From: Ben Pfaff Date: Wed, 15 Jul 2009 22:29:49 +0000 (-0700) Subject: Do not try to resolve DNS for OpenFlow controllers or netflow collectors. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b35e1475ef0c274495aa04d60b054288971d503;p=openvswitch Do not try to resolve DNS for OpenFlow controllers or netflow collectors. Until now, setting a netflow collector to a DNS name would cause secchan to attempt to resolve that DNS name each time that the set of netflow collectors is re-set. For the vswitch, this is every time that the vswitch reconfigures itself. Unfortunately, DNS lookup within secchan cannot work as currently implemented, because it needs both an asynchronous DNS resolver library and in-band control updates. Currently we have neither. Attempting to look up DNS anyway just hangs. This commit disables DNS lookup entirely, and updates the documentation to change user expectations. DNS still won't work, but at least it won't hang. Bug #1609. --- diff --git a/debian/openvswitch-switch-config.templates b/debian/openvswitch-switch-config.templates index 24bf0352..5945ad71 100644 --- a/debian/openvswitch-switch-config.templates +++ b/debian/openvswitch-switch-config.templates 
@@ -113,16 +113,16 @@ Template: openvswitch-switch/controller-vconn Type: string _Description: Controller location: Specify how the OpenFlow switch should connect to the OpenFlow controller. - The value should be in form "ssl:HOST[:PORT]" to connect to the controller - over SSL (recommended for security) or "tcp:HOST[:PORT]" to connect over + The value should be in form "ssl:IP[:PORT]" to connect to the controller + over SSL (recommended for security) or "tcp:IP[:PORT]" to connect over cleartext TCP. Template: openvswitch-switch/controller-vconn-error Type: error _Description: The controller location is invalid. - The controller location must be specifed as "ssl:HOST[:PORT]" to + The controller location must be specifed as "ssl:IP[:PORT]" to connect to the controller over SSL (recommended for security) or - "tcp:HOST[:PORT]" to connect over cleartext TCP. + "tcp:IP[:PORT]" to connect over cleartext TCP. Template: openvswitch-switch/pki-uri Type: string diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init index b238f72e..c579a088 100755 --- a/debian/openvswitch-switch.init +++ b/debian/openvswitch-switch.init @@ -220,7 +220,7 @@ case "$1" in configure_ssl ;; *) - echo "$default: CONTROLLER must be in the form 'ssl:HOST[:PORT]' or 'tcp:HOST[:PORT]' when not in discovery mode" >&2 + echo "$default: CONTROLLER must be in the form 'ssl:IP[:PORT]' or 'tcp:IP[:PORT]' when not in discovery mode" >&2 echo "Run ovs-switch-setup (in the openvswitch-switch-config package) or edit /etc/default/openvswitch-switch to configure" >&2 exit 1 esac diff --git a/debian/openvswitch-switch.template b/debian/openvswitch-switch.template index 7fe0e15c..967b3cef 100644 --- a/debian/openvswitch-switch.template +++ b/debian/openvswitch-switch.template 
@@ -69,8 +69,8 @@ SWITCH_IP=dhcp # CONTROLLER: Location of controller. # One of the following formats: -# tcp:HOST[:PORT] via TCP to PORT (default: 6633) on HOST -# ssl:HOST[:PORT] via SSL to PORT (default: 6633) on HOST +# tcp:IP[:PORT] via TCP to PORT (default: 6633) at IP +# ssl:IP[:PORT] via SSL to PORT (default: 6633) at IP # The default below assumes that the controller is running locally. # This setting has no effect when MODE is set to 'discovery'. #CONTROLLER="tcp:127.0.0.1" diff --git a/debian/po/templates.pot b/debian/po/templates.pot index 119e5587..39dee7a4 100644 --- a/debian/po/templates.pot +++ b/debian/po/templates.pot @@ -278,8 +278,8 @@ msgstr "" #: ../openvswitch-switch-config.templates:10001 msgid "" "Specify how the OpenFlow switch should connect to the OpenFlow controller. " -"The value should be in form \"ssl:HOST[:PORT]\" to connect to the controller " -"over SSL (recommended for security) or \"tcp:HOST[:PORT]\" to connect over " +"The value should be in form \"ssl:IP[:PORT]\" to connect to the controller " +"over SSL (recommended for security) or \"tcp:IP[:PORT]\" to connect over " "cleartext TCP." msgstr "" @@ -293,8 +293,8 @@ msgstr "" #. Description #: ../openvswitch-switch-config.templates:11001 msgid "" -"The controller location must be specifed as \"ssl:HOST[:PORT]\" to connect " -"to the controller over SSL (recommended for security) or \"tcp:HOST[:PORT]\" " +"The controller location must be specifed as \"ssl:IP[:PORT]\" to connect " +"to the controller over SSL (recommended for security) or \"tcp:IP[:PORT]\" " "to connect over cleartext TCP." msgstr "" diff --git a/lib/socket-util.c b/lib/socket-util.c index 086a329e..d13255ff 100644 --- a/lib/socket-util.c +++ b/lib/socket-util.c 
@@ -72,25 +72,16 @@ get_max_fds(void) return max_fds; } -/* Translates 'host_name', which may be a DNS name or an IP address, into a - * numeric IP address in '*addr'. Returns 0 if successful, otherwise a - * positive errno value. */ +/* Translates 'host_name', which must be a string representation of an IP + * address, into a numeric IP address in '*addr'. Returns 0 if successful, + * otherwise a positive errno value. */ int lookup_ip(const char *host_name, struct in_addr *addr) { if (!inet_aton(host_name, addr)) { - struct hostent *he = gethostbyname(host_name); - if (he == NULL) { - struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5); - VLOG_ERR_RL(&rl, "gethostbyname(%s): %s", host_name, - (h_errno == HOST_NOT_FOUND ? "host not found" - : h_errno == TRY_AGAIN ? "try again" - : h_errno == NO_RECOVERY ? "non-recoverable error" - : h_errno == NO_ADDRESS ? "no address" - : "unknown error")); - return ENOENT; - } - addr->s_addr = *(uint32_t *) he->h_addr; + struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5); + VLOG_ERR_RL(&rl, "\"%s\" is not a valid IP address", host_name); + return ENOENT; } return 0; } diff --git a/lib/vconn.c b/lib/vconn.c index f493f833..b5e11020 100644 --- a/lib/vconn.c +++ b/lib/vconn.c @@ -128,11 +128,11 @@ vconn_usage(bool active, bool passive, bool bootstrap UNUSED) printf("\n"); if (active) { printf("Active OpenFlow connection methods:\n"); - printf(" tcp:HOST[:PORT] " - "PORT (default: %d) on remote TCP HOST\n", OFP_TCP_PORT); + printf(" tcp:IP[:PORT] " + "PORT (default: %d) at remote IP\n", OFP_TCP_PORT); #ifdef HAVE_OPENSSL - printf(" ssl:HOST[:PORT] " - "SSL PORT (default: %d) on remote HOST\n", OFP_SSL_PORT); + printf(" ssl:IP[:PORT] " + "SSL PORT (default: %d) at remote IP\n", OFP_SSL_PORT); #endif printf(" unix:FILE Unix domain socket named FILE\n"); } diff --git a/secchan/secchan.8.in b/secchan/secchan.8.in index b40842a9..61202044 100644 --- a/secchan/secchan.8.in +++ b/secchan/secchan.8.in 
@@ -23,16 +23,15 @@ The optional \fIcontroller\fR argument specifies how to connect to the OpenFlow controller. It takes one of the following forms: .RS -.TP -\fBssl:\fIhost\fR[\fB:\fIport\fR] -The specified SSL \fIport\fR (default: 6633) on the given remote -\fIhost\fR. The \fB--private-key\fR, \fB--certificate\fR, and -\fB--ca-cert\fR options are mandatory when this form is used. +.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]" +The specified SSL \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). +The \fB--private-key\fR, \fB--certificate\fR, and \fB--ca-cert\fR +options are mandatory when this form is used. -.TP -\fBtcp:\fIhost\fR[\fB:\fIport\fR] -The specified TCP \fIport\fR (default: 6633) on the given remote -\fIhost\fR. +.IP "\fBtcp:\fIip\fR[\fB:\fIport\fR]" +The specified TCP \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). .TP \fBunix:\fIfile\fR @@ -342,9 +341,10 @@ mode (see \fBContacting the Controller\fR above). When neither option is given, the default is in-band control. .TP -\fB--netflow=\fIhost\fB:\fIport\fR -Configures the given UDP \fIport\fR on the specified IP \fIhost\fR as -a recipient of NetFlow messages for expired flows. +\fB--netflow=\fIip\fB:\fIport\fR +Configures the given UDP \fIport\fR on the specified IP \fIip\fR as +a recipient of NetFlow messages for expired flows. The \fIip\fR must +be specified numerically, not as a DNS name. This option may be specified multiple times to configure additional NetFlow collectors. diff --git a/utilities/ovs-controller.8.in b/utilities/ovs-controller.8.in index 31c7a865..750fcea5 100644 --- a/utilities/ovs-controller.8.in +++ b/utilities/ovs-controller.8.in 
@@ -32,16 +32,15 @@ Listens for TCP connections from remote OpenFlow switches on Listens for connections from OpenFlow switches on the Unix domain server socket named \fIfile\fR. -.TP -\fBssl:\fIhost\fR[\fB:\fIport\fR] -The specified SSL \fIport\fR (default: 6633) on the given remote -\fIhost\fR. The \fB--private-key\fR, \fB--certificate\fR, and -\fB--ca-cert\fR options are mandatory when this form is used. - -.TP -\fBtcp:\fIhost\fR[\fB:\fIport\fR] -The specified TCP \fIport\fR (default: 6633) on the given remote -\fIhost\fR. +.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]" +The specified SSL \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). +The \fB--private-key\fR, \fB--certificate\fR, and \fB--ca-cert\fR +options are mandatory when this form is used. + +.IP "\fBtcp:\fIip\fR[\fB:\fIport\fR]" +The specified TCP \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). .TP \fBunix:\fIfile\fR diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index 4b87cd3c..6b39765c 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in 
@@ -26,16 +26,15 @@ connecting to an OpenFlow switch. The following connection methods are supported: .RS -.TP -\fBssl:\fIhost\fR[\fB:\fIport\fR] -The specified SSL \fIport\fR (default: 6633) on the given remote -\fIhost\fR. The \fB--private-key\fR, \fB--certificate\fR, and -\fB--ca-cert\fR options are mandatory when this form is used. - -.TP -\fBtcp:\fIhost\fR[\fB:\fIport\fR] -The specified TCP \fIport\fR (default: 6633) on the given remote -\fIhost\fR. +.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]" +The specified SSL \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). +The \fB--private-key\fR, \fB--certificate\fR, and \fB--ca-cert\fR +options are mandatory when this form is used. + +.IP "\fBtcp:\fIip\fR[\fB:\fIport\fR]" +The specified TCP \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). .TP \fBunix:\fIfile\fR diff --git a/vswitchd/ovs-vswitchd.conf.5.in b/vswitchd/ovs-vswitchd.conf.5.in index d0e24741..25332db4 100644 --- a/vswitchd/ovs-vswitchd.conf.5.in +++ b/vswitchd/ovs-vswitchd.conf.5.in @@ -318,8 +318,9 @@ NetFlow is a protocol that exports a number of details about terminating IP flows, such as the principals involved and duration. A bridge may be configured to send NetFlow v5 records to NetFlow collectors when flows end. To enable, define the key \fBnetflow.\fIbridge\fB.host\fR for each -collector in the form \fIhost\fB:\fIport\fR. Records from \fIbridge\fR -will be sent to each \fIhost\fR on UDP \fIport\fR. +collector in the form \fIip\fB:\fIport\fR. Records from \fIbridge\fR +will be sent to each \fIip\fR on UDP \fIport\fR. The \fIip\fR must +be specified numerically, not as a DNS name. The NetFlow messages will use the datapath index for the engine type and id. This can be overridden with the \fBnetflow.\fIbridge\fB.engine-type\fR and 
@@ -351,16 +352,15 @@ supports the OpenFlow Management Protocol, such as NOX. This functionality is enabled by setting the key \fBmgmt.controller\fR to one of the following values: . -.TP -\fBssl:\fIhost\fR[\fB:\fIport\fR] -The specified SSL \fIport\fR (default: 6633) on the given remote -\fIhost\fR. SSL must be configured when this form is used (see \fBSSL +.IP "\fBssl:\fIip\fR[\fB:\fIport\fR]" +The specified SSL \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). +SSL must be configured when this form is used (see \fBSSL Configuration\fR, below). . -.TP -\fBtcp:\fIhost\fR[\fB:\fIport\fR] -The specified TCP \fIport\fR (default: 6633) on the given remote -\fIhost\fR. +.IP "\fBtcp:\fIip\fR[\fB:\fIport\fR]" +The specified TCP \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). .PP The maximum time between attempts to connect to the controller may be specified in integral seconds with the \fBmgmt.max-backoff\fR key. The @@ -431,15 +431,16 @@ that it receives specifies one or more DNS servers. .RE . .TP -\fBssl:\fIhost\fR[\fB:\fIport\fR] -The specified SSL \fIport\fR (default: 6633) on the given remote -\fIhost\fR. SSL must be configured when this form is used (see \fBSSL +\fBssl:\fIip\fR[\fB:\fIport\fR] +The specified SSL \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). +SSL must be configured when this form is used (see \fBSSL Configuration\fR, below). . .TP -\fBtcp:\fIhost\fR[\fB:\fIport\fR] -The specified TCP \fIport\fR (default: 6633) on the given remote -\fIhost\fR. +\fBtcp:\fIip\fR[\fB:\fIport\fR] +The specified TCP \fIport\fR (default: 6633) on the host at the given +\fIip\fR, which must be expressed as an IP address (not a DNS name). . .TP \fBunix:\fIfile\fR
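Review bot: the changed line `+ The controller location must be specifed as "ssl:IP[:PORT]" to` in the openvswitch-switch-config.templates hunk keeps the pre-existing typo "specifed"; since the line is being rewritten anyway, correct it to "specified" here so the debconf text and the matching msgid in templates.pot stay in sync.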
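Review bot: the templates.pot hunk carries the same "specifed" typo into the new msgid (`+"The controller location must be specifed as \"ssl:IP[:PORT]\" to connect "`); fix it in the same commit as the template so the .pot does not need a second regeneration. Changing these two msgids also marks every existing translation of them fuzzy, so translators will have to re-review the strings.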
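Review bot: in the openvswitch-switch.init hunk the message now demands 'ssl:IP[:PORT]' or 'tcp:IP[:PORT]', but as far as the visible context shows the surrounding case statement only dispatches on the scheme, so a DNS name still passes the init script and fails later inside secchan with the new "is not a valid IP address" log line. If it is cheap to do, reject a non-numeric host in the script as well so the misconfiguration is reported when the service is configured rather than when the connection is attempted.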
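Review bot: the new `lookup_ip()` in lib/socket-util.c still returns ENOENT when `inet_aton()` fails, but with the DNS path removed the failure is a parse error rather than a missing host, so EINVAL would describe it more accurately (check the callers first in case any of them test for ENOENT). Two smaller points on the same hunk: `inet_aton()` accepts more than dotted-quad notation (for example "127.1", or hexadecimal and octal octets), so the comment's "string representation of an IP address" is looser than a reader may assume, and `inet_pton(AF_INET, ...)` would enforce strict dotted-quad input if that is the intent; and the parameter is still named `host_name` although it may no longer be a host name, so renaming it (for example to `ip_str`) would match the rewritten comment.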
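Review bot: in the first secchan.8.in hunk the ssl: and tcp: entries change from `.TP` to `.IP "..."` while the `unix:` entry that follows in the same list keeps `.TP`, so the three entries will no longer render with the same indentation and spacing; either convert the `unix:` entry too or keep `.TP` for all three. The same mix appears in the ovs-controller.8.in and ovs-ofctl.8.in hunks.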
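Review bot: in the `--netflow` hunk of secchan.8.in, `+Configures the given UDP \fIport\fR on the specified IP \fIip\fR as` renders as "on the specified IP ip"; the wording already used earlier in the same file, "on the host at the given \fIip\fR", would read better and keep the two descriptions consistent.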
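Review bot: within ovs-vswitchd.conf.5.in the @@ -351 hunk converts the ssl:/tcp: entries to `.IP "..."` but the @@ -431 hunk leaves the equivalent entries as `.TP`, so two lists describing the same connection syntax will render differently in one manual page; pick one macro and use it in both places.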