From 9e45d4534807d372cbb22b1fa734b4d79b42a8a9 Mon Sep 17 00:00:00 2001
From: Stijn Tintel
Date: Tue, 21 Sep 2021 14:58:15 +0300
Subject: [PATCH] openvswitch: add option for failure mode

When Open vSwitch is configured to use a controller, but is unable to connect to it, Open vSwitch will setup flows to allow all traffic, if the failure mode is not configured, or set to standalone. As this might be a security hazard, it is also possible to configure Open vSwitch in a secure failure mode. Enabling this mode causes Open vSwitch to drop all traffic if it is unable to connect to the controller.

Redirect stderr of the command to /dev/null as it does not support the --if-exists option.

Signed-off-by: Stijn Tintel
---
 net/openvswitch/Makefile | 2 +-
 net/openvswitch/README.md | 1 +
 net/openvswitch/files/openvswitch.config | 1 +
 net/openvswitch/files/openvswitch.init | 25 ++++++++++++++++++++++++
 4 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/net/openvswitch/Makefile b/net/openvswitch/Makefile
index bbe8b4614..1fdc11c07 100644
--- a/net/openvswitch/Makefile
+++ b/net/openvswitch/Makefile
@@ -17,7 +17,7 @@ include ./openvswitch.mk
 #
 PKG_NAME:=openvswitch
 PKG_VERSION:=$(ovs_version)
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.openvswitch.org/releases/
 PKG_HASH:=7d5797f2bf2449c6a266149e88f72123540f7fe7f31ad52902057ae8d8f88c38
diff --git a/net/openvswitch/README.md b/net/openvswitch/README.md
index cb7c3b466..b5911a597 100644
--- a/net/openvswitch/README.md
+++ b/net/openvswitch/README.md
@@ -92,6 +92,7 @@ for initialising a virtual bridge with an OpenFlow controller.
 | controller | string | no | (none) | The endpoint of an OpenFlow controller for this bridge |
 | datapath_id | string | no | (none) | The OpenFlow datapath ID for this bridge |
 | datapath_desc | string | no | (none) | The OpenFlow datapath description for this bridge |
+| fail_mode | string | no | standalone | The bridge failure mode |
 
 The ovs_port section can be used to add ports to a bridge. It supports the
 options below.
diff --git a/net/openvswitch/files/openvswitch.config b/net/openvswitch/files/openvswitch.config
index a7222b776..8fb9d1a79 100644
--- a/net/openvswitch/files/openvswitch.config
+++ b/net/openvswitch/files/openvswitch.config
@@ -16,6 +16,7 @@ config ovs_bridge
 	option controller 'tcp:192.168.0.1'
 	option datapath_desc ''
 	option datapath_id ''
+	option fail_mode 'standalone'
 
 config ovs_port
 	option disabled 1
diff --git a/net/openvswitch/files/openvswitch.init b/net/openvswitch/files/openvswitch.init
index 53259d513..f4a88edcf 100755
--- a/net/openvswitch/files/openvswitch.init
+++ b/net/openvswitch/files/openvswitch.init
@@ -198,6 +198,20 @@ ovs_bridge_validate_datapath_desc() {
 	fi
 }
 
+ovs_bridge_validate_fail_mode() {
+	local fail_mode="$1"
+
+	case "$fail_mode" in
+		secure|standalone)
+			return 0
+			;;
+		*)
+			logger -t openvswitch "invalid fail_mode: $fail_mode"
+			return 1
+			;;
+	esac
+}
+
 ovs_bridge_init() {
 	local cfg="$1"
 
@@ -226,6 +240,17 @@ ovs_bridge_init() {
 		}
 	}
 
+	config_get fail_mode "$cfg" fail_mode
+	[ -n "$fail_mode" ] && {
+		ovs_bridge_validate_fail_mode "$fail_mode" && {
+			ovs-vsctl set-fail-mode "$name" "$fail_mode" 2> /dev/null
+		} || {
+			ovs-vsctl del-fail-mode "$name" 2> /dev/null
+		}
+	} || {
+		ovs-vsctl del-fail-mode "$name" 2> /dev/null
+	}
+
 	config_list_foreach "$cfg" "ports" ovs_bridge_port_add
 	config_foreach ovs_bridge_port_add_complex ovs_port "$name"
 	config_get_bool drop "$cfg" "drop_unknown_ports" 0
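Review bot: The rejection message in ovs_bridge_validate_fail_mode does not say which ovs_bridge section carries the bad value, so on a host with several bridges the log entry cannot be traced back to the section that needs fixing. The sibling validators start outside this hunk, so I cannot tell whether they share that shape, but accepting the bridge name as a second argument and logging `logger -t openvswitch "invalid fail_mode for bridge $2: $fail_mode"` would make the entry actionable. Because the outcome of this check decides what happens to the bridge's traffic when the controller is unreachable, a one-line comment above the function stating that only `secure` and `standalone` are accepted and that any other value is rejected would also help the next reader.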
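Review bot: The `a && { b } || { c }` chain in the new fail_mode block reaches the `del-fail-mode` fallback not only for an invalid value but also whenever `ovs-vsctl set-fail-mode` itself exits non-zero, and since its stderr is discarded nothing records that a requested `secure` mode was not applied; in both cases the bridge quietly ends up with the permissive default the commit message itself calls a hazard. An if/elif/else makes the three cases explicit, logs a failed set, and stops a misconfigured value from silently clearing the mode. Whether `return 1` is the right reaction for a bridge that already exists is a policy choice — the rest of ovs_bridge_init and its caller are outside the hunk — but a typo in fail_mode should not select standalone without a trace. The description's reason for `2> /dev/null` appears to apply to the delete call; if so, the set call could keep its stderr so a failure is visible.
```shell
	config_get fail_mode "$cfg" fail_mode
	if [ -z "$fail_mode" ]; then
		ovs-vsctl del-fail-mode "$name" 2> /dev/null
	elif ovs_bridge_validate_fail_mode "$fail_mode"; then
		ovs-vsctl set-fail-mode "$name" "$fail_mode" || \
			logger -t openvswitch "bridge $name: failed to set fail_mode $fail_mode"
	else
		# an unrecognised value must not fall back to the permissive default
		logger -t openvswitch "bridge $name: fail_mode left unchanged, fix the configuration"
		return 1
	fi
	# … unchanged: port setup …
```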