
openvswitch: add option for failure mode

When Open vSwitch is configured to use a controller, but is unable to
connect to it, Open vSwitch will set up flows to allow all traffic if
the failure mode is not configured or is set to standalone.

As this might be a security hazard, it is also possible to configure
Open vSwitch in a secure failure mode. Enabling this mode causes Open
vSwitch to drop all traffic if it is unable to connect to the
controller.

Redirect stderr of the command to /dev/null as it does not support the
--if-exists option.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
lilik-openwrt-22.03
Stijn Tintel 3 years ago
committed by Yousong Zhou
parent
commit
9e45d45348
4 changed files with 28 additions and 1 deletions
  1. +1
    -1
      net/openvswitch/Makefile
  2. +1
    -0
      net/openvswitch/README.md
  3. +1
    -0
      net/openvswitch/files/openvswitch.config
  4. +25
    -0
      net/openvswitch/files/openvswitch.init

+ 1
- 1
net/openvswitch/Makefile View File

@ -17,7 +17,7 @@ include ./openvswitch.mk
#
PKG_NAME:=openvswitch
PKG_VERSION:=$(ovs_version)
PKG_RELEASE:=8
PKG_RELEASE:=9
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.openvswitch.org/releases/
PKG_HASH:=7d5797f2bf2449c6a266149e88f72123540f7fe7f31ad52902057ae8d8f88c38


+ 1
- 0
net/openvswitch/README.md View File

@ -92,6 +92,7 @@ for initialising a virtual bridge with an OpenFlow controller.
| controller | string | no | (none) | The endpoint of an OpenFlow controller for this bridge |
| datapath_id | string | no | (none) | The OpenFlow datapath ID for this bridge |
| datapath_desc | string | no | (none) | The OpenFlow datapath description for this bridge |
| fail_mode | string | no | standalone | The bridge failure mode |
The ovs_port section can be used to add ports to a bridge. It supports the options below.


+ 1
- 0
net/openvswitch/files/openvswitch.config View File

@ -16,6 +16,7 @@ config ovs_bridge
option controller 'tcp:192.168.0.1'
option datapath_desc ''
option datapath_id ''
option fail_mode 'standalone'
config ovs_port
option disabled 1


+ 25
- 0
net/openvswitch/files/openvswitch.init View File

@ -198,6 +198,20 @@ ovs_bridge_validate_datapath_desc() {
fi
}
ovs_bridge_validate_fail_mode() {
local fail_mode="$1"
case "$fail_mode" in
secure|standalone)
return 0
;;
*)
logger -t openvswitch "invalid fail_mode: $fail_mode"
return 1
;;
esac
}
ovs_bridge_init() {
local cfg="$1"
@ -226,6 +240,17 @@ ovs_bridge_init() {
}
}
config_get fail_mode "$cfg" fail_mode
[ -n "$fail_mode" ] && {
ovs_bridge_validate_fail_mode "$fail_mode" && {
ovs-vsctl set-fail-mode "$name" "$fail_mode" 2> /dev/null
} || {
ovs-vsctl del-fail-mode "$name" 2> /dev/null
}
} || {
ovs-vsctl del-fail-mode "$name" 2> /dev/null
}
config_list_foreach "$cfg" "ports" ovs_bridge_port_add
config_foreach ovs_bridge_port_add_complex ovs_port "$name"
config_get_bool drop "$cfg" "drop_unknown_ports" 0
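Review bot: Both fallback branches of the new fail_mode block (the inner `||` after ovs-vsctl set-fail-mode and the outer `||` after the `[ -n "$fail_mode" ]` test) run del-fail-mode, which leaves the bridge in the standalone default the README documents, so a bridge whose operator asked for `secure` but mistyped the value, or whose set-fail-mode call failed, ends up forwarding all traffic with only the validator's logger line (and, for the set-fail-mode failure, nothing at all because stderr goes to /dev/null) to show it. The validator already logs an invalid value, but the apply failure on the set-fail-mode line is silent; adding `logger -t openvswitch "fail_mode '$fail_mode' not applied to $name, bridge is standalone"` before the inner del-fail-mode makes the fail-open result visible in the log. If the intent is to fail closed when a fail_mode was requested, the inner fallback could instead run `ovs-vsctl set-fail-mode "$name" secure 2> /dev/null`, since an explicitly requested but unusable value is a misconfiguration rather than a request for standalone. Note also that the `a && { b } || { c }` form runs the outer del-fail-mode a second time whenever the inner block exits non-zero, which is harmless here but worth a comment. ovs_bridge_init starts in the previous hunk and continues past the end of this one.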

