------------------------------------------------------- +Thu Mar 1 13:35:52 UTC 2012 - dmacvicar@suse.de + +- Rewrite the package based on the debian version instead + * current package was tied to xenserver config without + even requiring it + * instead of one big package depending even on qt4, there + are -switch, -controller, -test subpackages now + +------------------------------------------------------------------- +Mon Feb 20 23:39:50 UTC 2012 - on@morlock.nu + +- New upstream version 1.4.0 + * Compatible with Open vSwitch kernel module included in Linux 3.3. + * Don't require the "normal" action to use mirrors. + * New "VLAN splinters" feature to work around buggy device driver in old Linux versions. + * Added ability to match ECN and TTL in IPv4 and IPv6 headers. + * Added ability to match IPv6 flow label. + * Added ability to modify ECN bits and TTL in IPv4 headers. + * And many others. See the full change log here: + http://openvswitch.org/releases/NEWS-1.4.0 + +------------------------------------------------------------------- +Fri Sep 2 09:11:21 UTC 2011 - andrea@opensuse.org + +- new uopstream version 1.2.1 + * The release only contains bug fixes for the 1.2.0 release + +------------------------------------------------------------------- +Mon Aug 8 17:47:58 UTC 2011 - andrea@opensuse.org + +- new upstream version 1.2.0 + * New abstraction layer to make better use of switching ASICs + * Packaging for Red Hat (RHEL) 5.6 and 6.0 + * Datapath support for Linux kernels up to 3.0 + * And many others. 
See the full change log here: + http://openvswitch.org/releases/ChangeLog-1.2.0 +- rebased openvswitch-1.1.0-suse.patch as + openvswitch-1.2.0-suse.patch to apply to the files +------------------------------------------------------------------- +Thu Jun 23 06:49:16 UTC 2011 - andrea@opensuse.org + +- new upstream version 1.1.1 + * bug fix release + +------------------------------------------------------------------- +Wed May 18 10:09:45 UTC 2011 - andrea@opensuse.org + +- re-enabled kmp package since openvswitch_mod.ko and + brcompat_mod.ko are not available on suse kernel rpms + +------------------------------------------------------------------- +Tue May 17 12:04:05 UTC 2011 - andrea@opensuse.org + +- new upstream version 1.1.0 (stable) +- spec file clean up +- added as dependency all python modules to enable additional + functionalities +- rebase patches +- build pyside support only if pyside is available + +------------------------------------------------------------------- +Fri Dec 31 15:26:59 UTC 2010 - pmullaney@novell.com + +- updates for build issues +- fixes for libvirt integration + +------------------------------------------------------------------- +Sat Dec 11 19:57:28 UTC 2010 - pmullaney@novell.com + +- initial version 1.1 + diff --git a/openvswitch.spec b/openvswitch.spec new file mode 100644 index 0000000..6feeef4 --- /dev/null +++ b/openvswitch.spec 
@@ -0,0 +1,1351 @@
+#
+# spec file for package openvswitch
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+remain the property of their copyright owners, unless otherwise agreed
+upon. The license for this file, and modifications and additions to the
+file, is the same license as for the pristine package itself (unless the
+license for the pristine package is not an Open Source License, in which
+case the license is the MIT License). An "Open Source License" is a
+license that conforms to the Open Source Definition (Version 1.9)
+published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+# needssslcertforbuild
+
+
+%define skip_python2 1
+%define ovs_lname libopenvswitch-3_3-0
+%define ovn_lname libovn-24_03-0
+%define ovs_version 3.3.1
+%define ovn_version 24.03.3
+%define ovs_dir ovs-%{ovs_version}
+%define ovn_dir ovn-%{ovn_version}
+%define rpmstate %{_rundir}/openvswitch-rpm-state-
+%define _dpdkv 23.11.1
+%define name_tag ${nil}
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+%ifarch aarch64 x86_64 ppc64le
+%if 0%{?suse_version}
+# DPDK enabled only SUSE/openSUSE
+%bcond_without dpdk
+%else
+# DPDK disabled elsewhere even if supported by the architecture.
+%bcond_with dpdk
+%endif
+%else
+# No DPDK support on these architectures
+%bcond_with dpdk
+%endif
+# The testsuite is somewhat fragile for continuous testing in OBS
+# but keep it here as an option
+%bcond_with check
+# Disable building the external kernel datapath by default
+%bcond_with kmp
+# Disable building with AF_XDP support, specify '--without afxdp' when building
+%bcond_with afxdp
+Name: openvswitch
+Version: %{ovs_version}
+Release: 0
+Summary: A multilayer virtual network switch
+# All code is Apache-2.0 except
+# - lib/sflow* which is SISSL
+# - utilities/bugtool which is LGPL-2.1
+License: Apache-2.0 AND LGPL-2.1-only AND SISSL
+Group: Productivity/Networking/System
+URL: http://openvswitch.org/
+Source0: http://openvswitch.org/releases/openvswitch-%{version}.tar.gz
+Source1: https://github.com/ovn-org/ovn/archive/v%{ovn_version}.tar.gz#/ovn-%{ovn_version}.tar.gz
+Source2: preamble
+Source10: openvswitch-user.conf
+Source89: Module.supported.updates
+Source99: openvswitch-rpmlintrc
+# OVS patches
+# PATCH-FIX-OPENSUSE: Use-strongswan-for-openvswitch-ipsec-service.patch
+Patch0: 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
+# PATCH-FIX-OPENSUSE: 0001-Run-openvswitch-as-openvswitch-openvswitch.patch
+Patch1: 0001-Run-openvswitch-as-openvswitch-openvswitch.patch
+# PATCH-FIX-OPENSUSE: 0001-Don-t-change-permissions-of-dev-hugepages.patch
+Patch2: 0001-Don-t-change-permissions-of-dev-hugepages.patch
+# PATCH-FIX-OPENSUSE: 0001-Use-double-hash-for-OVS_USER_ID-comment.patch
+Patch3: 0001-Use-double-hash-for-OVS_USER_ID-comment.patch
+# PATCH-FEATURE-UPSTREAM install-ovsdb-tools.patch -- Install some tools required for building OVN
+Patch4: install-ovsdb-tools.patch
+#OVN patches
+# PATCH-FIX-OPENSUSE: 0001-Run-ovn-as-openvswitch-openvswitch.patch
+Patch20: 0001-Run-ovn-as-openvswitch-openvswitch.patch
+BuildRequires: autoconf
+BuildRequires: %{python_module setuptools}
+BuildRequires: automake
+BuildRequires: fdupes
+BuildRequires: graphviz
+BuildRequires: libtool
+BuildRequires: make
+BuildRequires: pkgconfig
+BuildRequires: python3
+BuildRequires: python3-Sphinx
+BuildRequires: python3-devel
+BuildRequires: unbound-devel
+BuildRequires: pkgconfig(libcap-ng)
+BuildRequires: pkgconfig(openssl)
+Requires: modutils
+# ovs-ctl / ovs-pki use /usr/bin/uuidgen:
+Requires: util-linux
+Provides: openvswitch-common = %{version}
+Obsoletes: openvswitch-common < 2.7.0
+Provides: openvswitch-controller = %{version}
+Obsoletes: openvswitch-controller < 2.7.0
+# openvswitch-switch has been merged to the main package
+# so we need to provide a migration path
+Provides: %{name}-dpdk = %{version}
+Provides: %{name}-dpdk-switch = %{version}
+Provides: %{name}-switch = %{version}
+Obsoletes: %{name}-dpdk < 2.7.0
+Obsoletes: %{name}-dpdk-switch < 2.7.0
+Obsoletes: %{name}-switch < 2.7.0
+%if 0%{?suse_version}
+BuildRequires: libopenssl-devel
+BuildRequires: python-rpm-macros
+BuildRequires: sysuser-tools
+Requires(post): %fillup_prereq
+Requires(pre): shadow
+Suggests: logrotate
+%{?systemd_ordering}
+%sysusers_requires
+%else
+BuildRequires: environment-modules
+BuildRequires: openssl-devel
+BuildRequires: python3-rpm-macros
+BuildRequires: systemd-units
+Requires(post): systemd-units
+Requires(postun): systemd-units
+Requires(pre): shadow-utils
+Requires(preun): systemd-units
+%endif
+# Needed by the testsuite
+%if %{with check}
+BuildRequires: procps
+%endif
+%if %{with kmp}
+Suggests: openvswitch-kmp
+%endif
+%if %{with dpdk}
+# We need to be a bit strict with the dpdk version since
+# it's very possible for DPDK to change it's API between
+# releases.
+BuildRequires: dpdk-devel >= %{_dpdkv}
+BuildRequires: libmnl-devel
+BuildRequires: libnuma-devel
+BuildRequires: libpcap-devel
+BuildRequires: rdma-core-devel
+%endif
+
+%description
+Open vSwitch is a multilayer virtual network Ethernet switch. It is
+enables network automation through programmatic extension, and
+supports standard management interfaces and protocols (e.g. NetFlow,
+sFlow, RSPAN, ERSPAN, CLI, LACP, 802.1ag). In addition, it supports
+distribution across multiple physical servers similar to VMware’s
+vNetwork distributed vswitch or Cisco’s Nexus 1000V.
+
+%if %{with kmp}
+%package kmp
+Summary: Open vSwitch kernel modules
+License: GPL-2.0-or-later
+Group: System/Kernel
+BuildRequires: %{kernel_module_package_buildreqs}
+%suse_kernel_module_package -p %{_sourcedir}/preamble ec2 xenpae vmi um
+
+%description kmp
+Kernel modules supporting the openvswitch datapath.
+%endif
+
+%package -n %{ovs_lname}
+Summary: Open vSwitch core libraries
+License: Apache-2.0
+Group: System/Libraries
+%if %{with dpdk}
+Requires: dpdk >= %{_dpdkv}
+Requires: libdpdk-24 >= %{_dpdkv}
+%endif
+
+%description -n %{ovs_lname}
+Contains the shared libraries used by Open vSwitch and any eventual extensions.
+
+%package doc
+Summary: Open vSwitch Documentation
+License: Apache-2.0
+Group: System/Libraries
+BuildArch: noarch
+
+%description doc
+Contains additional documentation for the Open vSwitch.
+
+%package devel
+Summary: Development files for Open vSwitch
+License: Apache-2.0
+Group: Development/Libraries/C and C++
+Requires: %{ovs_lname} = %{version}
+# Required for ovsdb-ildc
+Requires: python3-ovs = %{version}
+Provides: %{name}-dpdk-devel = %{version}
+Obsoletes: %{name}-dpdk-devel < 2.7.0
+
+%description devel
+Devel libraries and headers for Open vSwitch.
+
+%package pki
+Summary: Open vSwitch public key infrastructure dependency package
+License: Apache-2.0
+Group: Productivity/Networking/System
+Requires: %{name} = %{version}
+Requires: openssl(cli)
+Provides: %{name}-dpdk-pki = %{version}
+Obsoletes: %{name}-dpdk-pki < 2.7.0
+
+%description pki
+openvswitch-pki provides PKI (public key infrastructure) support for
+Open vSwitch switches and controllers, reducing the risk of
+man-in-the-middle attacks on the Open vSwitch network infrastructure.
+
+Open vSwitch is a full-featured software-based Ethernet switch.
+
+%package vtep
+Summary: Open vSwitch VTEP emulator
+License: Apache-2.0
+Group: Productivity/Networking/System
+Requires: %{name} = %{version}
+Requires: %{name}-switch = %{version}
+# Since openvswitch/scripts/ovs-vtep requires various ovs python modules.
+Requires: python3-ovs = %{version}
+Provides: %{name}-dpdk-vtep = %{version}
+Obsoletes: %{name}-dpdk-vtep < 2.7.0
+
+%description vtep
+A VTEP (VXLAN Tunnel EndPoint) emulator that uses Open vSwitch for
+forwarding.
+
+Open vSwitch is a full-featured software-based Ethernet switch.
+
+%package ipsec
+Summary: Open vSwitch IPsec tunneling support
+License: Apache-2.0
+Group: Productivity/Networking/System
+Requires: %{name} = %{version}
+Requires: python3-ovs = %{version}
+Requires: strongswan
+
+%description ipsec
+This package provides IPsec tunneling support for OVS tunnels.
+
+%package -n python3-ovs
+Summary: Python3 bindings for Open vSwitch
+License: Apache-2.0
+Group: Productivity/Networking/System
+Requires: %{ovs_lname} = %{version}
+Requires: python3
+Requires: python3-sortedcontainers
+Provides: python3-%{name} = %{version}
+Obsoletes: python3-%{name} < 2.10.1
+
+%description -n python3-ovs
+This package contains the Python3 bindings for Open vSwitch database.
+
+%package test
+Summary: Open vSwitch test package
+License: Apache-2.0
+Group: Productivity/Networking/System
+Requires: %{name} = %{version}
+Requires: python3
+Requires: python3-Twisted
+Requires: python3-ovs = %{version}
+Provides: python3-%{name}-test = %{version}
+Obsoletes: python3-%{name}-test < 2.13.0
+
+%description test
+Open vSwitch is a software-based Ethernet switch.
+
+This package contains utilities that are useful to diagnose
+performance and connectivity issues in Open vSwitch setup.
+
+%package -n ovn
+Version: %{ovn_version}
+Release: 0
+Summary: Open Virtual Network diagnostic utilities
+License: Apache-2.0
+Group: Productivity/Networking/System
+URL: http://ovn.org/
+Requires: %{name} = %{ovs_version}
+# openvswitch-ovn has been split into openvswitch-ovn-{central,common,docker,host,vtep}
+Provides: %{name}-dpdk-ovn = %{ovn_version}
+Provides: %{name}-ovn = %{ovn_version}
+Provides: %{name}-ovn-common = %{ovn_version}
+Obsoletes: %{name}-dpdk-ovn < 2.7.0
+Obsoletes: %{name}-ovn < 2.7.0
+Obsoletes: %{name}-ovn-common < 2.13.0
+%if 0%{?suse_version}
+Suggests: logrotate
+%endif
+
+%description -n ovn
+OVN, the Open Virtual Network, is a system to support virtual network
+abstraction. OVN complements the existing capabilities of OVS to add
+native support for virtual network abstractions, such as virtual L2 and L3
+overlays and security groups.
+
+%package -n ovn-central
+Version: %{ovn_version}
+Release: 0
+Summary: Open Virtual Network support for Open vSwitch
+License: Apache-2.0
+Group: Productivity/Networking/System
+URL: http://ovn.org/
+Requires: %{name} = %{ovs_version}
+Requires: ovn = %{ovn_version}
+# openvswitch-ovn has been split into openvswitch-ovn-{central,common,docker,host,vtep}
+Provides: %{name}-dpdk-ovn:%{_bindir}/ovn-northd
+Provides: %{name}-ovn-central = %{ovn_version}
+Provides: %{name}-ovn:%{_bindir}/ovn-northd
+Obsoletes: %{name}-ovn-central < 2.13.0
+
+%description -n ovn-central
+This subpackage contains the OVN database and northbound daemon.
+
+%package -n ovn-host
+Version: %{ovn_version}
+Release: 0
+Summary: Open Virtual Network support for Open vSwitch
+License: Apache-2.0
+Group: Productivity/Networking/System
+URL: http://ovn.org/
+Requires: %{name} = %{ovs_version}
+Requires: ovn = %{ovn_version}
+# openvswitch-ovn has been split into openvswitch-ovn-{central,common,docker,host,vtep}
+Provides: %{name}-dpdk-ovn:%{_bindir}/ovn-controller
+Provides: %{name}-ovn-host = %{ovn_version}
+Provides: %{name}-ovn:%{_bindir}/ovn-controller
+Obsoletes: %{name}-ovn-host < 2.13.0
+
+%description -n ovn-host
+This subpackage contains the OVN host controller.
+
+%package -n ovn-vtep
+Version: %{ovn_version}
+Release: 0
+Summary: Open Virtual Network VTEP controller for Open vSwitch
+License: Apache-2.0
+Group: Productivity/Networking/System
+URL: http://ovn.org/
+Requires: %{name} = %{ovs_version}
+Requires: ovn = %{ovn_version}
+# openvswitch-ovn has been split into openvswitch-ovn-{central,common,docker,host,vtep}
+Provides: %{name}-dpdk-ovn:%{_bindir}/ovn-controller-vtep
+Provides: %{name}-ovn-vtep = %{ovn_version}
+Provides: %{name}-ovn:%{_bindir}/ovn-controller-vtep
+Obsoletes: %{name}-ovn-vtep < 2.13.0
+
+%description -n ovn-vtep
+This subpackage contains the OVN VTEP (VXLAN Tunnel Endpoint) controller.
+
+%package -n ovn-docker
+Version: %{ovn_version}
+Release: 0
+Summary: Docker network plugins for OVN
+License: Apache-2.0
+Group: Productivity/Networking/System
+URL: http://ovn.org/
+Requires: %{name} = %{ovs_version}
+Requires: ovn = %{ovn_version}
+Requires: python3-openvswitch = %{ovs_version}
+# openvswitch-ovn has been split into openvswitch-ovn-{central,common,docker,host,vtep}
+Provides: %{name}-dpdk-ovn:%{_bindir}/ovn-docker-overlay-driver
+Provides: %{name}-ovn-docker = %{ovn_version}
+Provides: %{name}-ovn:%{_bindir}/ovn-docker-overlay-driver
+Obsoletes: %{name}-ovn-docker < 2.13.0
+
+%description -n ovn-docker
+This subpackage contains the OVN Docker network plugins.
+
+%package -n ovn-doc
+Version: %{ovn_version}
+Release: 0
+Summary: Open Virtual Network Documentation
+License: Apache-2.0
+Group: System/Libraries
+BuildArch: noarch
+
+%description -n ovn-doc
+Contains additional documentation for OVN.
+
+%package -n %{ovn_lname}
+Version: %{ovn_version}
+Release: 0
+Summary: Open Virtual Network core libraries
+License: Apache-2.0
+Group: System/Libraries
+
+%description -n %{ovn_lname}
+This subpackage contains the OVN shared libraries.
+
+%package -n ovn-devel
+Version: %{ovn_version}
+Release: 0
+Summary: Development files for Open Virtual Network
+License: Apache-2.0
+Group: Development/Libraries/C and C++
+Requires: %{ovn_lname} = %{ovn_version}
+# ovn-devel was split form openvswitch-devel
+Provides: %{name}-devel:%{_includedir}/ovn
+
+%description -n ovn-devel
+Devel libraries and headers for Open Virtual Network.
+
+%prep
+%setup -q -n %{name}-%{ovs_version} -a 1
+%patch -P 0 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
+%patch -P 4 -p1
+# remove python/ovs/dirs.py - this is generated from template to have proper paths
+rm python/ovs/dirs.py
+cd %{ovn_dir}
+%patch -P 20 -p1
+
+%build
+mkdir %ovs_dir
+# We build both OVS and OVN. OVN is already on its own subdir ovn_dir.
+# Move OVS sources to ovs_dir
+find $PWD -maxdepth 1 ! -path $PWD ! -name %ovs_dir -a ! -name %ovn_dir -exec mv -t %ovs_dir {} +
+
+# Init OVS config.
+pushd %ovs_dir
+# only call boot.sh for distros with autoconf >= 2.64
+bash -x boot.sh
+popd
+
+# Build kernel modules if needed.
+%if %{with kmp}
+ mkdir kmp
+ export EXTRA_CFLAGS='-DVERSION=\"%{ovs_version}\"'
+ for flavor in %{flavors_to_build}; do
+ rm -rf kmp/$flavor
+ cp -r %ovs_dir kmp/$flavor
+ cp -a %{SOURCE89} kmp/$flavor/datapath/linux/Module.supported
+ pushd kmp/$flavor
+ %configure \
+ --with-logdir=%{_localstatedir}/log/openvswitch \
+ --with-rundir=%{_rundir}/openvswitch \
+ --with-linux=%{_prefix}/src/linux-obj/%{_target_cpu}/$flavor \
+ --with-linux-source=%{_prefix}/src/linux
+ cd datapath/linux
+ make %{?_smp_mflags}
+ popd
+ done
+%endif
+
+# Build OVS.
+pushd %ovs_dir
+
+# This currently has no effect as the @dpdk section has been patched out of the
+# service file. Run it anyway, in case a new section that we need appears over
+# time.
+python3 build-aux/dpdkstrip.py \
+%if %{with dpdk}
+ --dpdk \
+%else
+ --nodpdk \
+%endif
+ < rhel/usr_lib_systemd_system_ovs-vswitchd.service.in \
+ > rhel/usr_lib_systemd_system_ovs-vswitchd.service
+
+%configure \
+ --disable-static \
+ --enable-shared \
+ --enable-libcapng \
+ --enable-ssl \
+%if %{with dpdk}
+ --with-dpdk=shared \
+%endif
+%if %{with afxdp}
+ --enable-afxdp \
+%else
+ --disable-afxdp \
+%endif
+ --with-dbdir=%{_sharedstatedir}/openvswitch \
+ --with-rundir=%{_rundir}/openvswitch \
+ --with-logdir=%{_localstatedir}/log/openvswitch \
+ --with-pkidir=%{_sharedstatedir}/openvswitch/pki \
+ PYTHON3=%{_bindir}/python3
+%make_build
+popd
+
+# Build OVN.
+pushd %ovn_dir
+
+bash -x boot.sh
+%configure \
+ --with-ovs-source=../%{ovs_dir} \
+ --disable-static \
+ --enable-shared \
+ --enable-libcapng \
+ --enable-ssl \
+ --with-dbdir=%{_sharedstatedir}/ovn \
+ --with-rundir=%{_rundir}/ovn \
+ --with-logdir=%{_localstatedir}/log/ovn \
+ --with-pkidir=%{_sharedstatedir}/openvswitch/pki \
+ PYTHON3=%{_bindir}/python3 \
+ LDFLAGS=-L../%{ovs_dir}/lib/.libs
+%make_build
+popd
+%sysusers_generate_pre %{SOURCE10} openvswitch openvswitch.conf
+
+%check
+%if %{with check}
+touch resolv.conf
+export OVS_RESOLV_CONF=$(pwd)/resolv.conf
+mv python/build python/pb
+ln -s _build.tmp python/build
+
+pushd %ovs_dir
+# Recheck tests before we declare them broken. If that fails, dump
+# the log and exit. >2.5.0 uses the RECHECK env variable so this
+# needs to be taken into consideration for future releases.
+if ! make check TESTSUITEFLAGS="%{?_smp_mflags}" &&
+ ! make check RECHECK=yes; then
+ cat tests/testsuite.log
+ exit 1
+fi
+popd
+
+pushd $ovn_dir
+if ! make check TESTSUITEFLAGS="%{?_smp_mflags}" &&
+ ! make check RECHECK=yes; then
+ cat tests/testsuite.log
+ exit 1
+fi
+popd
+%endif
+
+%install
+
+# Intall kernel modules.
+%if %{with kmp}
+export NO_BRP_STALE_LINK_ERROR=yes
+export INSTALL_MOD_PATH=%{buildroot}
+export INSTALL_MOD_DIR=updates
+export BRP_PESIGN_FILES="*.ko /lib/firmware"
+for flavor in %{flavors_to_build}; do
+ pushd kmp/$flavor/datapath/linux
+ make -C %{_prefix}/src/linux-obj/%{_target_cpu}/$flavor modules_install M=$PWD
+ popd
+done
+%endif
+
+# Install OVS dist files on temp buildroot.
+mkdir -p buildroot/ovs
+pushd %ovs_dir
+%make_install DESTDIR=$(pwd)/../buildroot/ovs
+popd
+
+# Clean up OVS files
+rm -f buildroot/ovs%{_libdir}/*.a
+rm -f buildroot/ovs%{_libdir}/*.la
+
+# Install OVN dist files on temp build root.
+mkdir -p buildroot/ovn
+pushd %ovn_dir
+%make_install DESTDIR=$(pwd)/../buildroot/ovn
+popd
+
+# Clean up OVN files
+rm -f buildroot/ovn%{_datadir}/ovn/scripts/ovs*
+rm -rf buildroot/ovn%{_datadir}/ovn/bugtool-plugins
+rm -f buildroot/ovn%{_libdir}/*.a
+rm -f buildroot/ovn%{_libdir}/*.la
+
+# Remove known OVS dupes from OVN.
+rm -f buildroot/ovn%{_mandir}/man5/ovs*
+rm -f buildroot/ovn%{_mandir}/man7/ovs*
+
+# Verify no duplicates and move dist files to real buildroot
+dupes=$(find buildroot -mindepth 2 -type f -printf '%p\n' | cut -d'/' -f3- | sort | uniq -c | grep -Ev "^ *1 " || true)
+[ -n "$dupes" ] && exit 1
+cp -an buildroot/ovn/* %{buildroot}/
+cp -an buildroot/ovs/* %{buildroot}/
+
+# Install OVS additional files
+pushd %ovs_dir
+
+# Install extra headers not included with 'make install'
+copy_headers() {
+ src=$1
+ dst=%{buildroot}/$2
+ install -d -m 0755 $dst
+ install -m 0644 $src/*.h $dst
+}
+copy_headers include/sparse %{_includedir}/openvswitch/sparse
+copy_headers include/sparse/arpa %{_includedir}/openvswitch/sparse/arpa
+copy_headers include/sparse/netinet %{_includedir}/openvswitch/sparse/netinet
+copy_headers include/sparse/sys %{_includedir}/openvswitch/sparse/sys
+copy_headers lib %{_includedir}/openvswitch/lib
+
+for service in openvswitch \
+ ovsdb-server \
+ ovs-vswitchd \
+ ovs-delete-transient-ports \
+ openvswitch-ipsec; do
+ install -D -m 644 rhel/usr_lib_systemd_system_${service}.service \
+ %{buildroot}%{_unitdir}/${service}.service
+ ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc${service}
+done
+
+# This changes group ownership of any vfio device to 'hugetlbfs' through udev.
+# That's probably not the most appropriate name for such a group and also
+# should probably be coordinated system wide.
+#%%if %%{with dpdk}
+# install -p -D -m 0644 rhel/usr_lib_udev_rules.d_91-vfio.rules \
+# %%{buildroot}%%{_prefix}/lib/udev/rules.d/91-vfio.rules
+#%%endif
+
+%if 0%{?suse_version}
+install -D -m 644 rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \
+ %{buildroot}%{_fillupdir}/sysconfig.openvswitch
+
+# Fix installation path
+mkdir -p %{buildroot}/%{_datadir}/bash-completion/completions/
+mv %{buildroot}/%{_sysconfdir}/bash_completion.d/ovs-* %{buildroot}/%{_datadir}/bash-completion/completions/
+chmod 0644 %{buildroot}/%{_datadir}/bash-completion/completions/*
+
+# fixing W: # interpreter
+find %{buildroot}/%{_datadir}/openvswitch/scripts/ -name "*.py" -exec sed -i 's|env python|python|' \{\} +
+
+%else
+install -D -m 644 rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \
+ %{buildroot}%{_sysconfdir}/sysconfig/openvswitch
+install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig/network-scripts/
+install -p -m 0755 rhel/etc_sysconfig_network-scripts_ifdown-ovs \
+ %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs
+install -p -m 0755 rhel/etc_sysconfig_network-scripts_ifup-ovs \
+ %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifup-ovs
+%endif
+
+install -d -m 0755 %{buildroot}/%{_rundir}/openvswitch
+install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
+install -d -m 0755 %{buildroot}%{_localstatedir}/log/openvswitch
+
+install -p -D -m 0644 rhel/etc_openvswitch_default.conf \
+ %{buildroot}/%{_sysconfdir}/openvswitch/default.conf
+install -m 644 rhel/etc_logrotate.d_openvswitch \
+ %{buildroot}%{_sysconfdir}/logrotate.d/openvswitch
+
+install -m 644 vswitchd/vswitch.ovsschema \
+ %{buildroot}%{_datadir}/openvswitch/vswitch.ovsschema
+
+# Copy documentation.
+mkdir -p %{buildroot}%{_docdir}/%{name}
+cp -r Documentation/* %{buildroot}%{_docdir}/%{name}
+rm -rf %{buildroot}%{_docdir}/%{name}/_build
+rm %{buildroot}%{_docdir}/%{name}/automake.mk
+rm %{buildroot}%{_docdir}/%{name}/conf.py
+popd
+
+# Tests
+mkdir -p %{buildroot}%{python3_sitelib}
+cp -a %{buildroot}%{_datadir}/openvswitch/python/ovstest \
+ %{buildroot}%{python3_sitelib}
+
+# Python subpackage
+# Build on a temporary directory.
+mkdir python3-ovs && pushd $_
+# Some build files are in sources while others are generated directly on
+# buildroot as part of make_install (dirs.py). Copy them first.
+cp -an ../%{ovs_dir}/python/* $(pwd)/
+rm -rf %{buildroot}%{_datadir}/openvswitch/python
+export LDFLAGS="${LDFLAGS} -L %{buildroot}%{_libdir}"
+export CPPFLAGS="-I ../../include"
+
+%if 0%{?suse_version}
+# SLES
+%{python3_build}
+%{python3_install}
+%else
+# RHEL
+%py3_build
+%py3_install
+%endif
+
+# Done with OVS additional files.
+popd
+
+%python_expand %fdupes %{buildroot}%{$python_sitearch}
+# Install OVN aditional files.
+pushd %ovn_dir
+
+for service in ovn-controller \
+ ovn-controller-vtep \
+ ovn-northd; do
+ install -D -m 644 rhel/usr_lib_systemd_system_${service}.service \
+ %{buildroot}%{_unitdir}/${service}.service
+ ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc${service}
+done
+
+%if 0%{?suse_version}
+install -D -m 644 rhel/usr_share_ovn_scripts_systemd_sysconfig.template \
+ %{buildroot}%{_fillupdir}/sysconfig.ovn
+%else
+install -D -m 644 rhel/usr_share_ovn_scripts_systemd_sysconfig.template \
+ %{buildroot}%{_sysconfdir}/sysconfig/ovn
+%endif
+
+# firewalld
+install -d %{buildroot}%{_prefix}/lib/firewalld/services/
+install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \
+ %{buildroot}%{_prefix}/lib/firewalld/services/ovn-central-firewall-service.xml
+install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \
+ %{buildroot}%{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml
+
+install -p -D -m 0644 rhel/etc_logrotate.d_ovn \
+ %{buildroot}%{_sysconfdir}/logrotate.d/ovn
+install -d -m 0755 %{buildroot}%{_localstatedir}/log/ovn
+
+# Copy documentation.
+mkdir -p %{buildroot}%{_docdir}/ovn
+cp -r Documentation/* %{buildroot}%{_docdir}/ovn
+rm -rf %{buildroot}%{_docdir}/ovn/_build
+rm %{buildroot}%{_docdir}/ovn/automake.mk
+rm %{buildroot}%{_docdir}/ovn/conf.py
+
+# Done with OVN additional files.
+popd
+
+install -D -m 0644 %{SOURCE10} %{buildroot}%{_sysusersdir}/openvswitch.conf
+
+%if %{suse_version} >= 1600
+%python3_fix_shebang_path %{buildroot}%{_datadir}/%{name}/ovsdb/*
+%python3_fix_shebang_path %{buildroot}%{_datadir}/%{name}/scripts/*
+%python3_fix_shebang_path %{buildroot}%{_datadir}/%{name}/scripts/usdt/*
+%python3_fix_shebang_path %{buildroot}%{_datadir}/%{name}/scripts/ovsdb/*
+%endif
+
+%pre -f openvswitch.pre
+%if 0%{?suse_version}
+ %service_add_pre ovsdb-server.service ovs-vswitchd.service openvswitch.service ovs-delete-transient-ports.service
+%endif
+if [ "$1" -ge 1 ]; then
+ # Save the "enabled" state across the transition of
+ # ownership of openvswitch.service from openvswitch-switch to
+ # openvswitch.
+ if [ x$(systemctl is-enabled openvswitch.service 2>/dev/null ||:) = "xenabled" ]; then
+ touch %{rpmstate}openvswitch || :
+ fi
+fi
+
+%pre ipsec
+%if 0%{?suse_version}
+ %service_add_pre openvswitch-ipsec.service
+%endif
+
+%preun
+%if 0%{?suse_version}
+ %service_del_preun ovsdb-server.service ovs-vswitchd.service openvswitch.service ovs-delete-transient-ports.service
+%else
+ %if 0%{?systemd_preun:1}
+ %systemd_preun %{name}.service
+ %else
+ # Package install, not upgrade
+ if [ $1 -eq 0 ]; then
+ /bin/systemctl --no-reload disable %{name}.service >/dev/null 2>&1 || :
+ /bin/systemctl stop %{name}.service >/dev/null 2>&1 || :
+ fi
+ %endif
+%endif
+
+%preun ipsec
+%if 0%{?suse_version}
+ %service_del_preun openvswitch-ipsec.service
+%endif
+
+%preun test
+%if 0%{?suse_version}
+ %service_del_preun openvswitch-testcontroller
+%else
+ %if 0%{?systemd_post:1}
+ %systemd_preun openvswitch-testcontroller.service
+ %else
+ # Package install, not upgrade
+ if [ $1 -eq 0 ]; then
+ /bin/systemctl --no-reload disable openvswitch-testcontroller.service >/dev/null 2>&1 || :
+ /bin/systemctl stop openvswitch-testcontroller.service >/dev/null 2>&1 || :
+ fi
+ %endif
+%endif
+
+%post
+if [ $1 -eq 1 ]; then
+ # Follow the upstream strategy that no running openvswitch
+ # configuration is changed on upgrade so use fillup only for new installs.
+ %{?suse_version: %fillup_only -n openvswitch}
+fi
+
+%if 0%{?suse_version}
+ %service_add_post ovsdb-server.service ovs-vswitchd.service openvswitch.service ovs-delete-transient-ports.service
+%else
+ %if 0%{?systemd_post:1}
+ %systemd_post openvswitch.service
+ %else
+ # Package install, not upgrade
+ if [ $1 -eq 1 ]; then
+ /bin/systemctl daemon-reload >dev/null || :
+ fi
+ %endif
+%endif
+
+%post ipsec
+%if 0%{?suse_version}
+ %service_add_post openvswitch-ipsec.service
+%endif
+
+%post -n %{ovs_lname} -p /sbin/ldconfig
+
+%postun
+# Do not restart the openvswitch service on package updates.
+# Restarting the service may break the existing network state.
+# For example, openflow rules are not automatically re-installed
+# after an OvS update if no SDN controller is used. Moreover, restaring
+# the OvS can break remote administration during the update so let the
+# admin decide when it's the best time for an OvS restart.
+# 5771f476573445710834234a6a9f7bd999a027e7 ("fedora: do not restart the service on a pkg upgrade")
+%if 0%{?suse_version}
+ %service_del_postun_without_restart ovsdb-server.service ovs-vswitchd.service openvswitch.service ovs-delete-transient-ports.service
+%else
+ %if 0%{?systemd_postun:1}
+ %systemd_postun openvswitch.service
+ %else
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ %endif
+%endif
+
+%postun ipsec
+%if 0%{?suse_version}
+ %service_del_postun_without_restart openvswitch-ipsec.service
+%endif
+
+%postun test
+%if 0%{?suse_version}
+ %service_del_postun_without_restart openvswitch-testcontroller
+%else
+ %if 0%{?systemd_postun:1}
+ %systemd_postun openvswitch-testcontroller.service
+ %else
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ %endif
+%endif
+
+%postun -n %{ovs_lname} -p /sbin/ldconfig
+
+%posttrans
+# Save the "enabled" state across the transition of ownership
+# of openvswitch.service from openvswitch-switch to
+# openvswitch.
+if [ -e %{rpmstate}openvswitch ]; then
+ rm -f %{rpmstate}openvswitch
+ systemctl enable openvswitch.service
+fi
+
+ovsdbdir_regex="^[[:space:]]*OVS_DBDIR[[:space:]]*="
+ovsuserid_regex="^[[:space:]]*OVS_USER_ID[[:space:]]*="
+ovsvar_valueregex="[^=]*=[[:space:]]*["'"'"']{0,1}([^"'"'"']*)["'"'"']{0,1}[[:space:]]*$"
+conf="%{_sysconfdir}/sysconfig/openvswitch"
+ovsdbdir=$(grep -E "${ovsdbdir_regex}" "${conf}" | tail -1 | sed -E --posix 's|'"${ovsvar_valueregex}"'|\1|')
+ovsuserid=$(grep -E "${ovsuserid_regex}" "${conf}" | tail -1 | sed -E --posix 's|'"${ovsvar_valueregex}"'|\1|')
+
+# Default DB path changed from /etc/openvswitch to /var/lib/openvswitch.
+# But try to keep the old path for upgraded users already making use of it.
+if [ -z "$ovsdbdir" ]; then
+ ovsdbpid=$(systemctl is-active --quiet ovsdb-server && systemctl show -p MainPID --value ovsdb-server || echo 0)
+ if [ $ovsdbpid -gt 0 ] && [ -n "$(find /proc/$ovsdbpid/fd/ -type l -lname '%{_sysconfdir}/openvswitch/conf.db')" ]; then
+ # We have ovsdb-server pid from the unit file with DB open at the old path.
+ ovsdbdir="%{_sysconfdir}/openvswitch"
+ sed -i -e '1{r /dev/stdin' -e 'N}' "%{_sysconfdir}/sysconfig/openvswitch" << EOF
+
+# OVS_DBDIR was automatically inserted here on openvswitch package upgrade to
+# preserve the currently used /etc/openvswitch as the database directory.
+# Note that new installs use /var/lib/openvswitch as the default database
+# directory by omission.
+OVS_DBDIR="%{_sysconfdir}/openvswitch"
+
+EOF
+ fi
+fi
+
+# Default OVS user changed from root:root to openvswitch:openvswitch.
+# But try to keep root:root for upgraded users already making use of it.
+# Use .conf.db.~lock~ instead of conf.db as conf.db might have been moved
+# to a backup on a previous run attempt.
+if [ -z "$ovsuserid" -a -n "$ovsdbdir" -a -f "$ovsdbdir/.conf.db.~lock~" ]; then
+ ovsuserid=$(stat -c "%{U}:%G" "$ovsdbdir/.conf.db.~lock~")
+ if [ "$ovsuserid" = "root:root" ]; then
+ sed -i -e '1{r /dev/stdin' -e 'N}' "%{_sysconfdir}/sysconfig/openvswitch" << EOF
+
+# OVS_USER_ID was automatically inserted here on openvswitch package upgrade to
+# preserve the currently used root:root as the openvswitch running credentials.
+# Note that new installs use openvswitch:openvswitch as the default openvswitch
+# running credentials by omission.
+OVS_USER_ID="root:root"
+
+EOF
+ fi
+fi
+
+%pre -n ovn-central
+%if 0%{?suse_version}
+%service_add_pre ovn-northd.service
+%endif
+# Save the "enabled" state across the transition of
+# ownership of ovn-northd.service from openvswitch-ovn-central to
+# ovn-central.
+if [ "$1" -ge 1 ]; then
+ if [ x$(systemctl is-enabled ovn-northd.service 2>/dev/null ||:) = "xenabled" ]; then
+ touch %{rpmstate}ovn-northd
+ fi
+fi
+
+%pre -n ovn-host
+%if 0%{?suse_version}
+%service_add_pre ovn-controller.service
+%endif
+# Save the "enabled" state across the transition of
+# ownership of ovn-controller.service from openvswitch-ovn-host to
+# ovn-host.
+if [ "$1" -ge 1 ]; then
+ if [ x$(systemctl is-enabled ovn-controller.service 2>/dev/null ||:) = "xenabled" ]; then
+ touch %{rpmstate}ovn-controller
+ fi
+fi
+
+%pre -n ovn-vtep
+%if 0%{?suse_version}
+%service_add_pre ovn-controller-vtep.service
+%endif
+# Save the "enabled" state across the transition of
+# ownership of ovn-controller-vtep.service from openvswitch-ovn-vtep to
+# ovn-vtep.
+if [ "$1" -ge 1 ]; then
+ if [ x$(systemctl is-enabled ovn-controller-vtep.service 2>/dev/null ||:) = "xenabled" ]; then
+ touch %{rpmstate}ovn-controller-vtep
+ fi
+fi
+
+%preun -n ovn-central
+%if 0%{?suse_version}
+ %service_del_preun ovn-northd.service
+%else
+ %if 0%{?systemd_preun:1}
+ %systemd_preun ovn-northd.service
+ %else
+ # Package install, not upgrade
+ if [ $1 -eq 0 ]; then
+ /bin/systemctl --no-reload disable ovn-northd.service >/dev/null 2>&1 || :
+ /bin/systemctl stop ovn-northd.service >/dev/null 2>&1 || :
+ fi
+ %endif
+%endif
+
+%preun -n ovn-host
+%if 0%{?suse_version}
+ %service_del_preun ovn-controller.service
+%else
+ %if 0%{?systemd_preun:1}
+ %systemd_preun ovn-controller.service
+ %else
+ # Package install, not upgrade
+ if [ $1 -eq 0 ]; then
+ /bin/systemctl --no-reload disable ovn-controller.service >/dev/null 2>&1 || :
+ /bin/systemctl stop ovn-controller.service >/dev/null 2>&1 || :
+ fi
+ %endif
+%endif
+
+%preun -n ovn-vtep
+%if 0%{?suse_version}
+ %service_del_preun ovn-controller-vtep.service
+%else
+ %if 0%{?systemd_preun:1}
+ %systemd_preun ovn-controller-vtep.service
+ %else
+ # Package install, not upgrade
+ if [ $1 -eq 0 ]; then
+ /bin/systemctl --no-reload disable ovn-controller-vtep.service >/dev/null 2>&1 || :
+ /bin/systemctl stop ovn-controller-vtep.service >/dev/null 2>&1 || :
+ fi
+ %endif
+%endif
+
+%post -n ovn
+if [ $1 -eq 1 ]; then
+ # Follow the upstream strategy that no running openvswitch
+ # configuration is changed on upgrade so use fillup only for new installs.
+ %{?suse_version: %fillup_only -n ovn}
+fi
+
+%post -n ovn-central
+%if 0%{?suse_version}
+ %service_add_post ovn-northd.service
+%else
+ %if 0%{?systemd_post:1}
+ %systemd_post ovn-northd.service
+ %else
+ # Package install, not upgrade
+ if [ $1 -eq 1 ]; then
+ /bin/systemctl daemon-reload >dev/null || :
+ fi
+ %endif
+%endif
+
+%post -n ovn-host
+%if 0%{?suse_version}
+ %service_add_post ovn-controller.service
+%else
+ %if 0%{?systemd_post:1}
+ %systemd_post ovn-controller.service
+ %else
+ # Package install, not upgrade
+ if [ $1 -eq 1 ]; then
+ /bin/systemctl daemon-reload >dev/null || :
+ fi
+ %endif
+%endif
+
+%post -n ovn-vtep
+%if 0%{?suse_version}
+ %service_add_post ovn-controller-vtep.service
+%else
+ %if 0%{?systemd_post:1}
+ %systemd_post ovn-controller-vtep.service
+ %else
+ # Package install, not upgrade
+ if [ $1 -eq 1 ]; then
+ /bin/systemctl daemon-reload >dev/null || :
+ fi
+ %endif
+%endif
+
+%post -n %{ovn_lname} -p /sbin/ldconfig
+
+%postun -n ovn-central
+%if 0%{?suse_version}
+ %service_del_postun_without_restart ovn-northd.service
+%else
+ %if 0%{?systemd_postun:1}
+ %systemd_postun ovn-northd.service
+ %else
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ %endif
+%endif
+
+%postun -n ovn-host
+%if 0%{?suse_version}
+ %service_del_postun_without_restart ovn-controller.service
+%else
+ %if 0%{?systemd_postun:1}
+ %systemd_postun ovn-controller.service
+ %else
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ %endif
+%endif
+
+%postun -n ovn-vtep
+%if 0%{?suse_version}
+ %service_del_postun_without_restart ovn-controller-vtep.service
+%else
+ %if 0%{?systemd_postun:1}
+ %systemd_postun ovn-controller-vtep.service
+ %else
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ %endif
+%endif
+
+%postun -n %{ovn_lname} -p /sbin/ldconfig
+
+%posttrans -n ovn-central
+# Save the "enabled" state across the transition of
+# ownership of ovn-northd.service from openvswitch-ovn-central to
+# ovn-central.
+if [ -e %{rpmstate}ovn-northd ]; then
+ rm %{rpmstate}ovn-northd
+ systemctl enable ovn-northd.service
+fi
+
+%posttrans -n ovn-host
+# Save the "enabled" state across the transition of
+# ownership of ovn-northd.service from openvswitch-ovn-central to
+# ovn-central.
+if [ -e %{rpmstate}ovn-controller ]; then
+ rm %{rpmstate}ovn-controller
+ systemctl enable ovn-controller.service
+fi
+
+%posttrans -n ovn-vtep
+# Save the "enabled" state across the transition of
+# ownership of ovn-controller.service from openvswitch-ovn-host to
+# ovn-host.
+if [ -e %{rpmstate}ovn-controller-vtep ]; then
+ rm %{rpmstate}ovn-controller-vtep
+ systemctl enable ovn-controller-vtep.service
+fi
+
+%files
+%defattr(-,root,openvswitch, 775)
+%dir %{_sysconfdir}/openvswitch
+%defattr(-,openvswitch,openvswitch)
+%dir %{_localstatedir}/log/openvswitch
+%config %ghost %{_sysconfdir}/openvswitch/system-id.conf
+# This is no longer the DB path for new installs but we still need this for
+# upgrades that preserve the old DB path.
+%ghost %{_sysconfdir}/openvswitch/.conf.db.~lock~
+%defattr(-,root,root)
+%config(noreplace) %{_sysconfdir}/openvswitch/default.conf
+%{_bindir}/ovs-appctl
+%{_bindir}/ovs-docker
+%{_bindir}/ovs-dpctl
+%{_bindir}/ovs-dpctl-top
+%{_bindir}/ovs-ofctl
+%{_bindir}/ovs-parse-backtrace
+%{_bindir}/ovs-vsctl
+%{_bindir}/ovsdb-client
+%{_bindir}/ovsdb-tool
+%{_sbindir}/ovs-bugtool
+%{_sbindir}/ovs-vswitchd
+%{_sbindir}/ovsdb-server
+%dir %{_datadir}/openvswitch
+%dir %{_datadir}/openvswitch/scripts
+%dir %{_datadir}/openvswitch/scripts/usdt
+%{_datadir}/openvswitch/bugtool-plugins
+%{_datadir}/openvswitch/scripts/ovs-bugtool-*
+%{_datadir}/openvswitch/scripts/ovs-check-dead-ifs
+%{_datadir}/openvswitch/scripts/ovs-ctl
+%{_datadir}/openvswitch/scripts/ovs-kmod-ctl
+%{_datadir}/openvswitch/scripts/ovs-lib
+%{_datadir}/openvswitch/scripts/ovs-save
+%{_datadir}/openvswitch/scripts/usdt/*
+%{_datadir}/openvswitch/vswitch.ovsschema
+%{_datadir}/openvswitch/local-config.ovsschema
+%{_mandir}/man1/ovsdb-client.1%{?ext_man}
+%{_mandir}/man1/ovsdb-server.1%{?ext_man}
+%{_mandir}/man1/ovsdb-tool.1%{?ext_man}
+%{_mandir}/man5/ovs-vswitchd.conf.db.5%{?ext_man}
+%{_mandir}/man5/ovsdb-server.5%{?ext_man}
+%{_mandir}/man5/ovsdb.5%{?ext_man}
+%{_mandir}/man7/ovs-actions.7%{?ext_man}
+%{_mandir}/man7/ovs-fields.7%{?ext_man}
+%{_mandir}/man7/ovsdb.7%{?ext_man}
+%{_mandir}/man7/ovsdb-server.7%{?ext_man}
+%{_mandir}/man8/ovs-appctl.8%{?ext_man}
+%{_mandir}/man8/ovs-bugtool.8%{?ext_man}
+%{_mandir}/man8/ovs-ctl.8%{?ext_man}
+%{_mandir}/man8/ovs-dpctl-top.8%{?ext_man}
+%{_mandir}/man8/ovs-dpctl.8%{?ext_man}
+%{_mandir}/man8/ovs-kmod-ctl.8%{?ext_man}
+%{_mandir}/man8/ovs-ofctl.8%{?ext_man}
+%{_mandir}/man8/ovs-parse-backtrace.8%{?ext_man}
+%{_mandir}/man8/ovs-vsctl.8%{?ext_man}
+%{_mandir}/man8/ovs-vswitchd.8%{?ext_man}
+%{_mandir}/man5/ovsdb.local-config.5.gz
+%config(noreplace) %{_sysconfdir}/logrotate.d/openvswitch
+%{_sbindir}/rcovsdb-server
+%{_sbindir}/rcovs-vswitchd
+%{_sbindir}/rcopenvswitch +%{_sbindir}/rcovs-delete-transient-ports +%{_unitdir}/openvswitch.service +%{_unitdir}/ovs-vswitchd.service +%{_unitdir}/ovsdb-server.service +%{_unitdir}/ovs-delete-transient-ports.service +%if 0%{?suse_version} +%{_fillupdir}/sysconfig.openvswitch +%{_datadir}/bash-completion/completions/ovs-appctl-bashcomp.bash +%{_datadir}/bash-completion/completions/ovs-vsctl-bashcomp.bash +%{_sysusersdir}/openvswitch.conf +%else +%config(noreplace) %{_sysconfdir}/sysconfig/openvswitch +%{_sysconfdir}/bash_completion.d/ovs-appctl-bashcomp.bash +%{_sysconfdir}/bash_completion.d/ovs-vsctl-bashcomp.bash +%{_sysconfdir}/sysconfig/network-scripts/ifup-ovs +%{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs +%endif +%ghost %attr(755,root,root) %{_rundir}/openvswitch +%ghost %attr(644,root,root) %{_rundir}/openvswitch.useropts +%exclude %{_docdir}/%{name} +%doc %ovs_dir/AUTHORS.rst %ovs_dir/CONTRIBUTING.rst %ovs_dir/NEWS %ovs_dir/README.rst +%license %ovs_dir/LICENSE %ovs_dir/NOTICE + +%files doc +%exclude %{_docdir}/%{name}/AUTHORS.rst +%exclude %{_docdir}/%{name}/CONTRIBUTING.rst +%exclude %{_docdir}/%{name}/NEWS +%exclude %{_docdir}/%{name}/README.rst +%{_docdir}/%{name}/ + +%files -n %{ovs_lname} +%{_libdir}/libofproto-3*.so.* +%{_libdir}/libopenvswitch-3*.so.* +%{_libdir}/libovsdb-3*.so.* +%{_libdir}/libsflow-3*.so.* +%{_libdir}/libvtep-3*.so.* + +%files pki +%{_mandir}/man8/ovs-pki.8%{?ext_man} +%{_bindir}/ovs-pki + +%files vtep +%{_bindir}/vtep-ctl +%{_mandir}/man5/vtep.5%{?ext_man} +%{_mandir}/man8/vtep-ctl.8%{?ext_man} +%{_datadir}/openvswitch/scripts/ovs-vtep +%{_datadir}/openvswitch/vtep.ovsschema + +%files ipsec +%{_datadir}/openvswitch/scripts/ovs-monitor-ipsec +%{_sbindir}/rcopenvswitch-ipsec +%{_unitdir}/openvswitch-ipsec.service + +%files -n python3-ovs +%{python3_sitearch}/ovs/ +%{python3_sitearch}/ovs-*.egg-info + +%files test +%{_bindir}/ovs-l3ping +%{_bindir}/ovs-pcap +%{_bindir}/ovs-test +%{_bindir}/ovs-testcontroller 
+%{_bindir}/ovs-tcpdump +%{_bindir}/ovs-tcpundump +%{_bindir}/ovs-vlan-test +%{_mandir}/man1/ovs-pcap.1%{?ext_man} +%{_mandir}/man1/ovs-tcpundump.1%{?ext_man} +%{_mandir}/man8/ovs-l3ping.8%{?ext_man} +%{_mandir}/man8/ovs-tcpdump.8%{?ext_man} +%{_mandir}/man8/ovs-testcontroller.8%{?ext_man} +%{_mandir}/man8/ovs-test.8%{?ext_man} +%{_mandir}/man8/ovs-vlan-test.8%{?ext_man} +%{python3_sitelib}/ovstest/ + +%files devel +%{_libdir}/libofproto.so +%{_libdir}/libopenvswitch.so +%{_libdir}/libovsdb.so +%{_libdir}/libsflow.so +%{_libdir}/libvtep.so +%{_includedir}/openflow/ +%{_includedir}/openvswitch/ +%{_libdir}/pkgconfig/*.pc +# Devel tools required for OVN +%{_bindir}/ovsdb-idlc +%{_mandir}/man1/ovsdb-idlc.1%{?ext_man} +%dir %{_datadir}/openvswitch/ovsdb +%{_datadir}/openvswitch/ovsdb/ovsdb-doc +%{_datadir}/openvswitch/ovsdb/ovsdb-dot + +%files -n ovn +%defattr(-,openvswitch,openvswitch) +%dir %{_localstatedir}/log/ovn +%defattr(-,root,root) +%if 0%{?suse_version} +%{_fillupdir}/sysconfig.ovn +%else +%config(noreplace) %{_sysconfdir}/sysconfig/ovn +%endif +%{_bindir}/ovn-nbctl +%{_bindir}/ovn-sbctl +%{_bindir}/ovn-trace +%{_bindir}/ovn-detrace +%{_bindir}/ovn_detrace.py +%{_bindir}/ovn-appctl +%{_bindir}/ovn-ic-nbctl +%{_bindir}/ovn-ic-sbctl +%{_bindir}/ovn-debug +%dir %{_datadir}/ovn +%dir %{_datadir}/ovn/scripts +%{_datadir}/ovn/scripts/ovn-ctl +%{_datadir}/ovn/scripts/ovn-lib +%{_datadir}/ovn/scripts/ovndb-servers.ocf +%{_datadir}/ovn/scripts/ovn-bugtool-nbctl-show +%{_datadir}/ovn/scripts/ovn-bugtool-sbctl-lflow-list +%{_datadir}/ovn/scripts/ovn-bugtool-sbctl-show +%{_mandir}/man5/ovn-nb.5%{?ext_man} +%{_mandir}/man5/ovn-sb.5%{?ext_man} +%{_mandir}/man8/ovn-ic-nbctl.8%{?ext_man} +%{_mandir}/man8/ovn-ic-sbctl.8%{?ext_man} +%{_mandir}/man8/ovn-ic.8%{?ext_man} +%{_mandir}/man5/ovn-ic-nb.5%{?ext_man} +%{_mandir}/man5/ovn-ic-sb.5%{?ext_man} +%{_mandir}/man1/ovn-detrace.1%{?ext_man} +%{_mandir}/man8/ovn-appctl.8%{?ext_man} +%{_mandir}/man7/ovn-architecture.7%{?ext_man} 
+%{_mandir}/man8/ovn-ctl.8%{?ext_man} +%{_mandir}/man8/ovn-nbctl.8%{?ext_man} +%{_mandir}/man8/ovn-trace.8%{?ext_man} +%{_mandir}/man8/ovn-sbctl.8%{?ext_man} +%{_mandir}/man8/ovn-debug.8%{?ext_man} +%config(noreplace) %{_sysconfdir}/logrotate.d/ovn +%doc %ovn_dir/AUTHORS.rst %ovn_dir/CONTRIBUTING.rst %ovn_dir/NEWS %ovn_dir/README.rst +%license %ovn_dir/LICENSE %ovn_dir/NOTICE + +%files -n ovn-docker +%{_bindir}/ovn-docker-overlay-driver +%{_bindir}/ovn-docker-underlay-driver + +%files -n ovn-central +# Can't use libexecdir because it differs between +# RedHat and SUSE and firewalld expects things in /usr/lib +%dir %{_prefix}/lib/firewalld +%dir %{_prefix}/lib/firewalld/services +%{_bindir}/ovn-northd +%{_bindir}/ovn-ic +%{_mandir}/man8/ovn-northd.8%{?ext_man} +%{_datadir}/ovn/ovn-nb.ovsschema +%{_datadir}/ovn/ovn-sb.ovsschema +%{_datadir}/ovn/ovn-ic-nb.ovsschema +%{_datadir}/ovn/ovn-ic-sb.ovsschema +%{_unitdir}/ovn-northd.service +%{_sbindir}/rcovn-northd +%{_prefix}/lib/firewalld/services/ovn-central-firewall-service.xml + +%files -n ovn-host +# Can't use libexecdir because it differs between +# RedHat and SUSE and firewalld expects things in /usr/lib +%dir %{_prefix}/lib/firewalld +%dir %{_prefix}/lib/firewalld/services +%{_bindir}/ovn-controller +%{_mandir}/man8/ovn-controller.8%{?ext_man} +%{_unitdir}/ovn-controller.service +%{_sbindir}/rcovn-controller +%{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml + +%files -n ovn-vtep +%{_bindir}/ovn-controller-vtep +%{_mandir}/man8/ovn-controller-vtep.8%{?ext_man} +%{_unitdir}/ovn-controller-vtep.service +%{_sbindir}/rcovn-controller-vtep + +%files -n ovn-doc +%exclude %{_docdir}/ovn/AUTHORS.rst +%exclude %{_docdir}/ovn/CONTRIBUTING.rst +%exclude %{_docdir}/ovn/NEWS +%exclude %{_docdir}/ovn/README.rst +%{_docdir}/ovn/ + +%files -n %{ovn_lname} +%{_libdir}/libovn-*.so.* + +%files -n ovn-devel +%{_libdir}/libovn.so +%{_includedir}/ovn/ + +%changelog 
diff --git a/ovn-23.03.0.tar.gz b/ovn-23.03.0.tar.gz
new file mode 100644
index 0000000..b10d294
--- /dev/null
+++ b/ovn-23.03.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c351ef0b1b0a19594c2d9b3cd541da1c6aab6606b371504ba46da75b3a09e30
+size 1955554
diff --git a/ovn-24.03.3.tar.gz b/ovn-24.03.3.tar.gz
new file mode 100644
index 0000000..ea83b9e
--- /dev/null
+++ b/ovn-24.03.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a23800f941c0755cf402d447f999aae8371b99e6e64a9bb6ec2e57d24f21348
+size 2010176
diff --git a/preamble b/preamble
new file mode 100644
index 0000000..e568a07
--- /dev/null
+++ b/preamble
@@ -0,0 +1,3 @@
+Requires: kernel-%1
+Enhances: kernel-%1
+Supplements: packageand(kernel-%1:%{-n*})
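Review bot: The LFS pointer for ovn-23.03.0.tar.gz is added in the same commit that moves the package to OVN 24.03.3 (ovn-24.03.3.tar.gz in the next hunk), so the source tree ends up carrying two OVN tarballs. The spec's Source: lines are outside this view; if the 23.03.0 tarball is no longer referenced there, it should be dropped from the package sources so that only the tarball that is actually built and reviewed is shipped, and anyone verifying the pointer's sha256 against the upstream release checksum has a single artifact to check. If it is still needed for some build variant, a one-line comment next to its Source: entry explaining why would keep it from being removed by mistake later.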