diff --git a/SOURCES/openvswitch-3.1.0.patch b/SOURCES/openvswitch-3.1.0.patch index c8eb735..261a378 100644 --- a/SOURCES/openvswitch-3.1.0.patch +++ b/SOURCES/openvswitch-3.1.0.patch @@ -2130,7 +2130,7 @@ index 4d411d19fd..7ece2eae2f 100644 int timeout_policy_update(struct conntrack *ct, struct timeout_policy *tp); int timeout_policy_delete(struct conntrack *ct, uint32_t tp_id); diff --git a/lib/conntrack.c b/lib/conntrack.c -index 524670e45d..d25f501582 100644 +index 524670e45d..b6aa641688 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -101,7 +101,7 @@ static enum ct_update_res conn_update(struct conntrack *ct, struct conn *conn, @@ -2375,8 +2375,22 @@ index 524670e45d..d25f501582 100644 if (ct_verify_helper(helper, ct_alg_ctl)) { nc->alg = nullable_xstrdup(helper); -@@ -987,46 +939,33 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, +@@ -985,58 +937,51 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, + nc->parent_key = alg_exp->parent_key; + } ++ ovs_mutex_init_adaptive(&nc->lock); ++ atomic_flag_clear(&nc->reclaimed); ++ fwd_key_node->dir = CT_DIR_FWD; ++ rev_key_node->dir = CT_DIR_REV; ++ ++ if (zl) { ++ nc->admit_zone = zl->czl.zone; ++ nc->zone_limit_seq = zl->czl.zone_limit_seq; ++ } else { ++ nc->admit_zone = INVALID_ZONE; ++ } ++ if (nat_action_info) { nc->nat_action = nat_action_info->nat_action; - nat_conn = xzalloc(sizeof *nat_conn); 
@@ -2421,17 +2435,28 @@ index 524670e45d..d25f501582 100644 } - nc->nat_conn = nat_conn; - ovs_mutex_init_adaptive(&nc->lock); +- ovs_mutex_init_adaptive(&nc->lock); - nc->conn_type = CT_CONN_TYPE_DEFAULT; - atomic_flag_clear(&nc->reclaimed); +- atomic_flag_clear(&nc->reclaimed); - cmap_insert(&ct->conns, &nc->cm_node, ctx->hash); -+ fwd_key_node->dir = CT_DIR_FWD; -+ rev_key_node->dir = CT_DIR_REV; + cmap_insert(&ct->conns, &fwd_key_node->cm_node, ctx->hash); conn_expire_push_front(ct, nc); atomic_count_inc(&ct->n_conn); - ctx->conn = nc; /* For completeness. */ -@@ -1047,7 +986,6 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, +- ctx->conn = nc; /* For completeness. */ ++ + if (zl) { +- nc->admit_zone = zl->czl.zone; +- nc->zone_limit_seq = zl->czl.zone_limit_seq; + atomic_count_inc(&zl->czl.count); +- } else { +- nc->admit_zone = INVALID_ZONE; + } ++ ++ ctx->conn = nc; /* For completeness. */ + } + + return nc; +@@ -1047,7 +992,6 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, * firewall rules or a separate firewall. Also using zone partitioning * can limit DoS impact. */ nat_res_exhaustion: @@ -2439,7 +2464,7 @@ index 524670e45d..d25f501582 100644 delete_conn__(nc); static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 5); VLOG_WARN_RL(&rl, "Unable to NAT due to tuple space exhaustion - " -@@ -1060,7 +998,6 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, +@@ -1060,7 +1004,6 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, struct conn_lookup_ctx *ctx, struct conn *conn, long long now) { @@ -2447,7 +2472,7 @@ index 524670e45d..d25f501582 100644 bool create_new_conn = false; if (ctx->icmp_related) { -@@ -1087,7 +1024,8 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, +@@ -1087,7 +1030,8 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, pkt->md.ct_state = CS_INVALID; break; case CT_UPDATE_NEW: 
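Review bot: Nothing at the `cmap_insert(&ct->conns, &fwd_key_node->cm_node, ctx->hash);` call records that every field of `nc` must be set before that line. This hunk and the preceding one (inner header `@@ -985,58 +937,51 @@`) establish that invariant by moving the lock, `reclaimed`, `dir`, `admit_zone` and `zone_limit_seq` setup ahead of the insert. Without a marker, a later edit could add a field assignment after the insert and reopen a window in which another thread looking up `ct->conns` (presumably without holding the conn lock; the readers are not shown here) sees a partly initialised conn. I would add a comment directly above the insert, for example `/* 'nc' becomes visible to other threads here; initialize every field above this line. */`. conn_not_found begins outside the hunk, so any fields set earlier in the function could not be checked from here.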
@@ -2457,7 +2482,7 @@ index 524670e45d..d25f501582 100644 conn_force_expire(conn); } create_new_conn = true; -@@ -1263,8 +1201,10 @@ initial_conn_lookup(struct conntrack *ct, struct conn_lookup_ctx *ctx, +@@ -1263,8 +1207,10 @@ initial_conn_lookup(struct conntrack *ct, struct conn_lookup_ctx *ctx, if (natted) { if (OVS_LIKELY(ctx->conn)) { @@ -2469,7 +2494,7 @@ index 524670e45d..d25f501582 100644 ctx->hash = conn_key_hash(&ctx->key, ct->hash_basis); } else { /* A lookup failure does not necessarily imply that an -@@ -1297,31 +1237,13 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, +@@ -1297,31 +1243,13 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, /* Delete found entry if in wrong direction. 'force' implies commit. */ if (OVS_UNLIKELY(force && ctx->reply && conn)) { @@ -2503,7 +2528,7 @@ index 524670e45d..d25f501582 100644 enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, tp_src, tp_dst, helper); -@@ -1414,8 +1336,9 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, +@@ -1414,8 +1342,9 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, struct conn *conn = packet->md.conn; if (OVS_UNLIKELY(packet->md.ct_state == CS_INVALID)) { write_ct_md(packet, zone, NULL, NULL, NULL); @@ -2515,7 +2540,7 @@ index 524670e45d..d25f501582 100644 process_one_fast(zone, setmark, setlabel, nat_action_info, conn, packet); } else if (OVS_UNLIKELY(!conn_key_extract(ct, packet, dl_type, &ctx, -@@ -1512,12 +1435,12 @@ conntrack_clean(struct conntrack *ct, long long now) +@@ -1512,12 +1441,12 @@ conntrack_clean(struct conntrack *ct, long long now) clean_end = n_conn_limit / 64; for (i = ct->next_sweep; i < N_EXP_LISTS; i++) { 
@@ -2530,7 +2555,7 @@ index 524670e45d..d25f501582 100644 } ct->next_sweep = (i < N_EXP_LISTS) ? i : 0; -@@ -2172,7 +2095,7 @@ nat_ipv6_addr_increment(struct in6_addr *ipv6, uint32_t increment) +@@ -2172,7 +2101,7 @@ nat_ipv6_addr_increment(struct in6_addr *ipv6, uint32_t increment) } static uint32_t @@ -2539,7 +2564,7 @@ index 524670e45d..d25f501582 100644 const struct nat_action_info_t *nat_info) { uint32_t hash = basis; -@@ -2182,11 +2105,11 @@ nat_range_hash(const struct conn *conn, uint32_t basis, +@@ -2182,11 +2111,11 @@ nat_range_hash(const struct conn *conn, uint32_t basis, hash = hash_add(hash, ((uint32_t) nat_info->max_port << 16) | nat_info->min_port); @@ -2556,7 +2581,7 @@ index 524670e45d..d25f501582 100644 /* The purpose of the second parameter is to distinguish hashes of data of * different length; our data always has the same length so there is no -@@ -2260,7 +2183,7 @@ get_addr_in_range(union ct_addr *min, union ct_addr *max, +@@ -2260,19 +2189,21 @@ get_addr_in_range(union ct_addr *min, union ct_addr *max, } static void @@ -2565,7 +2590,12 @@ index 524670e45d..d25f501582 100644 union ct_addr *max, union ct_addr *curr, uint32_t hash, bool ipv4, const struct nat_action_info_t *nat_info) -@@ -2270,9 +2193,9 @@ find_addr(const struct conn *conn, union ct_addr *min, + { +- const union ct_addr zero_ip = {0}; ++ union ct_addr zero_ip; ++ ++ memset(&zero_ip, 0, sizeof zero_ip); + /* All-zero case. */ if (!memcmp(min, &zero_ip, sizeof *min)) { if (nat_info->nat_action & NAT_ACTION_SRC) { @@ -2577,7 +2607,7 @@ index 524670e45d..d25f501582 100644 } } else { get_addr_in_range(min, max, curr, hash, ipv4); -@@ -2291,7 +2214,7 @@ store_addr_to_key(union ct_addr *addr, struct conn_key *key, +@@ -2291,7 +2222,7 @@ store_addr_to_key(union ct_addr *addr, struct conn_key *key, } static bool 
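Review bot: In find_addr (inner header `@@ -2260,19 +2189,21 @@`) the `memset` makes `zero_ip` fully defined, but `memcmp(min, &zero_ip, sizeof *min)` still compares every byte of the union, so the all-zero case only matches if the caller's `min` was itself fully zeroed. `min` is filled from `nat_info->min_addr`, whose construction is outside this diff. If a producer sets only the active member, trailing bytes could differ and the branch would be skipped silently. I would document the requirement at the comparison, e.g. `/* 'min' must originate from a fully zeroed union ct_addr: all sizeof *min bytes are compared, not just the active member. */`. The producers of `nat_action_info_t` should also be checked for the same `{0}` pattern this commit removes.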
@@ -2586,7 +2616,7 @@ index 524670e45d..d25f501582 100644 ovs_be16 *port, uint16_t curr, uint16_t min, uint16_t max) { -@@ -2314,8 +2237,7 @@ another_round: +@@ -2314,8 +2245,7 @@ another_round: } *port = htons(curr); @@ -2596,7 +2626,7 @@ index 524670e45d..d25f501582 100644 return true; } } -@@ -2353,53 +2275,49 @@ another_round: +@@ -2353,53 +2283,53 @@ another_round: * * If none can be found, return exhaustion to the caller. */ static bool @@ -2606,17 +2636,22 @@ index 524670e45d..d25f501582 100644 const struct nat_action_info_t *nat_info) { - uint32_t hash = nat_range_hash(conn, ct->hash_basis, nat_info); -+ struct conn_key *fwd_key = &conn->key_node[CT_DIR_FWD].key; -+ struct conn_key *rev_key = &conn->key_node[CT_DIR_REV].key; - union ct_addr min_addr = {0}, max_addr = {0}, addr = {0}; +- union ct_addr min_addr = {0}, max_addr = {0}, addr = {0}; - bool pat_proto = conn->key.nw_proto == IPPROTO_TCP || - conn->key.nw_proto == IPPROTO_UDP; ++ struct conn_key *fwd_key = &conn->key_node[CT_DIR_FWD].key; ++ struct conn_key *rev_key = &conn->key_node[CT_DIR_REV].key; + bool pat_proto = fwd_key->nw_proto == IPPROTO_TCP || + fwd_key->nw_proto == IPPROTO_UDP; uint16_t min_dport, max_dport, curr_dport; uint16_t min_sport, max_sport, curr_sport; ++ union ct_addr min_addr, max_addr, addr; + uint32_t hash; ++ memset(&min_addr, 0, sizeof min_addr); ++ memset(&max_addr, 0, sizeof max_addr); ++ memset(&addr, 0, sizeof addr); ++ + hash = nat_range_hash(fwd_key, ct->hash_basis, nat_info); min_addr = nat_info->min_addr; max_addr = nat_info->max_addr; @@ -2667,7 +2702,7 @@ index 524670e45d..d25f501582 100644 curr_sport, min_sport, max_sport); } -@@ -2415,9 +2333,9 @@ conn_update(struct conntrack *ct, struct conn *conn, struct dp_packet *pkt, +@@ -2415,9 +2345,9 @@ conn_update(struct conntrack *ct, struct conn *conn, struct dp_packet *pkt, struct conn_lookup_ctx *ctx, long long now) { ovs_mutex_lock(&conn->lock); 
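Review bot: In the nat_get_unique_tuple hunk (inner header `@@ -2353,53 +2283,53 @@`) the new `memset(&min_addr, ...)` and `memset(&max_addr, ...)` are overwritten two lines later by `min_addr = nat_info->min_addr;` and `max_addr = nat_info->max_addr;`. Only the `memset` of `addr` changes what later code can observe. As written, the extra calls suggest that they protect the byte-wise comparison done in find_addr, which they do not, because the bytes that reach it come from `nat_info`. I would either drop the two redundant calls or add a short comment such as `/* min_addr/max_addr are replaced from nat_info below; their contents depend on how nat_info was initialized. */`. The function continues past the end of the hunk, so later uses of `addr` were not reviewed.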
@@ -2679,7 +2714,7 @@ index 524670e45d..d25f501582 100644 ovs_mutex_unlock(&conn->lock); return update_res; } -@@ -2443,12 +2361,9 @@ conn_expiration(const struct conn *conn) +@@ -2443,12 +2373,9 @@ conn_expiration(const struct conn *conn) } static bool @@ -2694,7 +2729,7 @@ index 524670e45d..d25f501582 100644 } static bool -@@ -2474,9 +2389,7 @@ delete_conn__(struct conn *conn) +@@ -2474,9 +2401,7 @@ delete_conn__(struct conn *conn) static void delete_conn(struct conn *conn) { @@ -2704,7 +2739,7 @@ index 524670e45d..d25f501582 100644 delete_conn__(conn); } -@@ -2556,7 +2469,9 @@ tuple_to_conn_key(const struct ct_dpif_tuple *tuple, uint16_t zone, +@@ -2556,7 +2481,9 @@ tuple_to_conn_key(const struct ct_dpif_tuple *tuple, uint16_t zone, key->src.icmp_type = tuple->icmp_type; key->src.icmp_code = tuple->icmp_code; key->dst.icmp_id = tuple->icmp_id; @@ -2715,7 +2750,7 @@ index 524670e45d..d25f501582 100644 key->dst.icmp_code = tuple->icmp_code; } else { key->src.port = tuple->src_port; -@@ -2569,15 +2484,18 @@ static void +@@ -2569,15 +2496,18 @@ static void conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry, long long now) { @@ -2737,7 +2772,7 @@ index 524670e45d..d25f501582 100644 ovs_mutex_lock(&conn->lock); entry->mark = conn->mark; -@@ -2585,7 +2503,7 @@ conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry, +@@ -2585,7 +2515,7 @@ conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry, long long expiration = conn_expiration(conn) - now; @@ -2746,7 +2781,7 @@ index 524670e45d..d25f501582 100644 if (class->conn_get_protoinfo) { class->conn_get_protoinfo(conn, &entry->protoinfo); } -@@ -2618,30 +2536,29 @@ conntrack_dump_start(struct conntrack *ct, struct conntrack_dump *dump, +@@ -2618,30 +2548,29 @@ conntrack_dump_start(struct conntrack *ct, struct conntrack_dump *dump, dump->ct = ct; *ptot_bkts = 1; /* Need to clean up the callers. */ 
@@ -2786,7 +2821,7 @@ index 524670e45d..d25f501582 100644 conn_to_ct_dpif_entry(conn, entry, now); return 0; } -@@ -2659,14 +2576,15 @@ conntrack_dump_done(struct conntrack_dump *dump OVS_UNUSED) +@@ -2659,14 +2588,15 @@ conntrack_dump_done(struct conntrack_dump *dump OVS_UNUSED) int conntrack_flush(struct conntrack *ct, const uint16_t *zone) { @@ -2806,7 +2841,7 @@ index 524670e45d..d25f501582 100644 conn_clean(ct, conn); } } -@@ -2678,18 +2596,18 @@ int +@@ -2678,18 +2608,18 @@ int conntrack_flush_tuple(struct conntrack *ct, const struct ct_dpif_tuple *tuple, uint16_t zone) { @@ -2828,7 +2863,7 @@ index 524670e45d..d25f501582 100644 error = ENOENT; } -@@ -2832,50 +2750,54 @@ expectation_create(struct conntrack *ct, ovs_be16 dst_port, +@@ -2832,50 +2762,54 @@ expectation_create(struct conntrack *ct, ovs_be16 dst_port, const struct conn *parent_conn, bool reply, bool src_ip_wc, bool skip_nat) { @@ -2895,7 +2930,7 @@ index 524670e45d..d25f501582 100644 sizeof alg_exp_node->parent_key); /* Take the write lock here because it is almost 100% * likely that the lookup will fail and -@@ -3127,12 +3049,16 @@ process_ftp_ctl_v4(struct conntrack *ct, +@@ -3127,12 +3061,16 @@ process_ftp_ctl_v4(struct conntrack *ct, switch (mode) { case CT_FTP_MODE_ACTIVE: @@ -2916,7 +2951,7 @@ index 524670e45d..d25f501582 100644 break; case CT_TFTP_MODE: default: -@@ -3164,7 +3090,7 @@ skip_ipv6_digits(char *str) +@@ -3164,7 +3102,7 @@ skip_ipv6_digits(char *str) static enum ftp_ctl_pkt process_ftp_ctl_v6(struct conntrack *ct, struct dp_packet *pkt, @@ -2925,7 +2960,7 @@ index 524670e45d..d25f501582 100644 union ct_addr *v6_addr_rep, char **ftp_data_start, size_t *addr_offset_from_ftp_data_start, size_t *addr_size, enum ct_alg_mode *mode) -@@ -3232,24 +3158,25 @@ process_ftp_ctl_v6(struct conntrack *ct, +@@ -3232,24 +3170,25 @@ process_ftp_ctl_v6(struct conntrack *ct, switch (*mode) { case CT_FTP_MODE_ACTIVE: 
@@ -2955,7 +2990,7 @@ index 524670e45d..d25f501582 100644 !!(pkt->md.ct_state & CS_REPLY_DIR), false, false); return CT_FTP_CTL_INTEREST; } -@@ -3403,7 +3330,8 @@ handle_tftp_ctl(struct conntrack *ct, +@@ -3403,7 +3342,8 @@ handle_tftp_ctl(struct conntrack *ct, long long now OVS_UNUSED, enum ftp_ctl_pkt ftp_ctl OVS_UNUSED, bool nat OVS_UNUSED) { diff --git a/SPECS/openvswitch3.1.spec b/SPECS/openvswitch3.1.spec index 04b28bb..a2bc598 100644 --- a/SPECS/openvswitch3.1.spec +++ b/SPECS/openvswitch3.1.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 3.1.0 -Release: 108%{?dist} +Release: 109%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -754,6 +754,13 @@ exit 0 %endif %changelog +* Tue May 14 2024 Open vSwitch CI - 3.1.0-109 +- Merging upstream branch-3.1 [RH git: d476b37007] + Commit list: + 0dab34c2f2 conntrack: Fully initialize conn struct before insertion. + b20de3c573 conntrack: Do not use {0} to initialize unions. + + * Tue May 07 2024 Open vSwitch CI - 3.1.0-108 - Merging upstream branch-3.1 [RH git: fb3f5d6c8f] Commit list: