Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2218113/?format=api
{ "id": 2218113, "url": "http://patchwork.ozlabs.org/api/patches/2218113/?format=api", "web_url": "http://patchwork.ozlabs.org/project/openvswitch/patch/ac733944f5344be527d5484c47d9eea2a1e9c03e.1774960196.git.tredaelli@redhat.com/", "project": { "id": 47, "url": "http://patchwork.ozlabs.org/api/projects/47/?format=api", "name": "Open vSwitch", "link_name": "openvswitch", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "git@github.com:openvswitch/ovs.git", "webscm_url": "https://github.com/openvswitch/ovs", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<ac733944f5344be527d5484c47d9eea2a1e9c03e.1774960196.git.tredaelli@redhat.com>", "list_archive_url": null, "date": "2026-03-31T12:34:21", "name": "[ovs-dev,v2,1/5] stream: Add \"pfd:\" passive stream for pre-opened file descriptors.", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "078bdb237a507e5f04d0e2ca8f26a98b81bb64cf", "submitter": { "id": 70949, "url": "http://patchwork.ozlabs.org/api/people/70949/?format=api", "name": "Timothy Redaelli", "email": "tredaelli@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/openvswitch/patch/ac733944f5344be527d5484c47d9eea2a1e9c03e.1774960196.git.tredaelli@redhat.com/mbox/", "series": [ { "id": 498188, "url": "http://patchwork.ozlabs.org/api/series/498188/?format=api", "web_url": "http://patchwork.ozlabs.org/project/openvswitch/list/?series=498188", "date": "2026-03-31T12:34:22", "name": "Add systemd socket activation for ovsdb-server", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/498188/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2218113/comments/", "check": "warning", "checks": "http://patchwork.ozlabs.org/api/patches/2218113/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "ovs-dev@lists.linuxfoundation.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=OuDJnmJ4;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=140.211.166.136; helo=smtp3.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)", "smtp3.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=OuDJnmJ4", "smtp2.osuosl.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com", "smtp2.osuosl.org;\n dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com\n header.a=rsa-sha256 header.s=mimecast20190719 header.b=OuDJnmJ4" ], "Received": [ "from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4flSHt0z7Xz1yGT\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 31 Mar 2026 23:35:06 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id B03C560F61;\n\tTue, 31 Mar 2026 12:35:03 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Ckti35mlAUBZ; Tue, 31 Mar 2026 12:35:02 +0000 (UTC)", "from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp3.osuosl.org (Postfix) with ESMTPS id 6004360F6E;\n\tTue, 31 Mar 2026 12:35:02 +0000 (UTC)", "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 37E1FC054B;\n\tTue, 31 Mar 2026 12:35:02 +0000 (UTC)", "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 12BB0C054D\n for <dev@openvswitch.org>; Tue, 31 Mar 2026 12:35:00 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id CBBBE40691\n for <dev@openvswitch.org>; Tue, 31 Mar 2026 12:34:59 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 5oMw8WGsbpoH for <dev@openvswitch.org>;\n Tue, 31 Mar 2026 12:34:58 +0000 (UTC)", "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.133.124])\n by smtp2.osuosl.org (Postfix) with ESMTPS id A8B7940692\n for <dev@openvswitch.org>; Tue, 31 Mar 2026 12:34:58 +0000 (UTC)", "from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-556-wibR8qcLP1OzKM8FUhVflw-1; Tue,\n 31 Mar 2026 08:34:53 -0400", "from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 07E581956065; Tue, 31 Mar 2026 12:34:52 +0000 (UTC)", "from aldebaran.char-dominant.ts.net (unknown [10.44.32.65])\n by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id C9B191955F42; Tue, 31 Mar 2026 12:34:50 +0000 (UTC)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections -\n client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 6004360F6E", "OpenDKIM Filter v2.11.0 smtp2.osuosl.org A8B7940692" ], "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124;\n helo=us-smtp-delivery-124.mimecast.com; envelope-from=tredaelli@redhat.com;\n receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp2.osuosl.org A8B7940692", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1774960497;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=KVYzjT/VmK5pDXTQZQ1N+3KkDBJj3laStxGErcCzKnk=;\n b=OuDJnmJ4BO9wyojtu9l2WASRga8wdvKn+mR7oyyBamqCYPaQbxyThygGO2hnIIOB9fTEtx\n WA92qOETliGn8ggGVSAcJRoaXRM/6AFdhKt/Vqr5zra6pqT27J8rm33HvLTXjz6gXgxLaL\n F3D0gja5wrvM4omgaik7Avq2fWQylus=", "X-MC-Unique": "wibR8qcLP1OzKM8FUhVflw-1", "X-Mimecast-MFC-AGG-ID": "wibR8qcLP1OzKM8FUhVflw_1774960492", "To": "dev@openvswitch.org", "Date": "Tue, 31 Mar 2026 14:34:21 +0200", "Message-ID": "\n <ac733944f5344be527d5484c47d9eea2a1e9c03e.1774960196.git.tredaelli@redhat.com>", "In-Reply-To": "<cover.1774960196.git.tredaelli@redhat.com>", "References": "<cover.1774960196.git.tredaelli@redhat.com>", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 3.0 on 10.30.177.12", "X-Mimecast-Spam-Score": "0", "X-Mimecast-MFC-PROC-ID": "CEo0vcT64KqmAzgAkyYRG1d1A0jfBVKPXvX_X_iTwcs_1774960492", "X-Mimecast-Originator": "redhat.com", "Subject": "[ovs-dev] [PATCH v2 1/5] stream: Add \"pfd:\" passive stream for\n pre-opened file descriptors.", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "From": "Timothy Redaelli via dev <ovs-dev@openvswitch.org>", "Reply-To": "Timothy Redaelli <tredaelli@redhat.com>", "Cc": "Lubomir Rintel <lkundrak@v3.sk>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "ovs-dev-bounces@openvswitch.org", "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>" }, "content": "Add a new \"pfd:\" passive stream class that accepts a pre-opened file\ndescriptor number. This is the core building block for systemd socket\nactivation, where systemd opens and binds the listening socket before\nstarting the service.\n\nThe pfd_open() function validates that the file descriptor refers to\na listening stream socket via getsockopt(SO_TYPE) and\ngetsockopt(SO_ACCEPTCONN), sets it non-blocking, and wraps it in an\nfd_pstream. Unlike punix:, the unlink_path is NULL because the\nservice does not own the socket file. Use str_to_long() for parsing\nthe file descriptor number.\n\nFor security, pfd: remotes are restricted to the command line\n(--remote=pfd:N). Runtime addition via ovsdb-server/add-remote or\nthe database is rejected at three entry points\n(ovsdb_server_add_remote, add_manager_options, query_db_remotes),\npreventing an attacker with database write access from hijacking\narbitrary file descriptors.\n\nReported-at: https://issues.redhat.com/browse/FDP-3413\nCo-authored-by: Lubomir Rintel <lkundrak@v3.sk>\nSigned-off-by: Lubomir Rintel <lkundrak@v3.sk>\nSigned-off-by: Timothy Redaelli <tredaelli@redhat.com>\n---\n Documentation/ref/ovsdb.7.rst | 12 ++++++++\n lib/stream-provider.h | 1 +\n lib/stream-unix.c | 52 +++++++++++++++++++++++++++++++++++\n lib/stream.c | 5 ++++\n ovsdb/ovsdb-server.c | 23 +++++++++++++++-\n 5 files changed, 92 insertions(+), 1 deletion(-)", "diff": "diff --git a/Documentation/ref/ovsdb.7.rst b/Documentation/ref/ovsdb.7.rst\nindex 42541dd7e..cf1ef3736 100644\n--- a/Documentation/ref/ovsdb.7.rst\n+++ b/Documentation/ref/ovsdb.7.rst\n@@ -709,6 +709,18 @@ punix:<file>\n <file> to mimic the behavior of a Unix domain socket. The ACLs of the named\n pipe include LocalSystem, Administrators, and Creator Owner.\n \n+pfd:<fd>\n+ Listen on a pre-opened file descriptor <fd>. The file descriptor must\n+ refer to a bound, listening Unix domain stream socket. This is intended\n+ for use with systemd socket activation, where systemd opens the socket\n+ and passes it to the service.\n+\n+ For security, ``pfd:`` may only be specified on the command line\n+ (``--remote=pfd:<fd>``). It is rejected if added at runtime via\n+ ``ovsdb-server/add-remote`` or through the database.\n+\n+ This connection method is not supported on Windows.\n+\n All IP-based connection methods accept IPv4 and IPv6 addresses. To specify an\n IPv6 address, wrap it in square brackets, e.g. ``ssl:[::1]:6640``. Passive\n IP-based connection methods by default listen for IPv4 connections only; use\ndiff --git a/lib/stream-provider.h b/lib/stream-provider.h\nindex 44e3c6431..ddd468b09 100644\n--- a/lib/stream-provider.h\n+++ b/lib/stream-provider.h\n@@ -195,6 +195,7 @@ extern const struct pstream_class ptcp_pstream_class;\n #ifndef _WIN32\n extern const struct stream_class unix_stream_class;\n extern const struct pstream_class punix_pstream_class;\n+extern const struct pstream_class pfd_pstream_class;\n #else\n extern const struct stream_class windows_stream_class;\n extern const struct pstream_class pwindows_pstream_class;\ndiff --git a/lib/stream-unix.c b/lib/stream-unix.c\nindex d265efb83..2374d0fbf 100644\n--- a/lib/stream-unix.c\n+++ b/lib/stream-unix.c\n@@ -136,3 +136,55 @@ const struct pstream_class punix_pstream_class = {\n NULL,\n };\n \n+/* Pre-opened file descriptor passive stream.\n+ *\n+ * Used for systemd socket activation: systemd opens and binds the socket,\n+ * then passes it to the service as a pre-opened file descriptor. */\n+\n+static int\n+pfd_open(const char *name, char *suffix,\n+ struct pstream **pstreamp, uint8_t dscp OVS_UNUSED)\n+{\n+ long fd;\n+\n+ if (!str_to_long(suffix, 10, &fd) || fd < 0) {\n+ VLOG_ERR(\"%s: bad file descriptor\", name);\n+ return EINVAL;\n+ }\n+\n+ /* Verify it is a listening stream socket. */\n+ int sock_type;\n+ socklen_t len = sizeof sock_type;\n+ if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &sock_type, &len)) {\n+ VLOG_ERR(\"%s: not a socket (%s)\", name, ovs_strerror(errno));\n+ return errno;\n+ }\n+ if (sock_type != SOCK_STREAM) {\n+ VLOG_ERR(\"%s: not a stream socket (type %d)\", name, sock_type);\n+ return EINVAL;\n+ }\n+ int listening;\n+ len = sizeof listening;\n+ if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &listening, &len)\n+ || !listening) {\n+ VLOG_ERR(\"%s: not a listening socket\", name);\n+ return EINVAL;\n+ }\n+\n+ int error = set_nonblocking(fd);\n+ if (error) {\n+ return error;\n+ }\n+\n+ return new_fd_pstream(xstrdup(name), fd, punix_accept, NULL, pstreamp);\n+}\n+\n+const struct pstream_class pfd_pstream_class = {\n+ \"pfd\",\n+ false,\n+ pfd_open,\n+ NULL,\n+ NULL,\n+ NULL,\n+};\n+\ndiff --git a/lib/stream.c b/lib/stream.c\nindex feaa1cb2d..b3b21588a 100644\n--- a/lib/stream.c\n+++ b/lib/stream.c\n@@ -69,6 +69,7 @@ static const struct pstream_class *pstream_classes[] = {\n &ptcp_pstream_class,\n #ifndef _WIN32\n &punix_pstream_class,\n+ &pfd_pstream_class,\n #else\n &pwindows_pstream_class,\n #endif\n@@ -147,6 +148,10 @@ stream_usage(const char *name, bool active, bool passive,\n #endif\n printf(\" punix:FILE \"\n \"listen on Unix domain socket FILE\\n\");\n+#ifndef _WIN32\n+ printf(\" pfd:FD \"\n+ \"listen on pre-opened file descriptor FD\\n\");\n+#endif\n }\n \n #ifdef HAVE_OPENSSL\ndiff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c\nindex 7c3a5ef11..2af62071e 100644\n--- a/ovsdb/ovsdb-server.c\n+++ b/ovsdb/ovsdb-server.c\n@@ -1425,6 +1425,12 @@ add_manager_options(struct shash *remotes, const struct ovsdb_row *row)\n return;\n }\n \n+ if (!strncmp(\"pfd:\", target, 4)) {\n+ VLOG_WARN_RL(&rl, \"pfd: remotes can only be specified on the \"\n+ \"command line; ignoring \\\"%s\\\" from database\", target);\n+ return;\n+ }\n+\n options = add_remote(remotes, target, NULL);\n if (ovsdb_util_read_integer_column(row, \"max_backoff\", &max_backoff)) {\n options->rpc.max_backoff = max_backoff;\n@@ -1485,7 +1491,16 @@ query_db_remotes(const char *name, const struct shash *all_dbs,\n \n datum = &row->fields[column->index];\n for (i = 0; i < datum->n; i++) {\n- add_remote(remotes, json_string(datum->keys[i].s), NULL);\n+ const char *t = json_string(datum->keys[i].s);\n+ if (!strncmp(\"pfd:\", t, 4)) {\n+ static struct vlog_rate_limit pfd_rl\n+ = VLOG_RATE_LIMIT_INIT(1, 1);\n+ VLOG_WARN_RL(&pfd_rl, \"pfd: remotes can only be \"\n+ \"specified on the command line; ignoring \"\n+ \"\\\"%s\\\" from database\", t);\n+ continue;\n+ }\n+ add_remote(remotes, t, NULL);\n }\n }\n } else if (column->type.key.type == OVSDB_TYPE_UUID\n@@ -2291,6 +2306,12 @@ ovsdb_server_add_remote(struct unixctl_conn *conn, int argc OVS_UNUSED,\n return;\n }\n \n+ if (!strncmp(\"pfd:\", remote, 4)) {\n+ unixctl_command_reply_error(conn,\n+ \"pfd: remotes can only be specified on the command line\");\n+ return;\n+ }\n+\n retval = (strncmp(\"db:\", remote, 3)\n ? NULL\n : parse_db_column(config->all_dbs, remote,\n", "prefixes": [ "ovs-dev", "v2", "1/5" ] }