From patchwork Mon Jan 22 17:20:36 2018
X-Patchwork-Submitter: Yifeng Sun
X-Patchwork-Id: 864481
From: Yifeng Sun
To: dev@openvswitch.org
Date: Mon, 22 Jan 2018 09:20:36 -0800
Message-Id: <1516641636-17122-1-git-send-email-pkusunyifeng@gmail.com>
X-Mailer: git-send-email 2.7.4
Subject: [ovs-dev] [PATCHv4] DNS: Add basic support for asynchronous DNS resolving

This patch is a simple implementation for the proposal discussed in
https://mail.openvswitch.org/pipermail/ovs-dev/2017-August/337038.html and
https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/340013.html.
It enables ovs-vswitchd and other utilities to use DNS names when
specifying OpenFlow and OVSDB remotes. Below are some of the features and
limitations of this patch:

- Resolving is asynchronous in daemon context, avoiding blocking main loop;
- Resolving is synchronous in general utility context;
- Both IPv4 and IPv6 are supported;
- The resolving API is thread-safe;
- Depends on the unbound library;
- When multiple ip addresses are returned, only the first one is used;
- /etc/nsswitch.conf isn't respected as unbound library doesn't look at it;
- For async-resolving, caller needs to retry later; there is no callback.
Signed-off-by: Yifeng Sun
---
v1 -> v2: refactored and improved code based on reviewer's comments.
v2 -> v3: added commit message.
v3 -> v4: added synchronous resolving for utilities. made fixes and documented changes based on reviewer's comments.

 Documentation/intro/install/general.rst | 4 +
 Documentation/ref/ovsdb.7.rst | 20 +-
 NEWS | 7 +-
 configure.ac | 1 +
 debian/control | 4 +-
 lib/automake.mk | 10 +
 lib/dns-resolve-stub.c | 36 +++
 lib/dns-resolve.c | 307 ++++++++++++++++++++++++++
 lib/dns-resolve.h | 26 +++
 lib/socket-util.c | 50 ++++-
 lib/stream.c | 16 +-
 lib/vconn-active.man | 10 +-
 lib/vconn-passive.man | 10 +-
 lib/vconn.c | 16 +-
 m4/openvswitch.m4 | 10 +
 ovn/controller-vtep/ovn-controller-vtep.8.xml | 27 ++-
 ovn/ovn-nb.xml | 41 ++--
 ovn/ovn-sb.xml | 45 ++--
 python/ovs/stream.py | 4 +-
 rhel/openvswitch-fedora.spec.in | 3 +-
 rhel/openvswitch.spec.in | 1 +
 vswitchd/ovs-vswitchd.c | 3 +
 vswitchd/vswitch.xml | 81 ++++---
 vtep/vtep.xml | 30 ++-
 24 files changed, 596 insertions(+), 166 deletions(-)
 create mode 100644 lib/dns-resolve-stub.c
 create mode 100644 lib/dns-resolve.c
 create mode 100644 lib/dns-resolve.h

diff --git a/Documentation/intro/install/general.rst b/Documentation/intro/install/general.rst index deba3eb08fbd..011e3167a0ea 100644 --- a/Documentation/intro/install/general.rst +++ b/Documentation/intro/install/general.rst @@ -93,6 +93,10 @@ need the following software: - Python 2.7. You must also have the Python ``six`` library version 1.4.0 or later. +- Unbound library, from http://www.unbound.net, is optional but recommended if + you want to enable ovs-vswitchd and other utilities to use DNS names when + specifying OpenFlow and OVSDB remotes. If unbound library is already + installed, then Open vSwitch will automatically build with support for it. On Linux, you may choose to compile the kernel module that comes with the Open vSwitch distribution or to use the kernel module built into the Linux kernel
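Review bot: The general.rst hunk is the only user-facing text that describes the unbound dependency, but the limitations listed in the commit message (only the first returned address is used, /etc/nsswitch.conf is ignored, asynchronous callers must retry) never reach a user who installs from the documentation; add a sentence here, or in ovsdb.7.rst next to "DNS names are also accepted", so operators know that name resolution bypasses nsswitch and that a daemon may connect only after the lookup completes.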
diff --git a/Documentation/ref/ovsdb.7.rst b/Documentation/ref/ovsdb.7.rst index 25a6e5fc36ed..1b3e7d66f515 100644 --- a/Documentation/ref/ovsdb.7.rst +++ b/Documentation/ref/ovsdb.7.rst @@ -232,11 +232,11 @@ the opposite arrangement as well. OVSDB supports the following active connection methods: -ssl:: - The specified SSL or TLS on the host at the given . +ssl:: + The specified SSL or TLS on the given . -tcp:: - The specified TCP on the host at the given . +tcp:: + The specified TCP on the given . unix: On Unix-like systems, connect to the Unix domain server socket named @@ -247,15 +247,15 @@ unix: OVSDB supports the following passive connection methods: -pssl:[:] +pssl:[:] Listen on the given TCP for SSL or TLS connections. By default, connections are not bound to a particular local IP address. Specifying - limits connections to those from the given IP. + limits connections to those from the IP. -ptcp:[:] +ptcp:[:] Listen on the given TCP . By default, connections are not bound to a - particular local IP address. Specifying limits connections to those - from the given IP. + particular local IP address. Specifying limits connections to those + from the IP. punix: On Unix-like systems, listens for connections on the Unix domain socket @@ -268,7 +268,7 @@ All IP-based connection methods accept IPv4 and IPv6 addresses. To specify an IPv6 address, wrap it in square brackets, e.g. ``ssl:[::1]:6640``. Passive IP-based connection methods by default listen for IPv4 connections only; use ``[::]`` as the address to accept both IPv4 and IPv6 connections, -e.g. ``pssl:6640:[::]``. DNS names are not accepted. On Linux, use +e.g. ``pssl:6640:[::]``. DNS names are also accepted. On Linux, use ``%`` to designate a scope for IPv6 link-level addresses, e.g. ``ssl:[fe80::1234%eth0]:6653``. diff --git a/NEWS b/NEWS index c067b9462f2d..ded670651192 100644 --- a/NEWS +++ b/NEWS 
@@ -1,7 +1,10 @@ Post-v2.9.0 -------------------- - - Nothing yet. - + - DNS resolving support: + * Add support for asynchronous DNS resolving that enables ovs-vswitchd + to use DNS names when specifying OpenFlow and OVSDB remotes. + * Add support for synchronous DNS resolving that enables utility clients + to use DNS names when specifying OpenFlow and OVSDB remotes. v2.9.0 - xx xxx xxxx -------------------- diff --git a/configure.ac b/configure.ac index 84fed062cfa3..86dc983756fb 100644 --- a/configure.ac +++ b/configure.ac @@ -134,6 +134,7 @@ OVS_CHECK_LINUX_HOST OVS_LIBTOOL_VERSIONS OVS_CHECK_CXX AX_FUNC_POSIX_MEMALIGN +OVS_CHECK_UNBOUND OVS_CHECK_INCLUDE_NEXT([stdio.h string.h]) AC_CONFIG_FILES([ diff --git a/debian/control b/debian/control index a4c031d85f1b..9ae248f27898 100644 --- a/debian/control +++ b/debian/control @@ -16,7 +16,8 @@ Build-Depends: graphviz, python-all (>= 2.7), python-twisted-conch, python-zopeinterface, - python-six + python-six, + libunbound-dev Standards-Version: 3.9.3 Homepage: http://openvswitch.org/ @@ -307,6 +308,7 @@ Multi-Arch: same Depends: libopenvswitch (>= ${binary:Version}), libssl-dev, + libunbound-dev, ${misc:Depends} Conflicts: openvswitch-dev Replaces: openvswitch-dev diff --git a/lib/automake.mk b/lib/automake.mk index 4b38a11638f2..c56789d6c8f4 100644 --- a/lib/automake.mk +++ b/lib/automake.mk @@ -438,6 +438,16 @@ else lib_libopenvswitch_la_SOURCES += lib/stream-nossl.c endif +if HAVE_UNBOUND +lib_libopenvswitch_la_SOURCES += \ + lib/dns-resolve.h \ + lib/dns-resolve.c +else +lib_libopenvswitch_la_SOURCES += \ + lib/dns-resolve.h \ + lib/dns-resolve-stub.c +endif + pkgconfig_DATA += \ lib/libopenvswitch.pc \ lib/libsflow.pc diff --git a/lib/dns-resolve-stub.c b/lib/dns-resolve-stub.c new file mode 100644 index 000000000000..edf8337be1d9 --- /dev/null +++ b/lib/dns-resolve-stub.c 
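Review bot: In the debian/control Build-Depends hunk, libunbound-dev is added unconditionally, which makes the dependency mandatory for Debian builds while the general.rst hunk and OVS_CHECK_UNBOUND describe it as optional and auto-detected; if packaged builds are meant to always carry DNS support, state that in the commit message, otherwise drop it from Build-Depends. The second hunk adds libunbound-dev to the -dev package's Depends, yet the installed lib/dns-resolve.h exposes no unbound types, so that dependency is only needed if libopenvswitch.pc is intended to pull in -lunbound for consumers.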
@@ -0,0 +1,36 @@ +/* + * Copyright (c) 2017, 2018 Nicira, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include "dns-resolve.h" +#include "compiler.h" + +void +dns_resolve_init(void) +{ +} + +bool +dns_resolve(const char *name OVS_UNUSED, char **addr) +{ + *addr = NULL; + return false; +} + +void +dns_resolve_destroy(void) +{ +} diff --git a/lib/dns-resolve.c b/lib/dns-resolve.c new file mode 100644 index 000000000000..391d97948d77 --- /dev/null +++ b/lib/dns-resolve.c 
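Review bot: The stub's `dns_resolve_init(void)` in lib/dns-resolve-stub.c does not match the prototype `void dns_resolve_init(bool is_daemon);` declared in lib/dns-resolve.h, so a build without libunbound fails with conflicting types; change it to `void dns_resolve_init(bool is_daemon OVS_UNUSED)`. The stub's dns_resolve() correctly sets *addr = NULL before returning false, which matches the contract documented on the real implementation; keep that behaviour.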
@@ -0,0 +1,307 @@ +/* + * Copyright (c) 2017, 2018 Nicira, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include "dns-resolve.h" +#include +#include +#include +#include +#include +#include "hash.h" +#include "openvswitch/hmap.h" +#include "openvswitch/vlog.h" +#include "timeval.h" + +VLOG_DEFINE_THIS_MODULE(dns_resolve); + +/* Guard all_reqs__ and resolve_state of each request. */ +static struct ovs_mutex dns_mutex__ = OVS_MUTEX_INITIALIZER; +static struct hmap all_reqs__; +static struct ub_ctx *ub_ctx__; + +static bool thread_is_daemon; + +static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); + +enum resolve_state { + RESOLVE_INVALID, + RESOLVE_PENDING, + RESOLVE_GOOD, + RESOLVE_ERROR +}; + +struct resolve_request { + struct hmap_node hmap_node; /* node for all_reqs__ */ + char *name; /* the domain name to be resolved */ + char *addr; /* the resolved ip address */ + enum resolve_state state; /* state of this request */ + time_t time; /* resolving time */ + struct ub_result *ub_result; /* the stored unbound result */ +}; + +static struct resolve_request *resolve_find_or_new__(const char *name) + OVS_REQUIRES(dns_mutex__); +static bool resolve_check_expire__(struct resolve_request *req) + OVS_REQUIRES(dns_mutex__); +static bool resolve_check_valid__(struct resolve_request *req) + OVS_REQUIRES(dns_mutex__); +static bool resolve_async__(struct resolve_request *req, int qtype) + OVS_REQUIRES(dns_mutex__); +static void 
resolve_callback__(void *req, int err, struct ub_result *) + OVS_REQUIRES(dns_mutex__); +static bool resolve_result_to_addr__(struct ub_result *result, char **addr); +static bool dns_resolve_sync__(const char *name, char **addr); + +/* Pass a true 'is_daemon' if you don't want the DNS-resolving to block the + * running thread. + */ +void +dns_resolve_init(bool is_daemon) +{ + ub_ctx__ = ub_ctx_create(); + if (ub_ctx__ == NULL) { + VLOG_ERR_RL(&rl, "Failed to create libunbound context, " + "so asynchronous DNS resolving is disabled."); + return; + } + + int retval; +#ifdef __linux__ + retval = ub_ctx_resolvconf(ub_ctx__, "/etc/resolv.conf"); + if (retval != 0) { + VLOG_WARN_RL(&rl, "Failed to read /etc/resolv.conf: %s", + ub_strerror(retval)); + } +#endif + + /* Handles '/etc/hosts' on Linux and 'WINDIR/etc/hosts' on Windows. */ + retval = ub_ctx_hosts(ub_ctx__, NULL); + if (retval != 0) { + VLOG_WARN_RL(&rl, "Failed to read etc/hosts: %s", ub_strerror(retval)); + } + + ub_ctx_async(ub_ctx__, true); + hmap_init(&all_reqs__); + thread_is_daemon = is_daemon; +} + +/* Returns true on success. Otherwise, returns false and the error information + * can be found in logs. If there is no error information, then the resolving + * is in process and the caller should call again later. The value of '*addr' + * is always nullified if false is returned. If this function is called under + * daemon-context, the resolving will undergo asynchronously. Otherwise, a + * synchronouse resolving will take place. + * + * This function is thread-safe. + * + * The caller is responsible for freeing the returned '*addr'. + */ +bool +dns_resolve(const char *name, char **addr) + OVS_EXCLUDED(dns_mutex__) +{ + bool success = false; + + if (!thread_is_daemon) { + return dns_resolve_sync__(name, addr); + } + + *addr = NULL; + ovs_mutex_lock(&dns_mutex__); + + if (ub_ctx__ == NULL) { + goto unlock; + } + + /* ub_process is inside lock as it invokes resolve_callback__. 
*/ + int retval = ub_process(ub_ctx__); + if (retval != 0) { + VLOG_ERR_RL(&rl, "dns-resolve error: %s", ub_strerror(retval)); + goto unlock; + } + + struct resolve_request *req; + req = resolve_find_or_new__(name); + if (resolve_check_valid__(req)) { + *addr = xstrdup(req->addr); + success = true; + } else if (req->state != RESOLVE_PENDING) { + req->time = time_now(); + success = resolve_async__(req, ns_t_a); + } +unlock: + ovs_mutex_unlock(&dns_mutex__); + return success; +} + +void +dns_resolve_destroy(void) +{ + if (ub_ctx__ != NULL) { + /* Outstanding requests will be killed. */ + ub_ctx_delete(ub_ctx__); + ub_ctx__ = NULL; + + struct resolve_request *req; + HMAP_FOR_EACH (req, hmap_node, &all_reqs__) { + ub_resolve_free(req->ub_result); + free(req->addr); + free(req->name); + free(req); + } + hmap_destroy(&all_reqs__); + } +} + +static struct resolve_request * +resolve_find_or_new__(const char *name) + OVS_REQUIRES(dns_mutex__) +{ + struct resolve_request *req; + + HMAP_FOR_EACH_IN_BUCKET (req, hmap_node, hash_string(name, 0), + &all_reqs__) { + if (!strcmp(name, req->name)) { + return req; + } + } + + req = xzalloc(sizeof *req); + req->name = xstrdup(name); + req->state = RESOLVE_INVALID; + hmap_insert(&all_reqs__, &req->hmap_node, hash_string(req->name, 0)); + return req; +} + +static bool +resolve_check_expire__(struct resolve_request *req) + OVS_REQUIRES(dns_mutex__) +{ + return time_now() > req->time + req->ub_result->ttl; +} + +static bool +resolve_check_valid__(struct resolve_request *req) + OVS_REQUIRES(dns_mutex__) +{ + return (req != NULL + && req->state == RESOLVE_GOOD + && !resolve_check_expire__(req)); +} + +static bool +resolve_async__(struct resolve_request *req, int qtype) + OVS_REQUIRES(dns_mutex__) +{ + if (qtype == ns_t_a || qtype == ns_t_aaaa) { + int retval; + retval = ub_resolve_async(ub_ctx__, req->name, + qtype, ns_c_in, req, + resolve_callback__, NULL); + if (retval != 0) { + req->state = RESOLVE_ERROR; + return false; + } else { + 
req->state = RESOLVE_PENDING; + return true; + } + } + return false; +} + +static void +resolve_callback__(void *req_, int err, struct ub_result *result) + OVS_REQUIRES(dns_mutex__) +{ + struct resolve_request *req = req_; + + if (err != 0 || (result->qtype == ns_t_aaaa && !result->havedata)) { + req->state = RESOLVE_ERROR; + VLOG_ERR_RL(&rl, "%s: failed to resolve", req->name); + return; + } + + /* IPv4 address is empty, try IPv6. */ + if (result->qtype == ns_t_a && !result->havedata) { + ub_resolve_free(result); + resolve_async__(req, ns_t_aaaa); + return; + } + + char *addr; + if (!resolve_result_to_addr__(result, &addr)) { + req->state = RESOLVE_ERROR; + VLOG_ERR_RL(&rl, "%s: failed to resolve", req->name); + return; + } + + ub_resolve_free(req->ub_result); + free(req->addr); + + req->ub_result = result; + req->addr = addr; + req->state = RESOLVE_GOOD; +} + +static bool +resolve_result_to_addr__(struct ub_result *result, char **addr) +{ + int af = result->qtype == ns_t_a ? AF_INET : AF_INET6; + char buffer[INET6_ADDRSTRLEN]; + + /* XXX: only the first returned IP is used. */ + if (inet_ntop(af, result->data[0], buffer, sizeof buffer)) { + *addr = xstrdup(buffer); + } else { + *addr = NULL; + } + + return (*addr != NULL); +} + +static bool +dns_resolve_sync__(const char *name, char **addr) +{ + *addr = NULL; + + if (ub_ctx__ == NULL) { + dns_resolve_init(false); + if (ub_ctx__ == NULL) { + return false; + } + } + + struct ub_result *result; + int retval = ub_resolve(ub_ctx__, name, ns_t_a, ns_c_in, &result); + if (retval != 0) { + return false; + } else if (!result->havedata) { + ub_resolve_free(result); + + retval = ub_resolve(ub_ctx__, name, ns_t_aaaa, ns_c_in, &result); + if (retval != 0) { + return false; + } else if (!result->havedata) { + ub_resolve_free(result); + return false; + } + } + + bool success = resolve_result_to_addr__(result, addr); + ub_resolve_free(result); + return success; +} 
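Review bot: In dns_resolve(), `success = resolve_async__(req, ns_t_a);` returns true while *addr is still NULL, contradicting the function comment ("Returns true on success" and "The value of '*addr' is always nullified if false is returned"); issue the async request for its side effect and leave success false, so callers can rely on true meaning an address is available. In resolve_callback__(), the two error returns (err != 0 or AAAA with no data, and the resolve_result_to_addr__() failure) never free `result`; only the A-no-data branch calls ub_resolve_free(), so add it on the other paths, guarding for a NULL result when err != 0. In dns_resolve_destroy(), HMAP_FOR_EACH advances by reading the node that the body has just free()d; use HMAP_FOR_EACH_POP or HMAP_FOR_EACH_SAFE, and take dns_mutex__ there too, since the comment above it says the mutex guards all_reqs__. dns_resolve_sync__() lazily calls dns_resolve_init(false) without holding the lock, so two utility threads racing on first use can each create a context, which undercuts the "This function is thread-safe" comment; initialize once (ovsthread_once) or document that dns_resolve_init() must be called before threads are spawned. Finally, the unbound context is configured with ub_ctx_resolvconf()/ub_ctx_hosts() only and no trust anchor (ub_ctx_add_ta() or ub_ctx_trustedkeys()), so answers are not DNSSEC-validated; that is acceptable for a first version but worth stating in the commit message or NEWS, because a spoofed answer redirects a plain tcp: remote, whereas ssl: remotes remain protected by certificate verification.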
diff --git a/lib/dns-resolve.h b/lib/dns-resolve.h new file mode 100644 index 000000000000..9cfa366a5d75 --- /dev/null +++ b/lib/dns-resolve.h @@ -0,0 +1,26 @@ +/* + * Copyright (c) 2017, 2018 Nicira, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef DNS_RESOLVE_H +#define DNS_RESOLVE_H 1 + +#include + +void dns_resolve_init(bool is_daemon); +bool dns_resolve(const char *name, char **addr); +void dns_resolve_destroy(void); + +#endif /* dns-resolve.h */ diff --git a/lib/socket-util.c b/lib/socket-util.c index 7fbcdf19feac..2942ea18f76c 100644 --- a/lib/socket-util.c +++ b/lib/socket-util.c @@ -48,11 +48,18 @@ #include "netlink-protocol.h" #include "netlink-socket.h" #endif +#include "dns-resolve.h" VLOG_DEFINE_THIS_MODULE(socket_util); static int getsockopt_int(int fd, int level, int option, const char *optname, int *valuep); +static bool +parse_sockaddr_components(struct sockaddr_storage *ss, + char *host_s, + const char *port_s, uint16_t default_port, + const char *s, + bool resolve_host); /* Sets 'fd' to non-blocking mode. Returns 0 if successful, otherwise a * positive errno value. */ 
@@ -367,10 +374,30 @@ inet_parse_token(char **pp) } static bool +parse_sockaddr_components_dns(struct sockaddr_storage *ss OVS_UNUSED, + char *host_s, + const char *port_s OVS_UNUSED, + uint16_t default_port OVS_UNUSED, + const char *s OVS_UNUSED) +{ + char *tmp_host_s; + + dns_resolve(host_s, &tmp_host_s); + if (tmp_host_s != NULL) { + parse_sockaddr_components(ss, tmp_host_s, port_s, + default_port, s, false); + free(tmp_host_s); + return true; + } + return false; +} + +static bool parse_sockaddr_components(struct sockaddr_storage *ss, char *host_s, const char *port_s, uint16_t default_port, - const char *s) + const char *s, + bool resolve_host) { struct sockaddr_in *sin = ALIGNED_CAST(struct sockaddr_in *, ss); int port; @@ -394,8 +421,7 @@ parse_sockaddr_components(struct sockaddr_storage *ss, sin6->sin6_family = AF_INET6; sin6->sin6_port = htons(port); if (!addr || !*addr || !ipv6_parse(addr, &sin6->sin6_addr)) { - VLOG_ERR("%s: bad IPv6 address \"%s\"", s, addr ? addr : ""); - goto exit; + goto resolve; } #ifdef HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID @@ -408,7 +434,7 @@ parse_sockaddr_components(struct sockaddr_storage *ss, if (!sin6->sin6_scope_id) { VLOG_ERR("%s: bad IPv6 scope \"%s\" (%s)", s, scope, ovs_strerror(errno)); - goto exit; + goto resolve; } } } @@ -417,13 +443,19 @@ parse_sockaddr_components(struct sockaddr_storage *ss, sin->sin_family = AF_INET; sin->sin_port = htons(port); if (host_s && !ip_parse(host_s, &sin->sin_addr.s_addr)) { - VLOG_ERR("%s: bad IPv4 address \"%s\"", s, host_s); - goto exit; + goto resolve; } } return true; +resolve: + if (resolve_host && parse_sockaddr_components_dns(ss, host_s, port_s, + default_port, s)) { + return true; + } else if (!resolve_host) { + VLOG_ERR("%s: bad IP address \"%s\"", s, host_s); + } exit: memset(ss, 0, sizeof *ss); return false; 
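Review bot: In parse_sockaddr_components_dns(), ss, port_s, default_port and s are annotated OVS_UNUSED but all four are passed to parse_sockaddr_components(); drop the annotations. The return value of that inner call is discarded and the function returns true regardless, so a resolved string that fails to parse leaves *ss zeroed by the inner `exit:` path while the caller sees success; return the inner result instead. Also, the new `resolve:` label replaces the former "bad IPv4 address"/"bad IPv6 address" errors when resolve_host is true, so when dns_resolve() fails for a reason other than a pending lookup (no unbound context, stub build, lookup error) this layer logs nothing and a pending lookup is indistinguishable from a typo in a literal address; consider a debug-level log here and keeping the original VLOG_ERR when dns_resolve() reports failure rather than pending.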
@@ -456,7 +488,8 @@ inet_parse_active(const char *target_, uint16_t default_port, VLOG_ERR("%s: port must be specified", target_); ok = false; } else { - ok = parse_sockaddr_components(ss, host, port, default_port, target_); + ok = parse_sockaddr_components(ss, host, port, default_port, + target_, true); } if (!ok) { memset(ss, 0, sizeof *ss); @@ -580,7 +613,8 @@ inet_parse_passive(const char *target_, int default_port, VLOG_ERR("%s: port must be specified", target_); ok = false; } else { - ok = parse_sockaddr_components(ss, host, port, default_port, target_); + ok = parse_sockaddr_components(ss, host, port, default_port, + target_, true); } if (!ok) { memset(ss, 0, sizeof *ss); diff --git a/lib/stream.c b/lib/stream.c index 083e2fb93f77..7abc2f7c24cc 100644 --- a/lib/stream.c +++ b/lib/stream.c @@ -126,11 +126,11 @@ stream_usage(const char *name, bool active, bool passive, printf("\n"); if (active) { printf("Active %s connection methods:\n", name); - printf(" tcp:IP:PORT " - "PORT at remote IP\n"); + printf(" tcp:HOST:PORT " + "PORT at remote HOST\n"); #ifdef HAVE_OPENSSL - printf(" ssl:IP:PORT " - "SSL PORT at remote IP\n"); + printf(" ssl:HOST:PORT " + "SSL PORT at remote HOST\n"); #endif printf(" unix:FILE " "Unix domain socket named FILE\n"); @@ -138,11 +138,11 @@ stream_usage(const char *name, bool active, bool passive, if (passive) { printf("Passive %s connection methods:\n", name); - printf(" ptcp:PORT[:IP] " - "listen to TCP PORT on IP\n"); + printf(" ptcp:PORT[:HOST] " + "listen to TCP PORT on HOST\n"); #ifdef HAVE_OPENSSL - printf(" pssl:PORT[:IP] " - "listen for SSL on PORT on IP\n"); + printf(" pssl:PORT[:HOST] " + "listen for SSL on PORT on HOST\n"); #endif printf(" punix:FILE " "listen on Unix domain socket FILE\n"); diff --git a/lib/vconn-active.man b/lib/vconn-active.man index 395879c8a58b..d1e894eb4645 100644 --- a/lib/vconn-active.man +++ b/lib/vconn-active.man 
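Review bot: The inet_parse_passive() hunk passes resolve_host = true, so a listen address such as ptcp:6640:hostname is now sent through dns_resolve(); in daemon context that returns false (pending) on the first call, so binding succeeds only if the caller retries the passive open until resolution completes. If the passive-open path does not retry, either pass false here or document that DNS names on passive targets work only in synchronous (utility) context; the vconn-passive.man and ovsdb.7.rst hunks currently say "DNS names can be used" without qualification. The inet_parse_active() hunk has the same retry dependency, which reconnecting OpenFlow/OVSDB clients satisfy, but it should be stated in the commit message.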
@@ -1,8 +1,8 @@ -.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]" -.IQ "\fBtcp:\fIip\fR[\fB:\fIport\fR]" -The specified \fIport\fR on the host at the given \fIip\fR, which must -be expressed as an IP address (not a DNS name) in IPv4 or IPv6 address -format. Wrap IPv6 addresses in square brackets, +.IP "\fBssl:\fIhost\fR[\fB:\fIport\fR]" +.IQ "\fBtcp:\fIhost\fR[\fB:\fIport\fR]" +The specified \fIport\fR on the given \fIhost\fR, which can +be expressed either as a DNS name or an IP address in IPv4 or +IPv6 address format. Wrap IPv6 addresses in square brackets, e.g. \fBtcp:[::1]:6653\fR. On Linux, use \fB%\fIdevice\fR to designate a scope for IPv6 link-level addresses, e.g. \fBtcp:[fe80::1234%eth0]:6653\fR. For \fBssl\fR, the diff --git a/lib/vconn-passive.man b/lib/vconn-passive.man index 1ffa183972b8..563f4a25f6f0 100644 --- a/lib/vconn-passive.man +++ b/lib/vconn-passive.man @@ -1,12 +1,12 @@ -.IP "\fBpssl:\fR[\fIport\fR][\fB:\fIip\fR]" -.IQ "\fBptcp:\fR[\fIport\fR][\fB:\fIip\fR]" +.IP "\fBpssl:\fR[\fIport\fR][\fB:\fIhost\fR]" +.IQ "\fBptcp:\fR[\fIport\fR][\fB:\fIhost\fR]" Listens for OpenFlow connections on \fIport\fR. The default \fIport\fR is 6653. By default, connections are allowed from any IPv4 -address. Specify \fIip\fR as an IPv4 address or a bracketed IPv6 +address. Specify \fIhost\fR as an IPv4 address or a bracketed IPv6 address (e.g. \fBptcp:6653:[::1]\fR). On Linux, use \fB%\fIdevice\fR to designate a scope for IPv6 link-level addresses, -e.g. \fBptcp:6653:[fe80::1234%eth0]\fR. DNS names may -not be used. For \fBpssl\fR, the +e.g. \fBptcp:6653:[fe80::1234%eth0]\fR. DNS names can +be used. For \fBpssl\fR, the \fB\-\-private\-key\fR,\fB\-\-certificate\fR, and \fB\-\-ca\-cert\fR options are mandatory. .IP diff --git a/lib/vconn.c b/lib/vconn.c index bb56be2d2901..3ec09d842a66 100644 --- a/lib/vconn.c +++ b/lib/vconn.c 
@@ -138,23 +138,23 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED) printf("\n"); if (active) { printf("Active OpenFlow connection methods:\n"); - printf(" tcp:IP[:PORT] " - "PORT (default: %d) at remote IP\n", OFP_PORT); + printf(" tcp:HOST[:PORT] " + "PORT (default: %d) at remote HOST\n", OFP_PORT); #ifdef HAVE_OPENSSL - printf(" ssl:IP[:PORT] " - "SSL PORT (default: %d) at remote IP\n", OFP_PORT); + printf(" ssl:HOST[:PORT] " + "SSL PORT (default: %d) at remote HOST\n", OFP_PORT); #endif printf(" unix:FILE Unix domain socket named FILE\n"); } if (passive) { printf("Passive OpenFlow connection methods:\n"); - printf(" ptcp:[PORT][:IP] " - "listen to TCP PORT (default: %d) on IP\n", + printf(" ptcp:[PORT][:HOST] " + "listen to TCP PORT (default: %d) on HOST\n", OFP_PORT); #ifdef HAVE_OPENSSL - printf(" pssl:[PORT][:IP] " - "listen for SSL on PORT (default: %d) on IP\n", + printf(" pssl:[PORT][:HOST] " + "listen for SSL on PORT (default: %d) on HOST\n", OFP_PORT); #endif printf(" punix:FILE " diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4 index de4d66ccb2db..312a0a49dd50 100644 --- a/m4/openvswitch.m4 +++ b/m4/openvswitch.m4 @@ -643,3 +643,13 @@ AC_DEFUN([OVS_CHECK_CXX], enable_cxx=false fi AM_CONDITIONAL([HAVE_CXX], [$enable_cxx])]) + +dnl Checks for unbound library. +AC_DEFUN([OVS_CHECK_UNBOUND], + [AC_CHECK_LIB(unbound, ub_ctx_create, [HAVE_UNBOUND=yes]) + if test "$HAVE_UNBOUND" = yes; then + AC_DEFINE([HAVE_UNBOUND], [1], [Define to 1 if unbound is detected.]) + LIBS="$LIBS -lunbound" + fi + AM_CONDITIONAL([HAVE_UNBOUND], [test "$HAVE_UNBOUND" = yes]) + AC_SUBST([HAVE_UNBOUND])]) diff --git a/ovn/controller-vtep/ovn-controller-vtep.8.xml b/ovn/controller-vtep/ovn-controller-vtep.8.xml index 7540b5823599..855a396375cc 100644 --- a/ovn/controller-vtep/ovn-controller-vtep.8.xml +++ b/ovn/controller-vtep/ovn-controller-vtep.8.xml @@ -30,28 +30,27 @@
  • - ssl:ip:port + ssl:host:port

    - The specified SSL port on the host at the given - ip, which must be expressed as an IP address (not a DNS - name) in IPv4 or IPv6 address format. If ip is an IPv6 - address, then wrap ip with square brackets, e.g.: - ssl:[::1]:6640. The --private-key, - --certificate and either of --ca-cert - or --bootstrap-ca-cert options are mandatory when this - form is used. + The specified SSL port on the give host, which + can either be a DNS name or an IP address (IPv4 or IPv6). If + host is an IPv6 address, then wrap host with + square brackets, e.g.: ssl:[::1]:6640. The + --private-key, --certificate and either + of --ca-cert or --bootstrap-ca-cert options + are mandatory when this form is used.

  • - tcp:ip:port + tcp:host:port

    - Connect to the given TCP port on ip, where - ip can be IPv4 or IPv6 address. If ip is an - IPv6 address, then wrap ip with square brackets, e.g.: - tcp:[::1]:6640. + Connect to the given TCP port on host, where + host can be a DNS name or IP address (IPv4 or IPv6). If + host is an IPv6 address, then wrap host with + square brackets, e.g.: tcp:[::1]:6640.

  • diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 4447c16b4864..43ae61c61bd3 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -1982,14 +1982,14 @@ The following connection methods are currently supported:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    The specified SSL port on the host at the given - ip, which must be expressed as an IP address - (not a DNS name). A valid SSL configuration must be provided - when this form is used, this configuration can be specified - via command-line options or the table. + host, which can either be a DNS name or an IP address. + A valid SSL configuration must be provided when this form is + used, this configuration can be specified via command-line + options or the table.

    If port is not specified, it defaults to 6640. @@ -2000,30 +2000,29 @@

    -
    tcp:ip[:port]
    +
    tcp:host[:port]

    The specified TCP port on the host at the given - ip, which must be expressed as an IP address (not a - DNS name), where ip can be IPv4 or IPv6 address. If - ip is an IPv6 address, wrap it in square brackets, + host, which can either be a DNS name or an IP address. + If host is an IPv6 address, wrap it in square brackets, e.g. tcp:[::1]:6640.

    If port is not specified, it defaults to 6640.

    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 + choose an available port. If host, which can either + be a DNS name or an IP address, is specified, then connections + are restricted to the resolved or specified local IPaddress + (either IPv4 or IPv6 address). If host is an IPv6 address, wrap in square brackets, - e.g. pssl:6640:[::1]. If ip is not + e.g. pssl:6640:[::1]. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. A valid SSL configuration must be provided when this form is used, this can be specified either via command-line options or the @@ -2037,17 +2036,17 @@ part of Open vSwitch.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]

    Listens for connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 + choose an available port. If host, which can either + be a DNS name or an IP address, is specified, then connections + are restricted to the resolved or specified local IP address + (either IPv4 or IPv6 address). If host is an IPv6 address, wrap it in square brackets, - e.g. ptcp:6640:[::1]. If ip is not + e.g. ptcp:6640:[::1]. If host is not specified then it listens only on IPv4 addresses.
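Review bot: in the ovn-nb.xml ssl: and tcp: hunks the unchanged context line "The specified SSL port on the host at the given" is kept and the new line starts with "host, which can either be a DNS name or an IP address", so the rendered paragraph reads "on the host at the given host"; the ovn-sb.xml version of the same paragraph rewrites the lead-in to "The specified SSL port on the given host", which reads correctly and should be used here as well. In the pssl: hunk, "restricted to the resolved or specified local IPaddress" is missing the space in "IP address". Since the sentence "A valid SSL configuration must be provided when this form is used, this configuration can be specified via command-line options or the table" is being rewrapped anyway, the comma splice could be fixed at the same time (a semicolon or a full stop after "used").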

    diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml index abc241ec0749..07718ada4731 100644 --- a/ovn/ovn-sb.xml +++ b/ovn/ovn-sb.xml @@ -2733,14 +2733,14 @@ tcp.flags = RST; The following connection methods are currently supported:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    - The specified SSL port on the host at the given - ip, which must be expressed as an IP address - (not a DNS name). A valid SSL configuration must be provided - when this form is used, this configuration can be specified - via command-line options or the table. + The specified SSL port on the given host, + which can either be a DNS name or an IP address. A valid SSL + configuration must be provided when this form is used, this + configuration can be specified via command-line options or the + table.

    If port is not specified, it defaults to 6640. @@ -2751,30 +2751,29 @@ tcp.flags = RST;

    -
    tcp:ip[:port]
    +
    tcp:host[:port]

    - The specified TCP port on the host at the given - ip, which must be expressed as an IP address (not a - DNS name), where ip can be IPv4 or IPv6 address. If - ip is an IPv6 address, wrap it in square brackets, + The specified TCP port on the given host, + which can either be a DNS name or an IP address (IPv4 or IPv6). + If host is an IPv6 address, wrap it in square brackets, e.g. tcp:[::1]:6640.

    If port is not specified, it defaults to 6640.

    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 + choose an available port. If host, which can either + be a DNS name or an IP address, is specified, then connections + are restricted to the resolved or specified local IP address + (either IPv4 or IPv6 address). If host is an IPv6 address, wrap in square brackets, - e.g. pssl:6640:[::1]. If ip is not + e.g. pssl:6640:[::1]. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. A valid SSL configuration must be provided when this form is used, this can be specified either via command-line options or the @@ -2788,17 +2787,17 @@ tcp.flags = RST; part of Open vSwitch.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]

    Listens for connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 + choose an available port. If host, which can either + be a DNS name or an IP address, is specified, then connections + are restricted to the resolved or specified local IP address + (either IPv4 or IPv6 address). If host is an IPv6 address, wrap it in square brackets, - e.g. ptcp:6640:[::1]. If ip is not + e.g. ptcp:6640:[::1]. If host is not specified then it listens only on IPv4 addresses.
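Review bot: the pssl: and ptcp: hunks say connections are "restricted to the resolved or specified local IP address" but do not say what happens when host resolves to more than one address (for example both an A and an AAAA record) or to an address that is not local to this machine: which address is bound, and does the listener fail or fall back to the host-not-specified behaviour of listening on all IPv4 addresses? The paragraph should also state whether the name is resolved once when the listener is opened or again on each retry, because a resolver answer that changes over time then changes where the daemon listens. A sentence after the "resolved or specified local IP address" one along the lines of "If host resolves to more than one address, the first address returned by the resolver is used." (adjusted to what the implementation actually does) would close the gap.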

    diff --git a/python/ovs/stream.py b/python/ovs/stream.py index c8b96b0730e0..d5e6215fc253 100644 --- a/python/ovs/stream.py +++ b/python/ovs/stream.py @@ -705,8 +705,8 @@ def usage(name): return """ Active %s connection methods: unix:FILE Unix domain socket named FILE - tcp:IP:PORT TCP socket to IP with port no of PORT - ssl:IP:PORT SSL socket to IP with port no of PORT + tcp:HOST:PORT TCP socket to HOST with port no of PORT + ssl:HOST:PORT SSL socket to HOST with port no of PORT Passive %s connection methods: punix:FILE Listen on Unix domain socket FILE""" % (name, name) diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index ede62c8442c3..fa27fd5aedbc 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -87,8 +87,9 @@ BuildRequires: libpcap-devel numactl-devel BuildRequires: dpdk-devel >= 17.05.1 Provides: %{name}-dpdk = %{version}-%{release} %endif +BuildRequires: unbound unbound-devel -Requires: openssl hostname iproute module-init-tools +Requires: openssl hostname iproute module-init-tools unbound #Upstream kernel commit 4f647e0a3c37b8d5086214128614a136064110c3 #Requires: kernel >= 3.15.0-0 diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in index 104b2732956d..8260b6b5a515 100644 --- a/rhel/openvswitch.spec.in +++ b/rhel/openvswitch.spec.in @@ -38,6 +38,7 @@ BuildRequires: openssl-devel BuildRequires: checkpolicy, selinux-policy-devel BuildRequires: autoconf, automake, libtool BuildRequires: python-sphinx +BuildRequires: unbound-devel %bcond_without check %bcond_with check_datapath_kernel diff --git a/vswitchd/ovs-vswitchd.c b/vswitchd/ovs-vswitchd.c index d5e07c0376cd..75344815b79a 100644 --- a/vswitchd/ovs-vswitchd.c +++ b/vswitchd/ovs-vswitchd.c @@ -48,6 +48,7 @@ #include "openvswitch/vconn.h" #include "openvswitch/vlog.h" #include "lib/vswitch-idl.h" +#include "lib/dns-resolve.h" VLOG_DEFINE_THIS_MODULE(vswitchd); 
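Review bot: in the rhel/openvswitch-fedora.spec.in hunk, "Requires: openssl hostname iproute module-init-tools unbound" pulls in the unbound resolver daemon package, whereas what the binaries need at run time is the shared library they link against, which rpm's automatic dependency generation on the linked .so already expresses (and which on Fedora is packaged as unbound-libs rather than unbound); likewise "BuildRequires: unbound unbound-devel" only needs unbound-devel. The rhel/openvswitch.spec.in hunk adds just "BuildRequires: unbound-devel" with no runtime requirement, so the two spec files should be made consistent with each other. In the python/ovs/stream.py hunk only the usage() text changes from IP to HOST: if the Python stream code still parses the target as an IP address, the new help text promises something the library does not do, so either the connect path needs the matching change or the usage text should keep saying IP.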
@@ -77,6 +78,7 @@ main(int argc, char *argv[]) set_program_name(argv[0]); + dns_resolve_init(true); ovs_cmdl_proctitle_init(argc, argv); service_start(&argc, &argv); remote = parse_options(argc, argv, &unixctl_path); @@ -135,6 +137,7 @@ main(int argc, char *argv[]) bridge_exit(cleanup); unixctl_server_destroy(unixctl); service_stop(); + dns_resolve_destroy(); return 0; } diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 58c0ebd4b206..48bbf89488b1 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -4292,26 +4292,24 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ controllers:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    The specified SSL port on the host at the - given ip, which must be expressed as an IP - address (not a DNS name). The column in the - table must point to a valid SSL configuration when this form - is used.

    + given host, which can either be a DNS name or an IP + address. The column + in the table must point to a valid SSL + configuration when this form is used.

    If port is not specified, it defaults to 6653.

    SSL support is an optional feature that is not always built as part of Open vSwitch.

    -
    tcp:ip[:port]
    +
    tcp:host[:port]

    The specified TCP port on the host at the given - ip, which must be expressed as an IP address (not a - DNS name), where ip can be IPv4 or IPv6 address. If - ip is an IPv6 address, wrap it in square brackets, - e.g. tcp:[::1]:6653. + host, which can either be a DNS name or an IP address + (IPv4 or IPv6). If host is an IPv6 address, wrap it + in square brackets, e.g. tcp:[::1]:6653.

    If port is not specified, it defaults to 6653. @@ -4323,19 +4321,19 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ controllers:

    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port. - If ip, which must be expressed as an IP address (not a - DNS name), is specified, then connections are restricted to the - specified local IP address (either IPv4 or IPv6). If - ip is an IPv6 address, wrap it in square brackets, + If host, which can either be a DNS name or an IP + address, is specified, then connections are restricted to the + resolved or specified local IP address (either IPv4 or IPv6). If + host is an IPv6 address, wrap it in square brackets, e.g. pssl:6653:[::1].

    If port is not specified, it defaults to - 6653. If ip is not specified then it listens only on + 6653. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. The column in the table must point to a @@ -4349,15 +4347,15 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ part of Open vSwitch.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]

    Listens for connections on the specified TCP port. If - ip, which must be expressed as an IP address (not a - DNS name), is specified, then connections are restricted to the + host, which can either be a DNS name or an IP address, + is specified, then connections are restricted to the resolved or specified local IP address (either IPv4 or IPv6). If - ip is an IPv6 address, wrap it in square brackets, - e.g. ptcp:6653:[::1]. If ip is not + host is an IPv6 address, wrap it in square brackets, + e.g. ptcp:6653:[::1]. If host is not specified then it listens only on IPv4 addresses.
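Review bot: with ssl:host and tcp:host now accepting DNS names for controller connections, the ssl: paragraph should say explicitly that the resolved name does not authenticate the controller: the peer's identity comes only from the certificate checks implied by "The column in the table must point to a valid SSL configuration when this form is used", and the documentation should state whether that check is against the configured CA alone or also ties the presented certificate to host. The tcp: paragraph has no such check at all, so a wrong or tampered resolver answer redirects the switch's control channel without anything noticing; a sentence such as "Because DNS answers are not authenticated, prefer ssl: when host is a DNS name" in the tcp: paragraph would give administrators the risk they need to weigh. The hunks also do not say whether a name is resolved once or re-resolved each time the controller connection is re-established, which matters for the same reason.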

    @@ -4695,12 +4693,12 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ The following connection methods are currently supported:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    The specified SSL port on the host at the given - ip, which must be expressed as an IP address - (not a DNS name). The host, which can either be a DNS name or an IP + address. The column in the table must point to a valid SSL configuration when this form is used. @@ -4714,30 +4712,29 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \

    -
    tcp:ip[:port]
    +
    tcp:host[:port]

    The specified TCP port on the host at the given - ip, which must be expressed as an IP address (not a - DNS name), where ip can be IPv4 or IPv6 address. If - ip is an IPv6 address, wrap it in square brackets, - e.g. tcp:[::1]:6640. + host, which can either be a DNS name or an IP address + (IPv4 or IPv6). If host is an IPv6 address, wrap it + in square brackets, e.g. tcp:[::1]:6640.

    If port is not specified, it defaults to 6640.

    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 + choose an available port. If host, which can either + be a DNS name or an IP address, is specified, then connections + are restricted to the resolved or specified local IP address + (either IPv4 or IPv6 address). If host is an IPv6 address, wrap in square brackets, - e.g. pssl:6640:[::1]. If ip is not + e.g. pssl:6640:[::1]. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. The column in the table must point to a valid SSL @@ -4751,17 +4748,17 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ part of Open vSwitch.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]

    Listens for connections on the specified TCP port. Specify 0 for port to have the kernel automatically - choose an available port. If ip, which must be - expressed as an IP address (not a DNS name), is specified, then - connections are restricted to the specified local IP address - (either IPv4 or IPv6 address). If ip is an IPv6 + choose an available port. If host, which can either + be a DNS name or an IP address, is specified, then connections + are restricted to the resolved or specified local IP address + (either IPv4 or IPv6 address). If host is an IPv6 address, wrap it in square brackets, - e.g. ptcp:6640:[::1]. If ip is not + e.g. ptcp:6640:[::1]. If host is not specified then it listens only on IPv4 addresses.
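Review bot: the ssl: and tcp: hunks at 4292 and 4714 in vswitch.xml have the same wording defect as ovn-nb.xml: the kept context "The specified SSL port on the host at the given" (and "The specified TCP port on the host at the given") followed by the new "host, which can either be a DNS name or an IP address" renders as "on the host at the given host". Rewriting the context to "The specified SSL port on the given" and "The specified TCP port on the given", as the ovn-sb.xml hunks already do, fixes all four occurrences and keeps the three documents' wording identical.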

    diff --git a/vtep/vtep.xml b/vtep/vtep.xml index 62075ca882dd..4e4d45addbf6 100644 --- a/vtep/vtep.xml +++ b/vtep/vtep.xml @@ -116,12 +116,11 @@ The following connection methods are currently supported:

    -
    ssl:ip[:port]
    +
    ssl:host[:port]

    - The specified SSL port (default: 6640) on the host at - the given ip, which must be expressed as an IP address - (not a DNS name). + The specified SSL port (default: 6640) on the given + host, which can either be a DNS name or an IP address.

    SSL key and certificate configuration happens outside the @@ -129,27 +128,26 @@

    -
    tcp:ip[:port]
    +
    tcp:host[:port]
    - The specified TCP port (default: 6640) on the host at - the given ip, which must be expressed as an IP address - (not a DNS name). + The specified TCP port (default: 6640) on the given + host, which can either be a DNS name or an IP address.
    -
    pssl:[port][:ip]
    +
    pssl:[port][:host]

    Listens for SSL connections on the specified TCP port - (default: 6640). If ip, which must be expressed as an - IP address (not a DNS name), is specified, then connections are - restricted to the specified local IP address. + (default: 6640). If host, which can either be a DNS + name or an IP address, is specified, then connections are + restricted to the resolved or specified local IP address.

    -
    ptcp:[port][:ip]
    +
    ptcp:[port][:host]
    Listens for connections on the specified TCP port - (default: 6640). If ip, which must be expressed as an - IP address (not a DNS name), is specified, then connections are - restricted to the specified local IP address. + (default: 6640). If host, which can either be a DNS + name or an IP address, is specified, then connections are + restricted to the resolved or specified local IP address.
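Review bot: in the vswitchd/ovs-vswitchd.c main() hunks, dns_resolve_init(true) is the only resolver initialisation visible in this patch, yet the ovn-nb.xml, ovn-sb.xml and vtep.xml hunks promise DNS names for the port-6640 database connection methods served by ovsdb-server and the OVN daemons; either those programs also get the init/destroy pair in hunks not shown here, or the resolver must work without initialisation, and the patch description should say which. The bare true argument is not self-documenting; a short comment on that line stating what the flag selects would help the next reader. dns_resolve_destroy() is only reached on the normal exit path at the end of main(), while dns_resolve_init(true) runs before parse_options(), so if parse_options() exits the process early (for example on a usage error) the resolver is never torn down; harmless for a daemon, but worth a comment if it is intentional.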