diff --git a/backport-CVE-2023-1668.patch b/backport-CVE-2023-1668.patch
deleted file mode 100644
index 0b7f7d35de8b97bc5398fd6f90679933772f53fa..0000000000000000000000000000000000000000
--- a/backport-CVE-2023-1668.patch
+++ /dev/null
@@ -1,433 +0,0 @@
-From 27fb5db7f727ffc056f024f9ba4936facccb5f40 Mon Sep 17 00:00:00 2001
-From: Aaron Conole
-Date: Fri, 31 Mar 2023 17:17:27 -0400
-Subject: [PATCH] ofproto-dpif-xlate: Always mask ip proto field.
-
-The ofproto layer currently treats nw_proto field as overloaded to mean
-both that a proper nw layer exists, as well as the value contained in
-the header for the nw proto. However, this is incorrect behavior as
-relevant standards permit that any value, including '0' should be treated
-as a valid value.
-
-Because of this overload, when the ofproto layer builds action list for
-a packet with nw_proto of 0, it won't build the complete action list that
-we expect to be built for the packet. That will cause a bad behavior
-where all packets passing the datapath will fall into an incomplete
-action set.
-
-The fix here is to unwildcard nw_proto, allowing us to preserve setting
-actions for protocols which we know have support for the actions we
-program. This means that a traffic which contains nw_proto == 0 cannot
-cause connectivity breakage with other traffic on the link.
-
-Reported-by: David Marchand
-Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873
-Acked-by: Ilya Maximets
-Signed-off-by: Aaron Conole
-Signed-off-by: Ilya Maximets
----
- include/openvswitch/meta-flow.h | 4 +
- lib/meta-flow.c | 25 +++++
- ofproto/ofproto-dpif-xlate.c | 8 ++
- tests/ofproto-dpif.at | 18 ++--
- tests/ofproto.at | 182 ++++++++++++++++++++++++++++++++
- tests/packet-type-aware.at | 2 +-
- 6 files changed, 229 insertions(+), 10 deletions(-)
-
-diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h
-index 045dce8f5fa..3b0220aaa25 100644
---- a/include/openvswitch/meta-flow.h
-+++ b/include/openvswitch/meta-flow.h
-@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue *subvalue, struct ds *s);
- void field_array_set(enum mf_field_id id, const union mf_value *,
- struct field_array *);
-
-+/* Mask the required l3 prerequisites if a 'set' action occurs. */
-+void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *,
-+ struct flow_wildcards *);
-+
- #ifdef __cplusplus
- }
- #endif
-diff --git a/lib/meta-flow.c b/lib/meta-flow.c
-index c576ae6202a..474344194fa 100644
---- a/lib/meta-flow.c
-+++ b/lib/meta-flow.c
-@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x)
- bitmap_not(x.bm, MFF_N_IDS);
- return x;
- }
-+
-+void
-+mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl,
-+ struct flow_wildcards *wc)
-+{
-+ if (is_ip_any(fl) &&
-+ ((mf->id == MFF_IPV4_SRC) ||
-+ (mf->id == MFF_IPV4_DST) ||
-+ (mf->id == MFF_IPV6_SRC) ||
-+ (mf->id == MFF_IPV6_DST) ||
-+ (mf->id == MFF_IPV6_LABEL) ||
-+ (mf->id == MFF_IP_DSCP) ||
-+ (mf->id == MFF_IP_ECN) ||
-+ (mf->id == MFF_IP_TTL))) {
-+ WC_MASK_FIELD(wc, nw_proto);
-+ } else if ((fl->dl_type == htons(ETH_TYPE_ARP)) &&
-+ ((mf->id == MFF_ARP_OP) ||
-+ (mf->id == MFF_ARP_SHA) ||
-+ (mf->id == MFF_ARP_THA) ||
-+ (mf->id == MFF_ARP_SPA) ||
-+ (mf->id == MFF_ARP_TPA))) {
-+ /* mask only the lower 8 bits. */
-+ wc->masks.nw_proto = 0xff;
-+ }
-+}
-diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
-index 8a28b29d4c2..c9bd075a90d 100644
---- a/ofproto/ofproto-dpif-xlate.c
-+++ b/ofproto/ofproto-dpif-xlate.c
-@@ -5186,6 +5186,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct ofpact_cnt_ids *ids)
- }
-
- ctx->wc->masks.nw_ttl = 0xff;
-+ WC_MASK_FIELD(ctx->wc, nw_proto);
- if (flow->nw_ttl > 1) {
- flow->nw_ttl--;
- return false;
-@@ -7094,6 +7095,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
- case OFPACT_SET_IPV4_SRC:
- if (flow->dl_type == htons(ETH_TYPE_IP)) {
- memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src);
-+ WC_MASK_FIELD(wc, nw_proto);
- flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4;
- }
- break;
-@@ -7101,12 +7103,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
- case OFPACT_SET_IPV4_DST:
- if (flow->dl_type == htons(ETH_TYPE_IP)) {
- memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst);
-+ WC_MASK_FIELD(wc, nw_proto);
- flow->nw_dst = ofpact_get_SET_IPV4_DST(a)->ipv4;
- }
- break;
-
- case OFPACT_SET_IP_DSCP:
- if (is_ip_any(flow)) {
-+ WC_MASK_FIELD(wc, nw_proto);
- wc->masks.nw_tos |= IP_DSCP_MASK;
- flow->nw_tos &= ~IP_DSCP_MASK;
- flow->nw_tos |= ofpact_get_SET_IP_DSCP(a)->dscp;
-@@ -7115,6 +7119,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
-
- case OFPACT_SET_IP_ECN:
- if (is_ip_any(flow)) {
-+ WC_MASK_FIELD(wc, nw_proto);
- wc->masks.nw_tos |= IP_ECN_MASK;
- flow->nw_tos &= ~IP_ECN_MASK;
- flow->nw_tos |= ofpact_get_SET_IP_ECN(a)->ecn;
-@@ -7123,6 +7128,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
-
- case OFPACT_SET_IP_TTL:
- if (is_ip_any(flow)) {
-+ WC_MASK_FIELD(wc, nw_proto);
- wc->masks.nw_ttl = 0xff;
- flow->nw_ttl = ofpact_get_SET_IP_TTL(a)->ttl;
- }
-@@ -7190,6 +7196,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
-
- /* Set the field only if the packet actually has it. */
- if (mf_are_prereqs_ok(mf, flow, wc)) {
-+ mf_set_mask_l3_prereqs(mf, flow, wc);
- mf_mask_field_masked(mf, ofpact_set_field_mask(set_field), wc);
- mf_set_flow_value_masked(mf, set_field->value,
- ofpact_set_field_mask(set_field),
-@@ -7246,6 +7253,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
-
- case OFPACT_DEC_TTL:
- wc->masks.nw_ttl = 0xff;
-+ WC_MASK_FIELD(wc, nw_proto);
- if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) {
- return;
- }
-diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
-index bc981f8fc61..71c267b3adc 100644
---- a/tests/ofproto-dpif.at
-+++ b/tests/ofproto-dpif.at
-@@ -720,7 +720,7 @@ table=2 ip actions=set_field:192.168.3.91->ip_src,output(11)
- AT_CHECK([ovs-ofctl -O OpenFlow12 add-flows br0 flows.txt])
- AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=1,nw_tos=0,nw_ttl=128,nw_frag=no,icmp_type=8,icmp_code=0'], [0], [stdout])
- AT_CHECK([tail -2 stdout], [0],
-- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no
-+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no
- Datapath actions: 10,set(ipv4(src=192.168.3.91)),11,set(ipv4(src=192.168.3.90)),13
- ])
- OVS_VSWITCHD_STOP
-@@ -783,7 +783,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds
- # Must match on the source address to be able to restore it's value for
- # the second bucket
- AT_CHECK([tail -2 stdout], [0],
-- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no
-+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no
- Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11
- ])
- OVS_VSWITCHD_STOP
-@@ -815,7 +815,7 @@ done
- AT_CHECK([ovs-appctl dpctl/dump-flows | sed 's/dp_hash(.*\/0xf)/dp_hash(0xXXXX\/0xf)/' | sed 's/packets.*actions:/actions:/' | strip_ufid | strip_used | sort], [0], [dnl
- flow-dump from the main thread:
- recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:hash(sym_l4(0)),recirc(0x1)
--recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10
-+recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,proto=1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10
- ])
-
- OVS_VSWITCHD_STOP
-@@ -830,7 +830,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds
- # Must match on the source address to be able to restore it's value for
- # the third bucket
- AT_CHECK([tail -2 stdout], [0],
-- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no
-+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no
- Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11
- ])
- OVS_VSWITCHD_STOP
-@@ -1407,17 +1407,17 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=2,frag=no)' -generate], [0], [stdout])
- AT_CHECK([tail -4 stdout], [0], [
- Final flow: ip,in_port=1,vlan_tci=0x0000,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=111,nw_tos=0,nw_ecn=0,nw_ttl=1,nw_frag=no
--Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=2,nw_frag=no
-+Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=2,nw_frag=no
- Datapath actions: set(ipv4(ttl=1)),2,userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)),4
- ])
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=3,frag=no)'], [0], [stdout])
- AT_CHECK([tail -2 stdout], [0],
-- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=3,nw_frag=no
-+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=3,nw_frag=no
- Datapath actions: set(ipv4(ttl=2)),2,set(ipv4(ttl=1)),3,4
- ])
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x86dd),ipv6(src=::1,dst=::2,label=0,proto=10,tclass=0x70,hlimit=128,frag=no)'], [0], [stdout])
- AT_CHECK([tail -2 stdout], [0],
-- [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_ttl=128,nw_frag=no
-+ [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_proto=10,nw_ttl=128,nw_frag=no
- Datapath actions: set(ipv6(hlimit=127)),2,set(ipv6(hlimit=126)),3,4
- ])
-
-@@ -1527,7 +1527,7 @@ AT_CHECK([ovs-vsctl -- \
- --id=@q2 create Queue dscp=2], [0], [ignore])
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(9),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=1.1.1.1,dst=2.2.2.2,proto=1,tos=0xff,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout])
- AT_CHECK([tail -2 stdout], [0],
-- [Megaflow: recirc_id=0,skb_priority=0,eth,ip,in_port=9,nw_tos=252,nw_frag=no
-+ [Megaflow: recirc_id=0,skb_priority=0,eth,icmp,in_port=9,nw_tos=252,nw_frag=no
- Datapath actions: dnl
- 100,dnl
- set(ipv4(tos=0x4/0xfc)),set(skb_priority(0x1)),1,dnl
-@@ -11703,7 +11703,7 @@ ovs-ofctl dump-flows br0
-
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.10.10.2,dst=10.10.10.1,proto=1,tos=1,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout])
- AT_CHECK([tail -3 stdout], [0], [dnl
--Megaflow: recirc_id=0,eth,ip,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no
-+Megaflow: recirc_id=0,eth,icmp,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no
- Datapath actions: drop
- Translation failed (Recursion too deep), packet is dropped.
- ])
-diff --git a/tests/ofproto.at b/tests/ofproto.at
-index 39c3b047045..32bde5b5a28 100644
---- a/tests/ofproto.at
-+++ b/tests/ofproto.at
-@@ -6448,3 +6448,185 @@ verify_deleted
-
- OVS_VSWITCHD_STOP(["/nw_dst,output=2
-+table=0 in_port=1 priority=83,ip,nw_dst=192.168.1.15,actions=set_field:192.168.21.26->nw_src,output=2
-+table=0 in_port=1 priority=82,ip,nw_dst=192.168.1.14,actions=set_field:0x40->nw_tos,output=2
-+table=0 in_port=1 priority=0,actions=drop
-+])
-+AT_CHECK([ovs-ofctl del-flows br0])
-+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
-+
-+dnl send a proto 0 packet to try and poison the DP flow path
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \
-+ '5054000000075054000000050800450000548de140004000289fc0a801c4c0a8011408003bf60002001bbf080a640000000032ad010000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2
-+])
-+
-+dnl Send ICMP for mod nw_src and mod nw_dst
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.20,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will dec TTL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.10,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will mod TTL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.19,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will mod ECN
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.18,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will mod TOS
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.17,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will set DST
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.16,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will set SRC
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will set TOS
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.14,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.10,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=63)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.14,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.16,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.26)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.17,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.18,proto=1,tos=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x2/0x3)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.19,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=8)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.20)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.21.26)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.20.21)),2
-+])
-+
-+OVS_VSWITCHD_STOP
-+AT_CLEANUP
-+
-+AT_SETUP([ofproto - implicit mask of ipv6 proto with HOPOPT field])
-+OVS_VSWITCHD_START
-+add_of_ports br0 1 2
-+
-+AT_DATA([flows.txt], [dnl
-+table=0 in_port=1 priority=77,ip6,ipv6_dst=111:db8::3,actions=dec_ttl,output=2
-+table=0 in_port=1 priority=76,ip6,ipv6_dst=111:db8::4,actions=mod_nw_ttl:8,output=2
-+table=0 in_port=1 priority=75,ip6,ipv6_dst=111:db8::5,actions=mod_nw_ecn:2,output=2
-+table=0 in_port=1 priority=74,ip6,ipv6_dst=111:db8::6,actions=mod_nw_tos:0x40,output=2
-+table=0 in_port=1 priority=73,ip6,ipv6_dst=111:db8::7,actions=set_field:2112:db8::2->ipv6_dst,output=2
-+table=0 in_port=1 priority=72,ip6,ipv6_dst=111:db8::8,actions=set_field:2112:db8::3->ipv6_src,output=2
-+table=0 in_port=1 priority=72,ip6,ipv6_dst=111:db8::9,actions=set_field:44->ipv6_label,output=2
-+table=0 in_port=1 priority=0,actions=drop
-+])
-+AT_CHECK([ovs-ofctl del-flows br0])
-+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
-+
-+dnl send a proto 0 packet to try and poison the DP flow path
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=0,tclass=0,hlimit=64,frag=no)'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535))
-+])
-+
-+dnl Send ICMP for mod nw_src and mod nw_dst
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::4,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will dec TTL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::5,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will mod TTL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::6,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will mod ECN
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::7,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will mod TOS
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will set LABEL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::9,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=63)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::4,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=8)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::5,proto=1,tclass=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x2/0x3)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::6,proto=1,tclass=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x40/0xfc)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::7,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(dst=2112:db8::2)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::9,label=0,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(label=0x2c)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(src=2112:db8::3)),2
-+])
-+
-+OVS_VSWITCHD_STOP
-+AT_CLEANUP
-+
-+AT_SETUP([ofproto - implicit mask of ARP OPer field])
-+OVS_VSWITCHD_START
-+add_of_ports br0 1 2
-+
-+AT_DATA([flows.txt], [dnl
-+table=0 in_port=1 priority=77,arp,arp_sha=00:01:02:03:04:06,actions=set_field:0x1->arp_op,2
-+table=0 in_port=1 priority=76,arp,arp_sha=00:01:02:03:04:07,actions=set_field:00:02:03:04:05:06->arp_sha,2
-+table=0 in_port=1 priority=75,arp,arp_sha=00:01:02:03:04:08,actions=set_field:ff:00:00:00:00:ff->arp_tha,2
-+table=0 in_port=1 priority=74,arp,arp_sha=00:01:02:03:04:09,actions=set_field:172.31.110.26->arp_spa,2
-+table=0 in_port=1 priority=73,arp,arp_sha=00:01:02:03:04:0a,actions=set_field:172.31.110.10->arp_tpa,2
-+table=0 in_port=1 priority=1,actions=drop
-+])
-+
-+AT_CHECK([ovs-ofctl del-flows br0])
-+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
-+
-+dnl Send op == 0 packet
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \
-+ 'ffffffffffffaa55aa550000080600010800060400000001020304070c0a00010000000000000c0a0002'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2
-+])
-+
-+dnl Send op 2 -> set op
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=2,sha=00:01:02:03:04:06,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+dnl Send op 1 -> set SHA
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:07,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+dnl Send op 1 -> set THA
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+dnl Send op 1 -> set SIP
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:09,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+dnl Send op 1 -> set TIP
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=2,sha=00:01:02:03:04:06), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(sip=172.31.110.1,op=1,sha=00:01:02:03:04:09), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+])
-+
-+OVS_VSWITCHD_STOP
-+AT_CLEANUP
-diff --git a/tests/packet-type-aware.at b/tests/packet-type-aware.at
-index 054dcc9ccf6..38d839e85ce 100644
---- a/tests/packet-type-aware.at
-+++ b/tests/packet-type-aware.at
-@@ -1021,7 +1021,7 @@ AT_CHECK([
- ], [0], [flow-dump from the main thread:
- recirc_id(0),in_port(p0),packet_type(ns=0,id=0),eth(src=aa:bb:cc:00:00:02,dst=aa:bb:cc:00:00:01),eth_type(0x0800),ipv4(dst=20.0.0.1,proto=47,frag=no), packets:3, bytes:378, used:0.0s, actions:tnl_pop(gre_sys)
- tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0),in_port(gre_sys),packet_type(ns=1,id=0x8847),eth_type(0x8847),mpls(label=999/0x0,tc=0/0,ttl=64/0x0,bos=1/1), packets:3, bytes:264, used:0.0s, actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),pop_mpls(eth_type=0x800),recirc(0x1)
--tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br
-+tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=1,ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br
- ])
-
- ovs-appctl time/warp 1000
diff --git a/backport-CVE-2023-5366.patch b/backport-CVE-2023-5366.patch
deleted file mode 100644
index 6e2a7caf5e8b3b1d4a755aab8a138e22a330daef..0000000000000000000000000000000000000000
--- a/backport-CVE-2023-5366.patch
+++ /dev/null
@@ -1,233 +0,0 @@
-From 489553b1c21692063931a9f50b6849b23128443c Mon Sep 17 00:00:00 2001
-From: Ilya Maximets
-Date: Fri, 17 Feb 2023 21:09:59 +0100
-Subject: [PATCH] classifier: Fix missing masks on a final stage with ports
- trie.
-
-Flow lookup doesn't include masks of the final stage in a resulting
-flow wildcards in case that stage had L4 ports match. Only the result
-of ports trie lookup is added to the mask. It might be sufficient in
-many cases, but it's not correct, because ports trie is not how we
-decided that the packet didn't match in this subtable. In fact, we
-used a full subtable mask in order to determine that, so all the
-subtable mask bits has to be added.
-
-Ports trie can still be used to adjust ports' mask, but it is not
-sufficient to determine that the packet didn't match.
-
-Assuming we have following 2 OpenFlow rules on the bridge:
-
- table=0, priority=10,tcp,tp_dst=80,tcp_flags=+psh actions=drop
- table=0, priority=0 actions=output(1)
-
-The first high priority rule supposed to drop all the TCP data traffic
-sent on port 80. The handshake, however, is allowed for forwarding.
-
-Both 'tcp_flags' and 'tp_dst' are on the final stage in the flow.
-Since the stage mask from that stage is not incorporated into the flow
-wildcards and only ports mask is getting updated, we have the following
-megaflow for the SYN packet that has no match on 'tcp_flags':
-
- $ ovs-appctl ofproto/trace br0 "in_port=br0,tcp,tp_dst=80,tcp_flags=syn"
-
- Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80
- Datapath actions: 1
-
-If this flow is getting installed into datapath flow table, all the
-packets for port 80, regardless of TCP flags, will be forwarded.
-
-Incorporating all the looked at bits from the final stage into the
-stages map in order to get all the necessary wildcards. Ports mask
-has to be updated as a last step, because it doesn't cover the full
-64-bit slot in the flowmap.
-
-With this change, in the example above, OVS is producing correct
-flow wildcards including match on TCP flags:
-
- Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80,tcp_flags=-psh
- Datapath actions: 1
-
-This way only -psh packets will be forwarded, as expected.
-
-This issue affects all other fields on stage 4, not only TCP flags.
-Tests included to cover tcp_flags, nd_target and ct_tp_src/dst.
-First two are frequently used, ct ones are sharing the same flowmap
-slot with L4 ports, so important to test.
-
-Before the pre-computation of stage masks, flow wildcards were updated
-during lookup, so there was no issue. The bits of the final stage was
-lost with introduction of 'stages_map'.
-
-Recent adjustment of segment boundaries exposed 'tcp_flags' to the issue.
-
-Reported-at: https://github.com/openvswitch/ovs-issues/issues/272
-Fixes: ca44218515f0 ("classifier: Adjust segment boundary to execute prerequisite processing.")
-Fixes: fa2fdbf8d0c1 ("classifier: Pre-compute stage masks.")
-Acked-by: Aaron Conole
-Signed-off-by: Ilya Maximets
----
- lib/classifier.c | 25 ++++++++++---
- tests/classifier.at | 88 +++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 108 insertions(+), 5 deletions(-)
-
-diff --git a/lib/classifier.c b/lib/classifier.c
-index 0a89626cc30..18dbfc83ad4 100644
---- a/lib/classifier.c
-+++ b/lib/classifier.c
-@@ -1695,6 +1695,8 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version,
- const struct cls_match *rule = NULL;
- struct flowmap stages_map = FLOWMAP_EMPTY_INITIALIZER;
- unsigned int mask_offset = 0;
-+ bool adjust_ports_mask = false;
-+ ovs_be32 ports_mask;
- int i;
-
- /* Try to finish early by checking fields in segments. */
-@@ -1722,6 +1724,9 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version,
- subtable->index_maps[i], flow, wc)) {
- goto no_match;
- }
-+ /* Accumulate the map used so far. */
-+ stages_map = flowmap_or(stages_map, subtable->index_maps[i]);
-+
- hash = flow_hash_in_minimask_range(flow, &subtable->mask,
- subtable->index_maps[i],
- &mask_offset, &basis);
-@@ -1731,14 +1736,16 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version,
- * unwildcarding all the ports bits, use the ports trie to figure out a
- * smaller set of bits to unwildcard. */
- unsigned int mbits;
-- ovs_be32 value, plens, mask;
-+ ovs_be32 value, plens;
-
-- mask = miniflow_get_ports(&subtable->mask.masks);
-- value = ((OVS_FORCE ovs_be32 *)flow)[TP_PORTS_OFS32] & mask;
-+ ports_mask = miniflow_get_ports(&subtable->mask.masks);
-+ value = ((OVS_FORCE ovs_be32 *) flow)[TP_PORTS_OFS32] & ports_mask;
- mbits = trie_lookup_value(&subtable->ports_trie, &value, &plens, 32);
-
-- ((OVS_FORCE ovs_be32 *)&wc->masks)[TP_PORTS_OFS32] |=
-- mask & be32_prefix_mask(mbits);
-+ ports_mask &= be32_prefix_mask(mbits);
-+ ports_mask |= ((OVS_FORCE ovs_be32 *) &wc->masks)[TP_PORTS_OFS32];
-+
-+ adjust_ports_mask = true;
-
- goto no_match;
- }
-@@ -1751,6 +1758,14 @@ find_match_wc(const struct cls_subtable *subtable, ovs_version_t version,
- /* Unwildcard the bits in stages so far, as they were used in determining
- * there is no match. */
- flow_wildcards_fold_minimask_in_map(wc, &subtable->mask, stages_map);
-+ if (adjust_ports_mask) {
-+ /* This has to be done after updating flow wildcards to overwrite
-+ * the ports mask back. We can't simply disable the corresponding bit
-+ * in the stages map, because it has 64-bit resolution, i.e. one
-+ * bit covers not only tp_src/dst, but also ct_tp_src/dst, which are
-+ * not covered by the trie. */
-+ ((OVS_FORCE ovs_be32 *) &wc->masks)[TP_PORTS_OFS32] = ports_mask;
-+ }
- return NULL;
- }
-
-diff --git a/tests/classifier.at b/tests/classifier.at
-index f652b59837b..de2705653e0 100644
---- a/tests/classifier.at
-+++ b/tests/classifier.at
-@@ -65,6 +65,94 @@ Datapath actions: 2
- OVS_VSWITCHD_STOP
- AT_CLEANUP
-
-+AT_SETUP([flow classifier - lookup segmentation - final stage])
-+OVS_VSWITCHD_START
-+add_of_ports br0 1 2 3
-+AT_DATA([flows.txt], [dnl
-+table=0 in_port=1 priority=33,tcp,tp_dst=80,tcp_flags=+psh,action=output(2)
-+table=0 in_port=1 priority=0,ip,action=drop
-+table=0 in_port=2 priority=16,icmp6,nw_ttl=255,icmp_type=135,icmp_code=0,nd_target=1000::1 ,action=output(1)
-+table=0 in_port=2 priority=0,ip,action=drop
-+table=0 in_port=3 action=resubmit(,1)
-+table=1 in_port=3 priority=45,ct_state=+trk+rpl,ct_nw_proto=6,ct_tp_src=3/0x1,tcp,tp_dst=80,tcp_flags=+psh,action=output(2)
-+table=1 in_port=3 priority=10,ip,action=drop
-+])
-+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
-+
-+AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn'], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh
-+Datapath actions: drop
-+])
-+AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn|ack'], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh
-+Datapath actions: drop
-+])
-+AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=ack|psh'], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=+psh
-+Datapath actions: 2
-+])
-+AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh
-+Datapath actions: drop
-+])
-+AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79'], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=-psh
-+Datapath actions: drop
-+])
-+
-+dnl Having both the port and the tcp flags in the resulting megaflow below
-+dnl is redundant, but that is how ports trie logic is implemented.
-+AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=81'], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=81,tcp_flags=-psh
-+Datapath actions: drop
-+])
-+
-+dnl nd_target is redundant in the megaflow below and it is also not relevant
-+dnl for an icmp reply. Datapath may discard that match, but it is OK as long
-+dnl as we have prerequisites (icmp_type) in the match as well.
-+AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=128,icmpv6_code=0"], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x80/0xfc,nd_target=::
-+Datapath actions: drop
-+])
-+
-+AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0"], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=::
-+Datapath actions: drop
-+])
-+AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::1"], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::1
-+Datapath actions: 1
-+])
-+AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::2"], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::2
-+Datapath actions: drop
-+])
-+
-+dnl Check that ports' mask doesn't affect ct ports.
-+AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=psh'], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=80,tcp_flags=+psh
-+Datapath actions: 2
-+])
-+AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79,tcp_flags=psh'], [0], [stdout])
-+AT_CHECK([tail -2 stdout], [0],
-+ [Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=+psh
-+Datapath actions: drop
-+])
-+
-+OVS_VSWITCHD_STOP
-+AT_CLEANUP
-+
- AT_BANNER([flow classifier prefix lookup])
- AT_SETUP([flow classifier - prefix lookup])
- OVS_VSWITCHD_START
-
-
diff --git a/backport-docs-5-Run_tbl_preprocessor_in_manpage-check_rule.patch b/backport-docs-5-Run_tbl_preprocessor_in_manpage-check_rule.patch
deleted file mode 100644
index dcbc4de09556504ce7bec5088aad10af8badbf68..0000000000000000000000000000000000000000
--- a/backport-docs-5-Run_tbl_preprocessor_in_manpage-check_rule.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-Description: [PATCH v2 5/5] docs: Run tbl preprocessor in manpage-check rule
-Date: Fri, 4 Aug 2023 18:25:33 +0100
- If we omit this, groff 1.23.0 warns:
- .
- tbl preprocessor failed, or it or soelim was not run; table(s) likely
- not rendered (TE macro called with TW register undefined)
- .
-Author: Colin Watson
-Bug-Debian: https://bugs.debian.org/1042358
-Last-Update: 2023-08-07
-
----
- Makefile.am | 2 +-
- build-aux/extract-ofp-fields | 15 +++++++++------
- lib/meta-flow.xml | 25 +++++++++++++------------
- 3 files changed, 23 insertions(+), 19 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 9807d63..c29725d 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -368,7 +368,7 @@ ALL_LOCAL += manpage-check
- manpage-check: $(man_MANS) $(dist_man_MANS) $(noinst_man_MANS)
- @error=false; \
- for manpage in $?; do \
-- LANG=en_US.UTF-8 groff -w mac -w delim -w escape -w input -w missing -w tab -T utf8 -man -p -z $$manpage >$@.tmp 2>&1; \
-+ LANG=en_US.UTF-8 groff -t -w mac -w delim -w escape -w input -w missing -w tab -T utf8 -man -p -z $$manpage >$@.tmp 2>&1; \
- if grep warning: $@.tmp; then error=:; fi; \
- rm -f $@.tmp; \
- done; \
-diff --git a/build-aux/extract-ofp-fields b/build-aux/extract-ofp-fields
-index 8766995..5fbdc34 100755
---- a/build-aux/extract-ofp-fields
-+++ b/build-aux/extract-ofp-fields
-@@ -552,12 +552,14 @@ def field_to_xml(field_node, f, body, summary):
- ovs_version = [int(x) for x in ovs_version_s.split('.')]
- if min_ovs_version is None or ovs_version < min_ovs_version:
- min_ovs_version = ovs_version
-- summary += ["\\fB%s\\fR" % f["name"]]
-+ summary += ["T{\n\\fB%s\\fR" % f["name"]]
- if f["extra_name"]:
- summary += [" aka \\fB%s\\fR" % f["extra_name"]]
-- summary += [";%d" % f["n_bytes"]]
-+ summary += ["\nT}"]
-+ summary += [";T{\n%d" % f["n_bytes"]]
- if f["n_bits"] != 8 * f["n_bytes"]:
- summary += [" (low %d bits)" % f["n_bits"]]
-+ summary += ["\nT}"]
- summary += [";%s;" % {"MFM_NONE": "no", "MFM_FULLY": "yes"}[f["mask"]]]
- summary += ["%s;" % {True: "yes", False: "no"}[f["writable"]]]
- summary += ["%s;" % f["prereqs"]]
-@@ -566,7 +568,7 @@ def field_to_xml(field_node, f, body, summary):
- support += ["OF %s+" % VERSION_REVERSE[min_of_version]]
- if min_ovs_version is not None:
- support += ["OVS %s+" % '.'.join([str(x) for x in min_ovs_version])]
-- summary += ' and '.join(support)
-+ summary += ["T{\n", " and ".join(support), "\nT}"]
- summary += ["\n"]
-
- # Full description.
-@@ -589,8 +591,9 @@ l lx.
-
- body += ["Width:;"]
- if f["n_bits"] != 8 * f["n_bytes"]:
-- body += ["%d bits (only the least-significant %d bits "
-- "may be nonzero)" % (f["n_bytes"] * 8, f["n_bits"])]
-+ body += ["T{\n", "%d bits (only the least-significant %d bits "
-+ "may be nonzero)" % (f["n_bytes"] * 8, f["n_bits"]),
-+ "\nT}",]
- elif f["n_bits"] <= 128:
- body += ["%d bits" % f["n_bits"]]
- else:
-@@ -657,7 +660,7 @@ def group_xml_to_nroff(group_node, fields):
- '.TS\n',
- 'tab(;);\n',
- 'l l l l l l l.\n',
-- 'Name;Bytes;Mask;RW?;Prereqs;NXM/OXM Support\n',
-+ "Name;Bytes;Mask;RW?;Prereqs;T{\nNXM/OXM Support\nT}\n",
- '\_;\_;\_;\_;\_;\_\n']
- content += summary
- content += ['.TE\n']
-diff --git a/lib/meta-flow.xml b/lib/meta-flow.xml
-index 28865f8..cb612d7 100644
---- a/lib/meta-flow.xml
-+++ b/lib/meta-flow.xml
-@@ -3517,23 +3517,24 @@ actions=clone(load:0->NXM_OF_IN_PORT[],output:123)
-
-
-
-+tab(;);
- r r r r r.
--Criteria OpenFlow 1.0 OpenFlow 1.1 OpenFlow 1.2+ NXM
--\_ \_ \_ \_ \_
--[1] \fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR \fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR \fL0000\fR/\fL0000\fR,\fL--\fR \fL0000\fR/\fL0000\fR
--[2] \fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR \fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR \fL0000\fR/\fLffff\fR,\fL--\fR \fL0000\fR/\fLffff\fR
--[3] \fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR \fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR \fL1xxx\fR/\fLffff\fR,\fL--\fR \fL1xxx\fR/\fL1fff\fR
--[4] \fL????\fR/\fL1\fR,\fL0y\fR/\fL0\fR \fLfffe\fR/\fL0\fR,\fL0y\fR/\fL0\fR \fL1000\fR/\fL1000\fR,\fL0y\fR \fLz000\fR/\fLf000\fR
--[5] \fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR \fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR \fL1xxx\fR/\fLffff\fR,\fL0y\fR \fLzxxx\fR/\fLffff\fR
-+Criteria;OpenFlow 1.0;OpenFlow 1.1;OpenFlow 1.2+;NXM
-+\_;\_;\_;\_;\_
-+[1];\fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR;\fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR;\fL0000\fR/\fL0000\fR,\fL--\fR;\fL0000\fR/\fL0000\fR
-+[2];\fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR;\fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR;\fL0000\fR/\fLffff\fR,\fL--\fR;\fL0000\fR/\fLffff\fR
-+[3];\fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR;\fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR;\fL1xxx\fR/\fLffff\fR,\fL--\fR;\fL1xxx\fR/\fL1fff\fR
-+[4];\fL????\fR/\fL1\fR,\fL0y\fR/\fL0\fR;\fLfffe\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL1000\fR/\fL1000\fR,\fL0y\fR;\fLz000\fR/\fLf000\fR
-+[5];\fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL1xxx\fR/\fLffff\fR,\fL0y\fR;\fLzxxx\fR/\fLffff\fR
- .T&
- r r c c r.
--[6] (none) (none) \fL1001\fR/\fL1001\fR,\fL--\fR \fL1001\fR/\fL1001\fR
-+[6];(none);(none);\fL1001\fR/\fL1001\fR,\fL--\fR;\fL1001\fR/\fL1001\fR
- .T&
- r r c c c.
--[7] (none) (none) (none) \fL3000\fR/\fL3000\fR
--[8] (none) (none) (none) \fL0000\fR/\fL0fff\fR
--[9] (none) (none) (none) \fL0000\fR/\fLf000\fR
--[10] (none) (none) (none) \fL0000\fR/\fLefff\fR
-+[7];(none);(none);(none);\fL3000\fR/\fL3000\fR
-+[8];(none);(none);(none);\fL0000\fR/\fL0fff\fR
-+[9];(none);(none);(none);\fL0000\fR/\fLf000\fR
-+[10];(none);(none);(none);\fL0000\fR/\fLefff\fR
-
-
-
---
-2.27.0
-
diff --git a/openvswitch-2.17.5.tar.gz b/openvswitch-3.2.1.tar.gz
similarity index 50%
rename from openvswitch-2.17.5.tar.gz
rename to openvswitch-3.2.1.tar.gz
index bebe967830130ae36a7b794be89ee5fa6c133c63..531ba92d56ed0a775e3617fc82de00078396e742 100644
Binary files a/openvswitch-2.17.5.tar.gz and b/openvswitch-3.2.1.tar.gz differ
diff --git a/openvswitch.spec b/openvswitch.spec
index 3db595c0d80d7c1d9d22866778aed9e6ce5154d2..3e24037228bfc5645095c771c616075521b0b7a1 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -12,8 +12,8 @@
Name: openvswitch
Summary: Open vSwitch daemon/database/utilities
URL: https://www.openvswitch.org/
-Version: 2.17.5
-Release: 7
+Version: 3.2.1
+Release: 1
License: ASL 2.0 and LGPLv2+ and SISSL
Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz
@@ -21,9 +21,6 @@ Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz
Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
Patch0002: 0002-Remove-unsupported-permission-names.patch
Patch0003: fix-selinux-err.patch
-Patch6000: backport-CVE-2023-1668.patch
-Patch6001: backport-docs-5-Run_tbl_preprocessor_in_manpage-check_rule.patch
-Patch6002: backport-CVE-2023-5366.patch
BuildRequires: gcc gcc-c++ make
BuildRequires: autoconf automake libtool
@@ -355,6 +352,7 @@ fi
%{_bindir}/ovs-test
%{_bindir}/ovs-vlan-test
%{_bindir}/ovs-l3ping
+%{_datadir}/openvswitch/scripts/usdt/*
%{python3_sitelib}/ovstest
%files testcontroller
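Review bot: The added `%{_datadir}/openvswitch/scripts/usdt/*` entry packages the files under `usdt/` but not the directory itself. Unless another entry outside this hunk owns it, the directory is left unowned and can remain on disk after the package is removed. Listing the directory instead, `%{_datadir}/openvswitch/scripts/usdt/`, or adding `%dir %{_datadir}/openvswitch/scripts/usdt` above the glob, would give it an owner. The `%files` header this entry belongs to is outside the hunk; judging by the neighbouring `ovs-test` entries it appears to be the test subpackage, so it is worth confirming that is where these scripts are meant to ship.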
@@ -427,7 +425,10 @@ fi
%{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs
%changelog
-* Sun Oct 07 2023 zhouwenpei - 2.17.5-7
+* Fri Jan 26 2024 zhangpan - 3.2.1-1
+- update to 3.2.1
+
+* Sat Oct 07 2023 zhouwenpei - 2.17.5-7
- fix CVE-2023-5366
* Tue Aug 29 2023 zhangpan - 2.17.5-6