diff --git a/.travis.yml b/.travis.yml index ff2fa2e4810..4d7bbd85730 100644 --- a/.travis.yml +++ b/.travis.yml @@ -19,6 +19,8 @@ addons: - python-sphinx - libelf-dev - selinux-policy-dev + - libunbound-dev + - libunbound-dev:i386 before_install: ./.travis/${TRAVIS_OS_NAME}-prepare.sh diff --git a/Documentation/intro/install/general.rst b/Documentation/intro/install/general.rst index 474c9e86157..fe30c19ad57 100644 --- a/Documentation/intro/install/general.rst +++ b/Documentation/intro/install/general.rst @@ -93,6 +93,10 @@ need the following software: - Python 2.7. You must also have the Python ``six`` library version 1.4.0 or later. +- Unbound library, from http://www.unbound.net, is optional but recommended if + you want to enable ovs-vswitchd and other utilities to use DNS names when + specifying OpenFlow and OVSDB remotes. If unbound library is already + installed, then Open vSwitch will automatically build with support for it. On Linux, you may choose to compile the kernel module that comes with the Open vSwitch distribution or to use the kernel module built into the Linux kernel diff --git a/Documentation/ref/ovsdb.7.rst b/Documentation/ref/ovsdb.7.rst index bcdcd717aeb..39d85b6e577 100644 --- a/Documentation/ref/ovsdb.7.rst +++ b/Documentation/ref/ovsdb.7.rst @@ -379,11 +379,11 @@ the opposite arrangement as well. OVSDB supports the following active connection methods: -ssl:: - The specified SSL or TLS on the host at the given . +ssl:: + The specified SSL or TLS on the given . -tcp:: - The specified TCP on the host at the given . +tcp:: + The specified TCP on the given . unix: On Unix-like systems, connect to the Unix domain server socket named @@ -427,9 +427,9 @@ All IP-based connection methods accept IPv4 and IPv6 addresses. To specify an IPv6 address, wrap it in square brackets, e.g. ``ssl:[::1]:6640``. Passive IP-based connection methods by default listen for IPv4 connections only; use ``[::]`` as the address to accept both IPv4 and IPv6 connections, -e.g. ``pssl:6640:[::]``. DNS names are not accepted. On Linux, use -``%`` to designate a scope for IPv6 link-level addresses, -e.g. ``ssl:[fe80::1234%eth0]:6653``. +e.g. ``pssl:6640:[::]``. DNS names are also accepted if built with unbound +library. On Linux, use ``%`` to designate a scope for IPv6 link-level +addresses, e.g. ``ssl:[fe80::1234%eth0]:6653``. The may be omitted from connection methods that use a port number. The default for TCP-based connection methods is 6640, e.g. ``pssl:`` is diff --git a/NEWS b/NEWS index cd15a332c47..abf5441ab24 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,7 @@ Post-v2.9.0 -------------------- + - ovs-vswitchd and utilities now support DNS names in OpenFlow and + OVSDB remotes. - ovs-vswitchd: * New options --l7 and --l7-len to "ofproto/trace" command. * Previous versions gave OpenFlow tables default names of the form diff --git a/configure.ac b/configure.ac index f0e4b51274d..af570b32012 100644 --- a/configure.ac +++ b/configure.ac @@ -135,6 +135,7 @@ OVS_CHECK_LINUX_HOST OVS_LIBTOOL_VERSIONS OVS_CHECK_CXX AX_FUNC_POSIX_MEMALIGN +OVS_CHECK_UNBOUND OVS_CHECK_INCLUDE_NEXT([stdio.h string.h]) AC_CONFIG_FILES([ diff --git a/debian/control b/debian/control index a4c031d85f1..9ae248f2789 100644 --- a/debian/control +++ b/debian/control @@ -16,7 +16,8 @@ Build-Depends: graphviz, python-all (>= 2.7), python-twisted-conch, python-zopeinterface, - python-six + python-six, + libunbound-dev Standards-Version: 3.9.3 Homepage: http://openvswitch.org/ @@ -307,6 +308,7 @@ Multi-Arch: same Depends: libopenvswitch (>= ${binary:Version}), libssl-dev, + libunbound-dev, ${misc:Depends} Conflicts: openvswitch-dev Replaces: openvswitch-dev diff --git a/lib/automake.mk b/lib/automake.mk index 3bec3fd5631..fb43aa1413b 100644 --- a/lib/automake.mk +++ b/lib/automake.mk @@ -465,6 +465,13 @@ else lib_libopenvswitch_la_SOURCES += lib/stream-nossl.c endif +lib_libopenvswitch_la_SOURCES += lib/dns-resolve.h +if HAVE_UNBOUND +lib_libopenvswitch_la_SOURCES += lib/dns-resolve.c +else +lib_libopenvswitch_la_SOURCES += lib/dns-resolve-stub.c +endif + pkgconfig_DATA += \ lib/libopenvswitch.pc \ lib/libsflow.pc diff --git a/lib/dns-resolve-stub.c b/lib/dns-resolve-stub.c new file mode 100644 index 00000000000..edf8337be1d --- /dev/null +++ b/lib/dns-resolve-stub.c @@ -0,0 +1,36 @@ +/* + * Copyright (c) 2017, 2018 Nicira, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include "dns-resolve.h" +#include "compiler.h" + +void +dns_resolve_init(void) +{ +} + +bool +dns_resolve(const char *name OVS_UNUSED, char **addr) +{ + *addr = NULL; + return false; +} + +void +dns_resolve_destroy(void) +{ +} diff --git a/lib/dns-resolve.c b/lib/dns-resolve.c new file mode 100644 index 00000000000..f1f91129609 --- /dev/null +++ b/lib/dns-resolve.c @@ -0,0 +1,310 @@ +/* + * Copyright (c) 2017, 2018 Nicira, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include "dns-resolve.h" +#include +#include +#include +#include +#include +#include +#include +#include "hash.h" +#include "openvswitch/hmap.h" +#include "openvswitch/vlog.h" +#include "timeval.h" + +VLOG_DEFINE_THIS_MODULE(dns_resolve); + +/* Guard all_reqs__ and resolve_state of each request. */ +static struct ovs_mutex dns_mutex__ = OVS_MUTEX_INITIALIZER; +static struct hmap all_reqs__; +static struct ub_ctx *ub_ctx__; + +static bool thread_is_daemon; + +static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); + +enum resolve_state { + RESOLVE_INVALID, + RESOLVE_PENDING, + RESOLVE_GOOD, + RESOLVE_ERROR +}; + +struct resolve_request { + struct hmap_node hmap_node; /* node for all_reqs__ */ + char *name; /* the domain name to be resolved */ + char *addr; /* the resolved ip address */ + enum resolve_state state; /* state of this request */ + time_t time; /* resolving time */ + struct ub_result *ub_result; /* the stored unbound result */ +}; + +static struct resolve_request *resolve_find_or_new__(const char *name) + OVS_REQUIRES(dns_mutex__); +static bool resolve_check_expire__(struct resolve_request *req) + OVS_REQUIRES(dns_mutex__); +static bool resolve_check_valid__(struct resolve_request *req) + OVS_REQUIRES(dns_mutex__); +static bool resolve_async__(struct resolve_request *req, int qtype) + OVS_REQUIRES(dns_mutex__); +static void resolve_callback__(void *req, int err, struct ub_result *) + OVS_REQUIRES(dns_mutex__); +static bool resolve_result_to_addr__(struct ub_result *result, char **addr); +static bool dns_resolve_sync__(const char *name, char **addr); + +/* Pass a true 'is_daemon' if you don't want the DNS-resolving to block the + * running thread. + */ +void +dns_resolve_init(bool is_daemon) +{ + ub_ctx__ = ub_ctx_create(); + if (ub_ctx__ == NULL) { + VLOG_ERR_RL(&rl, "Failed to create libunbound context, " + "so asynchronous DNS resolving is disabled."); + return; + } + + int retval; +#ifdef __linux__ + retval = ub_ctx_resolvconf(ub_ctx__, "/etc/resolv.conf"); + if (retval != 0) { + VLOG_WARN_RL(&rl, "Failed to read /etc/resolv.conf: %s", + ub_strerror(retval)); + } +#endif + + /* Handles '/etc/hosts' on Linux and 'WINDIR/etc/hosts' on Windows. */ + retval = ub_ctx_hosts(ub_ctx__, NULL); + if (retval != 0) { + VLOG_WARN_RL(&rl, "Failed to read etc/hosts: %s", + ub_strerror(retval)); + } + + ub_ctx_async(ub_ctx__, true); + hmap_init(&all_reqs__); + thread_is_daemon = is_daemon; +} + +/* Returns true on success. Otherwise, returns false and the error information + * can be found in logs. If there is no error information, then the resolving + * is in process and the caller should call again later. The value of '*addr' + * is always nullified if false is returned. If this function is called under + * daemon-context, the resolving will undergo asynchronously. Otherwise, a + * synchronouse resolving will take place. + * + * This function is thread-safe. + * + * The caller is responsible for freeing the returned '*addr'. + */ +bool +dns_resolve(const char *name, char **addr) + OVS_EXCLUDED(dns_mutex__) +{ + bool success = false; + + if (!thread_is_daemon) { + return dns_resolve_sync__(name, addr); + } + + *addr = NULL; + ovs_mutex_lock(&dns_mutex__); + + if (ub_ctx__ == NULL) { + goto unlock; + } + + /* ub_process is inside lock as it invokes resolve_callback__. */ + int retval = ub_process(ub_ctx__); + if (retval != 0) { + VLOG_ERR_RL(&rl, "dns-resolve error: %s", ub_strerror(retval)); + goto unlock; + } + + struct resolve_request *req; + req = resolve_find_or_new__(name); + if (resolve_check_valid__(req)) { + *addr = xstrdup(req->addr); + success = true; + } else if (req->state != RESOLVE_PENDING) { + success = resolve_async__(req, ns_t_a); + } +unlock: + ovs_mutex_unlock(&dns_mutex__); + return success; +} + +void +dns_resolve_destroy(void) +{ + if (ub_ctx__ != NULL) { + /* Outstanding requests will be killed. */ + ub_ctx_delete(ub_ctx__); + ub_ctx__ = NULL; + + struct resolve_request *req; + HMAP_FOR_EACH(req, hmap_node, &all_reqs__) { + ub_resolve_free(req->ub_result); + free(req->addr); + free(req->name); + free(req); + } + hmap_destroy(&all_reqs__); + } +} + +static struct resolve_request * +resolve_find_or_new__(const char *name) + OVS_REQUIRES(dns_mutex__) +{ + struct resolve_request *req; + + HMAP_FOR_EACH_IN_BUCKET(req, hmap_node, hash_string(name, 0), + &all_reqs__) { + if (!strcmp(name, req->name)) { + return req; + } + } + + req = xzalloc(sizeof *req); + req->name = xstrdup(name); + req->state = RESOLVE_INVALID; + hmap_insert(&all_reqs__, &req->hmap_node, hash_string(req->name, 0)); + return req; +} + +static bool +resolve_check_expire__(struct resolve_request *req) + OVS_REQUIRES(dns_mutex__) +{ + return time_now() > req->time + req->ub_result->ttl; +} + +static bool +resolve_check_valid__(struct resolve_request *req) + OVS_REQUIRES(dns_mutex__) +{ + return (req != NULL + && req->state == RESOLVE_GOOD + && !resolve_check_expire__(req)); +} + +static bool +resolve_async__(struct resolve_request *req, int qtype) + OVS_REQUIRES(dns_mutex__) +{ + if (qtype == ns_t_a || qtype == ns_t_aaaa) { + int retval; + retval = ub_resolve_async(ub_ctx__, req->name, + qtype, ns_c_in, req, + resolve_callback__, NULL); + if (retval != 0) { + req->state = RESOLVE_ERROR; + return false; + } else { + req->state = RESOLVE_PENDING; + return true; + } + } + return false; +} + +static void +resolve_callback__(void *req_, int err, struct ub_result *result) + OVS_REQUIRES(dns_mutex__) +{ + struct resolve_request *req = req_; + + if (err != 0 || (result->qtype == ns_t_aaaa && !result->havedata)) { + req->state = RESOLVE_ERROR; + VLOG_ERR_RL(&rl, "%s: failed to resolve", req->name); + return; + } + + /* IPv4 address is empty, try IPv6. */ + if (result->qtype == ns_t_a && !result->havedata) { + ub_resolve_free(result); + resolve_async__(req, ns_t_aaaa); + return; + } + + char *addr; + if (!resolve_result_to_addr__(result, &addr)) { + req->state = RESOLVE_ERROR; + VLOG_ERR_RL(&rl, "%s: failed to resolve", req->name); + return; + } + + ub_resolve_free(req->ub_result); + free(req->addr); + + req->ub_result = result; + req->addr = addr; + req->state = RESOLVE_GOOD; + req->time = time_now(); +} + +static bool +resolve_result_to_addr__(struct ub_result *result, char **addr) +{ + int af = result->qtype == ns_t_a ? AF_INET : AF_INET6; + char buffer[INET6_ADDRSTRLEN]; + + /* XXX: only the first returned IP is used. */ + if (inet_ntop(af, result->data[0], buffer, sizeof buffer)) { + *addr = xstrdup(buffer); + } else { + *addr = NULL; + } + + return (*addr != NULL); +} + +static bool +dns_resolve_sync__(const char *name, char **addr) +{ + *addr = NULL; + + if (ub_ctx__ == NULL) { + dns_resolve_init(false); + if (ub_ctx__ == NULL) { + return false; + } + } + + struct ub_result *result; + int retval = ub_resolve(ub_ctx__, name, ns_t_a, ns_c_in, &result); + if (retval != 0) { + return false; + } else if (!result->havedata) { + ub_resolve_free(result); + + retval = ub_resolve(ub_ctx__, name, ns_t_aaaa, ns_c_in, &result); + if (retval != 0) { + return false; + } else if (!result->havedata) { + ub_resolve_free(result); + return false; + } + } + + bool success = resolve_result_to_addr__(result, addr); + ub_resolve_free(result); + return success; +} diff --git a/lib/dns-resolve.h b/lib/dns-resolve.h new file mode 100644 index 00000000000..9cfa366a5d7 --- /dev/null +++ b/lib/dns-resolve.h @@ -0,0 +1,26 @@ +/* + * Copyright (c) 2017, 2018 Nicira, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef DNS_RESOLVE_H +#define DNS_RESOLVE_H 1 + +#include + +void dns_resolve_init(bool is_daemon); +bool dns_resolve(const char *name, char **addr); +void dns_resolve_destroy(void); + +#endif /* dns-resolve.h */ diff --git a/lib/socket-util.c b/lib/socket-util.c index c960d62d706..504f4cd5955 100644 --- a/lib/socket-util.c +++ b/lib/socket-util.c @@ -48,6 +48,7 @@ #include "netlink-protocol.h" #include "netlink-socket.h" #endif +#include "dns-resolve.h" VLOG_DEFINE_THIS_MODULE(socket_util); @@ -56,6 +57,12 @@ static int getsockopt_int(int fd, int level, int option, const char *optname, static struct sockaddr_in *sin_cast(const struct sockaddr *); static struct sockaddr_in6 *sin6_cast(const struct sockaddr *); static const struct sockaddr *sa_cast(const struct sockaddr_storage *); +static bool parse_sockaddr_components(struct sockaddr_storage *ss, + char *host_s, + const char *port_s, + uint16_t default_port, + const char *s, + bool resolve_host); /* Sets 'fd' to non-blocking mode. Returns 0 if successful, otherwise a * positive errno value. */ @@ -419,11 +426,31 @@ inet_parse_port_host_tokens(char *s, char **portp, char **hostp) inet_parse_tokens__(s, 1, hostp, portp); } +static bool +parse_sockaddr_components_dns(struct sockaddr_storage *ss OVS_UNUSED, + char *host_s, + const char *port_s OVS_UNUSED, + uint16_t default_port OVS_UNUSED, + const char *s OVS_UNUSED) +{ + char *tmp_host_s; + + dns_resolve(host_s, &tmp_host_s); + if (tmp_host_s != NULL) { + parse_sockaddr_components(ss, tmp_host_s, port_s, + default_port, s, false); + free(tmp_host_s); + return true; + } + return false; +} + static bool parse_sockaddr_components(struct sockaddr_storage *ss, char *host_s, const char *port_s, uint16_t default_port, - const char *s) + const char *s, + bool resolve_host) { struct sockaddr_in *sin = sin_cast(sa_cast(ss)); int port; @@ -445,7 +472,6 @@ parse_sockaddr_components(struct sockaddr_storage *ss, sin6->sin6_family = AF_INET6; sin6->sin6_port = htons(port); if (!addr || !*addr || !ipv6_parse(addr, &sin6->sin6_addr)) { - VLOG_ERR("%s: bad IPv6 address \"%s\"", s, addr ? addr : ""); goto exit; } @@ -468,13 +494,19 @@ parse_sockaddr_components(struct sockaddr_storage *ss, sin->sin_family = AF_INET; sin->sin_port = htons(port); if (host_s && !ip_parse(host_s, &sin->sin_addr.s_addr)) { - VLOG_ERR("%s: bad IPv4 address \"%s\"", s, host_s); - goto exit; + goto resolve; } } return true; +resolve: + if (resolve_host && parse_sockaddr_components_dns(ss, host_s, port_s, + default_port, s)) { + return true; + } else if (!resolve_host) { + VLOG_ERR("%s: bad IP address \"%s\"", s, host_s); + } exit: memset(ss, 0, sizeof *ss); return false; @@ -505,7 +537,8 @@ inet_parse_active(const char *target_, int default_port, VLOG_ERR("%s: port must be specified", target_); ok = false; } else { - ok = parse_sockaddr_components(ss, host, port, default_port, target_); + ok = parse_sockaddr_components(ss, host, port, default_port, + target_, true); } if (!ok) { memset(ss, 0, sizeof *ss); @@ -625,7 +658,8 @@ inet_parse_passive(const char *target_, int default_port, VLOG_ERR("%s: port must be specified", target_); ok = false; } else { - ok = parse_sockaddr_components(ss, host, port, default_port, target_); + ok = parse_sockaddr_components(ss, host, port, default_port, + target_, true); } if (!ok) { memset(ss, 0, sizeof *ss); @@ -747,7 +781,7 @@ inet_parse_address(const char *target_, struct sockaddr_storage *ss) { char *target = xstrdup(target_); char *host = unbracket(target); - bool ok = parse_sockaddr_components(ss, host, NULL, 0, target_); + bool ok = parse_sockaddr_components(ss, host, NULL, 0, target_, false); if (!ok) { memset(ss, 0, sizeof *ss); } diff --git a/lib/stream.c b/lib/stream.c index 63c59234408..4e15fe0c8aa 100644 --- a/lib/stream.c +++ b/lib/stream.c @@ -126,11 +126,11 @@ stream_usage(const char *name, bool active, bool passive, printf("\n"); if (active) { printf("Active %s connection methods:\n", name); - printf(" tcp:IP:PORT " - "PORT at remote IP\n"); + printf(" tcp:HOST:PORT " + "PORT at remote HOST\n"); #ifdef HAVE_OPENSSL - printf(" ssl:IP:PORT " - "SSL PORT at remote IP\n"); + printf(" ssl:HOST:PORT " + "SSL PORT at remote HOST\n"); #endif printf(" unix:FILE " "Unix domain socket named FILE\n"); diff --git a/lib/vconn-active.man b/lib/vconn-active.man index 395879c8a58..9438ac0793c 100644 --- a/lib/vconn-active.man +++ b/lib/vconn-active.man @@ -1,10 +1,10 @@ -.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]" -.IQ "\fBtcp:\fIip\fR[\fB:\fIport\fR]" -The specified \fIport\fR on the host at the given \fIip\fR, which must -be expressed as an IP address (not a DNS name) in IPv4 or IPv6 address -format. Wrap IPv6 addresses in square brackets, -e.g. \fBtcp:[::1]:6653\fR. On Linux, use \fB%\fIdevice\fR to -designate a scope for IPv6 link-level addresses, +.IP "\fBssl:\fIhost\fR[\fB:\fIport\fR]" +.IQ "\fBtcp:\fIhost\fR[\fB:\fIport\fR]" +The specified \fIport\fR on the given \fIhost\fR, which can +be expressed either as a DNS name (if built with unbound library) +or an IP address in IPv4 or IPv6 address format. Wrap IPv6 addresses +in square brackets, e.g. \fBtcp:[::1]:6653\fR. On Linux, use +\fB%\fIdevice\fR to designate a scope for IPv6 link-level addresses, e.g. \fBtcp:[fe80::1234%eth0]:6653\fR. For \fBssl\fR, the \fB\-\-private\-key\fR, \fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR options are mandatory. diff --git a/lib/vconn-passive.man b/lib/vconn-passive.man index 1ffa183972b..d02e75f81f5 100644 --- a/lib/vconn-passive.man +++ b/lib/vconn-passive.man @@ -1,12 +1,12 @@ -.IP "\fBpssl:\fR[\fIport\fR][\fB:\fIip\fR]" -.IQ "\fBptcp:\fR[\fIport\fR][\fB:\fIip\fR]" +.IP "\fBpssl:\fR[\fIport\fR][\fB:\fIhost\fR]" +.IQ "\fBptcp:\fR[\fIport\fR][\fB:\fIhost\fR]" Listens for OpenFlow connections on \fIport\fR. The default \fIport\fR is 6653. By default, connections are allowed from any IPv4 -address. Specify \fIip\fR as an IPv4 address or a bracketed IPv6 +address. Specify \fIhost\fR as an IPv4 address or a bracketed IPv6 address (e.g. \fBptcp:6653:[::1]\fR). On Linux, use \fB%\fIdevice\fR to designate a scope for IPv6 link-level addresses, -e.g. \fBptcp:6653:[fe80::1234%eth0]\fR. DNS names may -not be used. For \fBpssl\fR, the +e.g. \fBptcp:6653:[fe80::1234%eth0]\fR. DNS names can +be used if built with unbound library. For \fBpssl\fR, the \fB\-\-private\-key\fR,\fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR options are mandatory. .IP diff --git a/lib/vconn.c b/lib/vconn.c index c311843b24e..e95ecbfa78a 100644 --- a/lib/vconn.c +++ b/lib/vconn.c @@ -139,11 +139,11 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED) printf("\n"); if (active) { printf("Active OpenFlow connection methods:\n"); - printf(" tcp:IP[:PORT] " - "PORT (default: %d) at remote IP\n", OFP_PORT); + printf(" tcp:HOST[:PORT] " + "PORT (default: %d) at remote HOST\n", OFP_PORT); #ifdef HAVE_OPENSSL - printf(" ssl:IP[:PORT] " - "SSL PORT (default: %d) at remote IP\n", OFP_PORT); + printf(" ssl:HOST[:PORT] " + "SSL PORT (default: %d) at remote HOST\n", OFP_PORT); #endif printf(" unix:FILE Unix domain socket named FILE\n"); } diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4 index 3f301b23bd0..8c62de763bc 100644 --- a/m4/openvswitch.m4 +++ b/m4/openvswitch.m4 @@ -669,3 +669,13 @@ AC_DEFUN([OVS_CHECK_CXX], enable_cxx=false fi AM_CONDITIONAL([HAVE_CXX], [$enable_cxx])]) + +dnl Checks for unbound library. +AC_DEFUN([OVS_CHECK_UNBOUND], + [AC_CHECK_LIB(unbound, ub_ctx_create, [HAVE_UNBOUND=yes]) + if test "$HAVE_UNBOUND" = yes; then + AC_DEFINE([HAVE_UNBOUND], [1], [Define to 1 if unbound is detected.]) + LIBS="$LIBS -lunbound" + fi + AM_CONDITIONAL([HAVE_UNBOUND], [test "$HAVE_UNBOUND" = yes]) + AC_SUBST([HAVE_UNBOUND])]) diff --git a/ovn/controller-vtep/ovn-controller-vtep.8.xml b/ovn/controller-vtep/ovn-controller-vtep.8.xml index ca9b082a087..2c706e46ea0 100644 --- a/ovn/controller-vtep/ovn-controller-vtep.8.xml +++ b/ovn/controller-vtep/ovn-controller-vtep.8.xml @@ -39,28 +39,28 @@

  • - ssl:ip:port + ssl:host:port

    - The specified SSL port on the host at the given - ip, which must be expressed as an IP address (not a DNS - name) in IPv4 or IPv6 address format. If ip is an IPv6 - address, then wrap ip with square brackets, e.g.: - ssl:[::1]:6640. The --private-key, - --certificate and either of --ca-cert - or --bootstrap-ca-cert options are mandatory when this - form is used. + The specified SSL port on the give host, which + can either be a DNS name (if built with unbound library) or an IP + address (IPv4 or IPv6). If host is an IPv6 address, then + wrap host with square brackets, e.g.: ssl:[::1]:6640. + The --private-key, --certificate and either + of --ca-cert or --bootstrap-ca-cert options + are mandatory when this form is used.

  • - tcp:ip:port + tcp:host:port

    - Connect to the given TCP port on ip, where - ip can be IPv4 or IPv6 address. If ip is an - IPv6 address, then wrap ip with square brackets, e.g.: - tcp:[::1]:6640. + Connect to the given TCP port on host, where + host can be a DNS name (if built with unbound library) or + IP address (IPv4 or IPv6). If host is an IPv6 address, + then wrap host with square brackets, + e.g.: tcp:[::1]:6640.

  • diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 6aed6102a56..d6d70bedea9 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -2062,14 +2062,14 @@ The following connection methods are currently supported:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    The specified SSL port on the host at the given - ip, which must be expressed as an IP address - (not a DNS name). A valid SSL configuration must be provided - when this form is used, this configuration can be specified - via command-line options or the table. + host, which can either be a DNS name (if built with + unbound library) or an IP address. A valid SSL configuration must + be provided when this form is used, this configuration can be + specified via command-line options or the table.

    If port is not specified, it defaults to 6640. @@ -2080,30 +2080,29 @@

    -
    tcp:ip[:port]
    +
    tcp:host[:port]

    The specified TCP port on the host at the given - ip, which must be expressed as an IP address (not a - DNS name), where ip can be IPv4 or IPv6 address. If - ip is an IPv6 address, wrap it in square brackets, - e.g. tcp:[::1]:6640. + host, which can either be a DNS name (if built with + unbound library) or an IP address. If host is an IPv6 + address, wrap it in square brackets, e.g. tcp:[::1]:6640.

    If port is not specified, it defaults to 6640.

    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 - address, wrap in square brackets, - e.g. pssl:6640:[::1]. If ip is not + choose an available port. If host, which can either + be a DNS name (if built with unbound library) or an IP address, + is specified, then connections are restricted to the resolved or + specified local IPaddress (either IPv4 or IPv6 address). If + host is an IPv6 address, wrap in square brackets, + e.g. pssl:6640:[::1]. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. A valid SSL configuration must be provided when this form is used, this can be specified either via command-line options or the @@ -2117,17 +2116,17 @@ part of Open vSwitch.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]

    Listens for connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 - address, wrap it in square brackets, - e.g. ptcp:6640:[::1]. If ip is not + choose an available port. If host, which can either + be a DNS name (if built with unbound library) or an IP address, + is specified, then connections are restricted to the resolved or + specified local IP address (either IPv4 or IPv6 address). If + host is an IPv6 address, wrap it in square brackets, + e.g. ptcp:6640:[::1]. If host is not specified then it listens only on IPv4 addresses.

    diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml index b17110e4832..f9724d398ce 100644 --- a/ovn/ovn-sb.xml +++ b/ovn/ovn-sb.xml @@ -2840,14 +2840,14 @@ tcp.flags = RST; The following connection methods are currently supported:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    - The specified SSL port on the host at the given - ip, which must be expressed as an IP address - (not a DNS name). A valid SSL configuration must be provided - when this form is used, this configuration can be specified - via command-line options or the table. + The specified SSL port on the given host, + which can either be a DNS name (if built with unbound library) or + an IP address. A valid SSL configuration must be provided when + this form is used, this configuration can be specified via + command-line options or the table.

    If port is not specified, it defaults to 6640. @@ -2858,30 +2858,29 @@ tcp.flags = RST;

    -
    tcp:ip[:port]
    +
    tcp:host[:port]

    - The specified TCP port on the host at the given - ip, which must be expressed as an IP address (not a - DNS name), where ip can be IPv4 or IPv6 address. If - ip is an IPv6 address, wrap it in square brackets, - e.g. tcp:[::1]:6640. + The specified TCP port on the given host, + which can either be a DNS name (if built with unbound library) or + an IP address (IPv4 or IPv6). If host is an IPv6 + address, wrap it in square brackets, e.g. tcp:[::1]:6640.

    If port is not specified, it defaults to 6640.

    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 - address, wrap in square brackets, - e.g. pssl:6640:[::1]. If ip is not + choose an available port. If host, which can either + be a DNS name (if built with unbound library) or an IP address, + is specified, then connections are restricted to the resolved or + specified local IP address (either IPv4 or IPv6 address). If + host is an IPv6 address, wrap in square brackets, + e.g. pssl:6640:[::1]. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. A valid SSL configuration must be provided when this form is used, this can be specified either via command-line options or the @@ -2895,17 +2894,17 @@ tcp.flags = RST; part of Open vSwitch.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]

    Listens for connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 - address, wrap it in square brackets, - e.g. ptcp:6640:[::1]. If ip is not + choose an available port. If host, which can either + be a DNS name (if built with unbound library) or an IP address, + is specified, then connections are restricted to the resolved or + specified local IP address (either IPv4 or IPv6 address). If + host is an IPv6 address, wrap it in square brackets, + e.g. ptcp:6640:[::1]. If host is not specified then it listens only on IPv4 addresses.

    diff --git a/python/ovs/stream.py b/python/ovs/stream.py index d6c447a9736..5996497a50c 100644 --- a/python/ovs/stream.py +++ b/python/ovs/stream.py @@ -702,8 +702,8 @@ def usage(name): return """ Active %s connection methods: unix:FILE Unix domain socket named FILE - tcp:IP:PORT TCP socket to IP with port no of PORT - ssl:IP:PORT SSL socket to IP with port no of PORT + tcp:HOST:PORT TCP socket to HOST with port no of PORT + ssl:HOST:PORT SSL socket to HOST with port no of PORT Passive %s connection methods: punix:FILE Listen on Unix domain socket FILE""" % (name, name) diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 2b01c5768e9..8c18d39c20f 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -87,8 +87,9 @@ BuildRequires: libpcap-devel numactl-devel BuildRequires: dpdk-devel >= 17.05.1 Provides: %{name}-dpdk = %{version}-%{release} %endif +BuildRequires: unbound unbound-devel -Requires: openssl hostname iproute module-init-tools +Requires: openssl hostname iproute module-init-tools unbound #Upstream kernel commit 4f647e0a3c37b8d5086214128614a136064110c3 #Requires: kernel >= 3.15.0-0 diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in index 9dca3873beb..43121429d18 100644 --- a/rhel/openvswitch.spec.in +++ b/rhel/openvswitch.spec.in @@ -38,6 +38,7 @@ BuildRequires: openssl-devel BuildRequires: checkpolicy, selinux-policy-devel BuildRequires: autoconf, automake, libtool BuildRequires: python-sphinx +BuildRequires: unbound-devel %bcond_without check %bcond_with check_datapath_kernel diff --git a/vswitchd/ovs-vswitchd.c b/vswitchd/ovs-vswitchd.c index 46da45db9c7..71919693730 100644 --- a/vswitchd/ovs-vswitchd.c +++ b/vswitchd/ovs-vswitchd.c @@ -51,6 +51,7 @@ #include "openvswitch/vconn.h" #include "openvswitch/vlog.h" #include "lib/vswitch-idl.h" +#include "lib/dns-resolve.h" VLOG_DEFINE_THIS_MODULE(vswitchd); @@ -81,6 +82,7 @@ main(int argc, char *argv[]) set_program_name(argv[0]); ovsthread_id_init(); + dns_resolve_init(true); ovs_cmdl_proctitle_init(argc, argv); service_start(&argc, &argv); remote = parse_options(argc, argv, &unixctl_path); @@ -141,6 +143,7 @@ main(int argc, char *argv[]) service_stop(); vlog_disable_async(); ovsrcu_exit(); + dns_resolve_destroy(); return 0; } diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 76094852d4e..8f4263d1691 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -4431,26 +4431,25 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ controllers:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    The specified SSL port on the host at the - given ip, which must be expressed as an IP - address (not a DNS name). The column in the - table must point to a valid SSL configuration when this form - is used.

    + given host, which can either be a DNS name (if built + with unbound library) or an IP address. The column in the table must + point to a valid SSL configuration when this form is used.

    If port is not specified, it defaults to 6653.

    SSL support is an optional feature that is not always built as part of Open vSwitch.

    -
    tcp:ip[:port]
    +
    tcp:host[:port]

    The specified TCP port on the host at the given - ip, which must be expressed as an IP address (not a - DNS name), where ip can be IPv4 or IPv6 address. If - ip is an IPv6 address, wrap it in square brackets, - e.g. tcp:[::1]:6653. + host, which can either be a DNS name (if built with + unbound library) or an IP address (IPv4 or IPv6). If host + is an IPv6 address, wrap it in square brackets, e.g. + tcp:[::1]:6653.

    If port is not specified, it defaults to 6653. @@ -4462,19 +4461,19 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ controllers:

    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port. - If ip, which must be expressed as an IP address (not a - DNS name), is specified, then connections are restricted to the - specified local IP address (either IPv4 or IPv6). If - ip is an IPv6 address, wrap it in square brackets, - e.g. pssl:6653:[::1]. + If host, which can either be a DNS name (if built with + unbound library) or an IP address, is specified, then connections + are restricted to the resolved or specified local IP address + (either IPv4 or IPv6). If host is an IPv6 address, + wrap it in square brackets, e.g. pssl:6653:[::1].

    If port is not specified, it defaults to - 6653. If ip is not specified then it listens only on + 6653. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. The column in the table must point to a @@ -4488,16 +4487,17 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ part of Open vSwitch.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]

    Listens for connections on the specified TCP port. If - ip, which must be expressed as an IP address (not a - DNS name), is specified, then connections are restricted to the - specified local IP address (either IPv4 or IPv6). If - ip is an IPv6 address, wrap it in square brackets, - e.g. ptcp:6653:[::1]. If ip is not - specified then it listens only on IPv4 addresses. + host, which can either be a DNS name (if built with + unbound library) or an IP address, is specified, then connections + are restricted to the resolved or specified local IP address + (either IPv4 or IPv6). If host is an IPv6 address, wrap + it in square brackets, e.g. ptcp:6653:[::1]. If + host is not specified then it listens only on IPv4 + addresses.

    If port is not specified, it defaults to 6653. @@ -4834,12 +4834,12 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ The following connection methods are currently supported:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    The specified SSL port on the host at the given - ip, which must be expressed as an IP address - (not a DNS name). The host, which can either be a DNS name (if built with + unbound library) or an IP address. The column in the table must point to a valid SSL configuration when this form is used. @@ -4853,30 +4853,30 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \

    -
    tcp:ip[:port]
    +
    tcp:host[:port]

    The specified TCP port on the host at the given - ip, which must be expressed as an IP address (not a - DNS name), where ip can be IPv4 or IPv6 address. If - ip is an IPv6 address, wrap it in square brackets, - e.g. tcp:[::1]:6640. + host, which can either be a DNS name (if built with + unbound library) or an IP address (IPv4 or IPv6). If host + is an IPv6 address, wrap it in square brackets, e.g. + tcp:[::1]:6640.

    If port is not specified, it defaults to 6640.

    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 - address, wrap in square brackets, - e.g. pssl:6640:[::1]. If ip is not + choose an available port. If host, which can either + be a DNS name (if built with unbound library) or an IP address, + is specified, then connections are restricted to the resolved or + specified local IP address (either IPv4 or IPv6 address). If + host is an IPv6 address, wrap in square brackets, + e.g. pssl:6640:[::1]. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. The column in the table must point to a valid SSL @@ -4890,17 +4890,17 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ part of Open vSwitch.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]

    Listens for connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 - address, wrap it in square brackets, - e.g. ptcp:6640:[::1]. If ip is not + choose an available port. If host, which can either + be a DNS name (if built with unbound library) or an IP address, + is specified, then connections are restricted to the resolved or + specified local IP address (either IPv4 or IPv6 address). If + host is an IPv6 address, wrap it in square brackets, + e.g. ptcp:6640:[::1]. If host is not specified then it listens only on IPv4 addresses.

    diff --git a/vtep/vtep.xml b/vtep/vtep.xml index 62075ca882d..927efed5fa6 100644 --- a/vtep/vtep.xml +++ b/vtep/vtep.xml @@ -116,12 +116,12 @@ The following connection methods are currently supported:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    - The specified SSL port (default: 6640) on the host at - the given ip, which must be expressed as an IP address - (not a DNS name). + The specified SSL port (default: 6640) on the given + host, which can either be a DNS name (if built with + unbound library) or an IP address.

    SSL key and certificate configuration happens outside the @@ -129,27 +129,29 @@

    -
    tcp:ip[:port]
    +
    tcp:host[:port]
    - The specified TCP port (default: 6640) on the host at - the given ip, which must be expressed as an IP address - (not a DNS name). + The specified TCP port (default: 6640) on the given + host, which can either be a DNS name (if built with + unbound library) or an IP address.
    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port - (default: 6640). If ip, which must be expressed as an - IP address (not a DNS name), is specified, then connections are - restricted to the specified local IP address. + (default: 6640). If host, which can either be a DNS + name (if built with unbound library) or an IP address, is + specified, then connections are restricted to the resolved or + specified local IP address.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]
    Listens for connections on the specified TCP port - (default: 6640). If ip, which must be expressed as an - IP address (not a DNS name), is specified, then connections are - restricted to the specified local IP address. + (default: 6640). If host, which can either be a DNS + name (if built with unbound library) or an IP address, is + specified, then connections are restricted to the resolved or + specified local IP address.