[ovs-git] [openvswitch/ovs] efd8a1: datapath: Account for "rename vlan_tx_* helpers si...

GitHub noreply at github.com
Tue Feb 3 20:59:13 UTC 2015


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: efd8a18e8d57a6129bb40fcd25b19cb18c4a3447
      https://github.com/openvswitch/ovs/commit/efd8a18e8d57a6129bb40fcd25b19cb18c4a3447
  Author: Thomas Graf <tgraf at noironetworks.com>
  Date:   2015-02-03 (Tue, 03 Feb 2015)

  Changed paths:
    M datapath/actions.c
    M datapath/datapath.c
    M datapath/flow.c
    M datapath/linux/compat/gso.c
    M datapath/linux/compat/include/linux/if_vlan.h
    M datapath/linux/compat/netdevice.c
    M datapath/linux/compat/skbuff-openvswitch.c
    M datapath/linux/compat/vxlan.c
    M datapath/vport-geneve.c
    M datapath/vport-gre.c
    M datapath/vport-internal_dev.c
    M datapath/vport.c

  Log Message:
  -----------
  datapath: Account for "rename vlan_tx_* helpers since "tx" is misleading there"

Upstream commit:
    net: rename vlan_tx_* helpers since "tx" is misleading there

    The same macros are used for rx as well. So rename it.

    Signed-off-by: Jiri Pirko <jiri at resnulli.us>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Upstream: df8a39d ("net: rename vlan_tx_* helpers since "tx" is misleading there")
Signed-off-by: Thomas Graf <tgraf at noironetworks.com>
Acked-by: Pravin B Shelar <pshelar at nicira.com>


  Commit: ababf4247ad92505ae5f9f7ea03cb374a8ad4b1e
      https://github.com/openvswitch/ovs/commit/ababf4247ad92505ae5f9f7ea03cb374a8ad4b1e
  Author: Thomas Graf <tgraf at noironetworks.com>
  Date:   2015-02-03 (Tue, 03 Feb 2015)

  Changed paths:
    M datapath/linux/compat/include/net/vxlan.h
    M datapath/linux/compat/vxlan.c

  Log Message:
  -----------
  datapath: Account for now exposed VXLAN definitions

This brings the compat version of vxlan_udp_encap_recv() and
vxlan_xmit_skb() in line with upstream commit:

	commit 3bf3947526c1053ddf2523f261395d682718f56c
	Author: Tom Herbert <therbert at google.com>
	Date:   Thu Jan 8 12:31:18 2015 -0800

    vxlan: Improve support for header flags

    This patch cleans up the header flags of VXLAN in anticipation of
    defining some new ones:

    - Move header related definitions from vxlan.c to vxlan.h
    - Change VXLAN_FLAGS to be VXLAN_HF_VNI (only currently defined flag)
    - Move check for unknown flags to after we find vxlan_sock, this
      assumes that some flags may be processed based on tunnel
      configuration
    - Add a comment about why the stack treats unknown set flags as an
      error instead of ignoring them

    Signed-off-by: Tom Herbert <therbert at google.com>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Upstream: 3bf394 ("vxlan: Improve support for header flags")
Signed-off-by: Thomas Graf <tgraf at noironetworks.com>
Acked-by: Pravin B Shelar <pshelar at nicira.com>


  Commit: 3174a818a125e7a2b5c37cb60839d6ea5c5b8c8c
      https://github.com/openvswitch/ovs/commit/3174a818a125e7a2b5c37cb60839d6ea5c5b8c8c
  Author: Thomas Graf <tgraf at noironetworks.com>
  Date:   2015-02-03 (Tue, 03 Feb 2015)

  Changed paths:
    M acinclude.m4
    M datapath/linux/compat/include/net/vxlan.h
    M datapath/linux/compat/vxlan.c
    M datapath/vport-vxlan.c

  Log Message:
  -----------
  datapath: Account for "vxlan: Group Policy extension"

Upstream commit:
    vxlan: Group Policy extension

    Implements support for the Group Policy VXLAN extension [0] to provide
    a lightweight and simple security label mechanism across network peers
    based on VXLAN. The security context and associated metadata are mapped
    to/from skb->mark. This allows further mapping to a SELinux context
    using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
    tc, etc.

    The group membership is defined by the lower 16 bits of skb->mark, the
    upper 16 bits are used for flags.

    SELinux allows managing labels to secure local resources. However,
    distributed applications require ACLs to be implemented across hosts. This
    is typically achieved by matching on L2-L4 fields to identify the
    original sending host and process on the receiver. On top of that,
    netlabel and specifically CIPSO [1] allow mapping security contexts to
    universal labels.  However, netlabel and CIPSO are relatively complex.
    This patch provides a lightweight alternative for overlay network
    environments with a trusted underlay. No additional control protocol
    is required.

             Host 1:                       Host 2:

    Group A        Group B        Group B     Group A
    +-----+   +-------------+    +-------+   +-----+
    | lxc |   | SELinux CTX |    | httpd |   | VM  |
    +--+--+   +--+----------+    +---+---+   +--+--+
        \---+---/                     \----+---/
            |                              |
        +---+---+                      +---+---+
        | vxlan |                      | vxlan |
        +---+---+                      +---+---+
            +------------------------------+

    Backwards compatibility:
    A VXLAN-GBP socket can receive standard VXLAN frames and will assign
    the default group 0x0000 to such frames. A Linux VXLAN socket will
    drop VXLAN-GBP frames. The extension is therefore disabled by default
    and needs to be specifically enabled:

       ip link add [...] type vxlan [...] gbp

    In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
    must run on a separate port number.

    Examples:
     iptables:
      host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
      host2# iptables -I INPUT -m mark --mark 0x200 -j DROP

     OVS:
      # ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
      # ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'

    [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
    [1] http://lwn.net/Articles/204905/

    Signed-off-by: Thomas Graf <tgraf at suug.ch>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Upstream: 351149 ("vxlan: Group Policy extension")
Signed-off-by: Thomas Graf <tgraf at noironetworks.com>
Acked-by: Pravin B Shelar <pshelar at nicira.com>


  Commit: 2311260fc1a5ea70a1c77a9a3532388e33b6a2ed
      https://github.com/openvswitch/ovs/commit/2311260fc1a5ea70a1c77a9a3532388e33b6a2ed
  Author: Thomas Graf <tgraf at noironetworks.com>
  Date:   2015-02-03 (Tue, 03 Feb 2015)

  Changed paths:
    M datapath/linux/compat/include/net/vxlan.h
    M datapath/linux/compat/vxlan.c
    M datapath/vport-vxlan.c

  Log Message:
  -----------
  datapath: Account for "vxlan: add x-netns support"

Upstream commit:
    vxlan: add x-netns support

    This patch allows switching the netns when a packet is encapsulated or
    decapsulated.
    The vxlan socket is opened in the i/o netns, i.e. in the netns where
    encapsulated packets are received. The socket lookup is done in this netns to
    find the corresponding vxlan tunnel. After decapsulation, the packet is
    injected into the corresponding interface, which may belong to another netns.

    When one of the two netns is removed, the tunnel is destroyed.

    Configuration example:
    ip netns add netns1
    ip netns exec netns1 ip link set lo up
    ip link add vxlan10 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0
    ip link set vxlan10 netns netns1
    ip netns exec netns1 ip addr add 192.168.0.249/24 broadcast 192.168.0.255 dev vxlan10
    ip netns exec netns1 ip link set vxlan10 up

    Signed-off-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Upstream: f01ec1c017de ("vxlan: add x-netns support")
Signed-off-by: Thomas Graf <tgraf at noironetworks.com>
Acked-by: Pravin B Shelar <pshelar at nicira.com>


  Commit: 4b1632249fc13b3a12cc093a88f19096b0a38486
      https://github.com/openvswitch/ovs/commit/4b1632249fc13b3a12cc093a88f19096b0a38486
  Author: Thomas Graf <tgraf at noironetworks.com>
  Date:   2015-02-03 (Tue, 03 Feb 2015)

  Changed paths:
    M datapath/flow.c
    M datapath/flow.h
    M datapath/flow_netlink.c

  Log Message:
  -----------
  datapath: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()

Backport of upstream commit:

    openvswitch: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()

    Also factors out Geneve validation code into a new separate function
    validate_and_copy_geneve_opts().

    A subsequent patch will introduce VXLAN options. Rename the existing
    GENEVE_TUN_OPTS() to reflect its extended purpose of carrying generic
    tunnel metadata options.

    Signed-off-by: Thomas Graf <tgraf at suug.ch>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Upstream: d91641d ("openvswitch: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS()")
Signed-off-by: Thomas Graf <tgraf at noironetworks.com>
Acked-by: Pravin B Shelar <pshelar at nicira.com>


  Commit: ec959cdcb9f7e1e534ffafaed85790fec8b279ca
      https://github.com/openvswitch/ovs/commit/ec959cdcb9f7e1e534ffafaed85790fec8b279ca
  Author: Thomas Graf <tgraf at noironetworks.com>
  Date:   2015-02-03 (Tue, 03 Feb 2015)

  Changed paths:
    M datapath/flow_netlink.c

  Log Message:
  -----------
  datapath: Allow for any level of nesting in flow attributes

Upstream commit:
    openvswitch: Allow for any level of nesting in flow attributes

    nlattr_set() is currently hardcoded to two levels of nesting. This change
    introduces struct ovs_len_tbl to define minimal length requirements plus
    next level nesting tables to traverse the key attributes to arbitrary depth.

    Signed-off-by: Thomas Graf <tgraf at suug.ch>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Upstream: 81bfe3 ("openvswitch: Allow for any level of nesting in flow attributes")
Signed-off-by: Thomas Graf <tgraf at noironetworks.com>
Acked-by: Pravin B Shelar <pshelar at nicira.com>


Compare: https://github.com/openvswitch/ovs/compare/4fe0f2039168...ec959cdcb9f7
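
Added example (not code from these commits or from the kernel): a user-space C sketch of the receive-side rules the VXLAN commit messages above describe, namely the group ID in the lower 16 bits of the mark with flags in the upper 16, default group 0x0000 for plain VXLAN frames on a GBP socket, and unknown set flags treated as an error. The function, struct and macro names are illustrative assumptions; the bit positions are taken from the VXLAN-GBP draft cited as [0].

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative names, not the kernel's; bit positions follow the
 * VXLAN-GBP draft cited as [0] in the commit message. */
#define HF_VNI      0x08000000u /* I: VNI field is valid */
#define HF_GBP      0x80000000u /* G: group policy ID present */
#define GBP_D       0x00400000u /* D: don't learn */
#define GBP_A       0x00080000u /* A: policy already applied */
#define GBP_ID_MASK 0x0000ffffu /* group policy ID */

enum { RX_OK = 0, RX_DROP = -1 };

struct rx_meta { uint32_t vni; uint32_t mark; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode an 8-byte VXLAN header. gbp_enabled models the per-socket
 * "gbp" option; *out is written only when the frame is accepted. */
int vxlan_rx_decode(const uint8_t *hdr, size_t len, int gbp_enabled,
                    struct rx_meta *out)
{
    uint32_t flags, vni_word, mark = 0; /* no GBP: default group 0x0000 */

    if (len < 8)
        return RX_DROP;
    flags = be32(hdr);
    vni_word = be32(hdr + 4);
    if (!(flags & HF_VNI))
        return RX_DROP;
    flags &= ~HF_VNI;

    if (gbp_enabled && (flags & HF_GBP)) {
        mark = flags & (GBP_ID_MASK | GBP_D | GBP_A); /* id low, flags high */
        flags &= ~(HF_GBP | GBP_ID_MASK | GBP_D | GBP_A);
    }
    /* Bits still set are unknown to this socket: drop, do not ignore.
     * The low byte of the VNI word is reserved and must be zero. */
    if (flags || (vni_word & 0xffu))
        return RX_DROP;
    out->vni = vni_word >> 8;
    out->mark = mark;
    return RX_OK;
}
```

Because the label is taken from the frame as received, the resulting mark is only as trustworthy as the underlay that delivered it, which is the "trusted underlay" assumption stated in the commit message.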

