diff --git a/SOURCES/openvswitch-2.15.0.patch b/SOURCES/openvswitch-2.15.0.patch index e9d4b1b..f557c1f 100644 --- a/SOURCES/openvswitch-2.15.0.patch +++ b/SOURCES/openvswitch-2.15.0.patch @@ -18394,6 +18394,18 @@ index b0a5ce8bec..bc51a5767f 100644 }; enum { +diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h +index 95e52e3587..045dce8f5f 100644 +--- a/include/openvswitch/meta-flow.h ++++ b/include/openvswitch/meta-flow.h +@@ -2305,6 +2305,7 @@ void mf_set_flow_value_masked(const struct mf_field *, + const union mf_value *mask, + struct flow *); + bool mf_is_tun_metadata(const struct mf_field *); ++bool mf_is_frozen_metadata(const struct mf_field *); + bool mf_is_pipeline_field(const struct mf_field *); + bool mf_is_set(const struct mf_field *, const struct flow *); + void mf_mask_field(const struct mf_field *, struct flow_wildcards *); diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index 64111768b3..668507fd37 100755 --- a/ipsec/ovs-monitor-ipsec.in @@ -19487,6 +19499,30 @@ index d75d66b863..ba096dd0c8 100644 void jsonrpc_session_set_max_backoff(struct jsonrpc_session *, int max_backoff); +diff --git a/lib/meta-flow.c b/lib/meta-flow.c +index c808d205d5..e03cd8d0c5 100644 +--- a/lib/meta-flow.c ++++ b/lib/meta-flow.c +@@ -1788,6 +1788,19 @@ mf_is_tun_metadata(const struct mf_field *mf) + mf->id < MFF_TUN_METADATA0 + TUN_METADATA_NUM_OPTS; + } + ++bool ++mf_is_frozen_metadata(const struct mf_field *mf) ++{ ++ if (mf->id >= MFF_TUN_ID && mf->id <= MFF_IN_PORT_OXM) { ++ return true; ++ } ++ ++ if (mf->id >= MFF_REG0 && mf->id < MFF_ETH_SRC) { ++ return true; ++ } ++ return false; ++} ++ + bool + mf_is_pipeline_field(const struct mf_field *mf) + { diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c index 9d8096668e..6699c383e6 100644 --- a/lib/netdev-dpdk.c @@ -20845,10 +20881,58 @@ index 5fae46adfc..ccf97266c0 100644 ovs_mutex_destroy(&udpif->ukeys[i].mutex); } 
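Review bot: `mf_is_frozen_metadata()` in lib/meta-flow.c classifies a field purely by where its id falls in `enum mf_field_id` (`MFF_TUN_ID`..`MFF_IN_PORT_OXM`, and `MFF_REG0` up to but excluding `MFF_ETH_SRC`), and nothing in the hunk documents or enforces that ordering. The enum is not visible here, so this is inferred, but a field later inserted inside either range would silently count as frozen metadata and, going by the xlate change in this same patch, would no longer be unwildcarded on a recirculation resume when it is the conntrack zone source. I would add a header comment to the function, for example `/* Returns true if 'mf' has an id in MFF_TUN_ID..MFF_IN_PORT_OXM or in MFF_REG0..(MFF_ETH_SRC - 1). Depends on the order of enum mf_field_id; re-check when adding fields. */`, and a matching note beside the enum. The new prototype in include/openvswitch/meta-flow.h, added in the preceding hunk, carries no comment either.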
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c -index 7108c8a301..479e459fcb 100644 +index 7108c8a301..3942ddbdc7 100644 --- a/ofproto/ofproto-dpif-xlate.c 
+++ b/ofproto/ofproto-dpif-xlate.c -@@ -7127,7 +7127,9 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -6177,11 +6177,32 @@ static void + compose_conntrack_action(struct xlate_ctx *ctx, struct ofpact_conntrack *ofc, + bool is_last_action) + { +- ovs_u128 old_ct_label_mask = ctx->wc->masks.ct_label; +- uint32_t old_ct_mark_mask = ctx->wc->masks.ct_mark; +- size_t ct_offset; + uint16_t zone; ++ if (ofc->zone_src.field) { ++ union mf_subvalue value; ++ memset(&value, 0xff, sizeof(value)); + ++ zone = mf_get_subfield(&ofc->zone_src, &ctx->xin->flow); ++ if (ctx->xin->frozen_state) { ++ /* If the upcall is a resume of a recirculation, we only need to ++ * unwildcard the fields that are not in the frozen_metadata, as ++ * when the rules update, OVS will generate a new recirc_id, ++ * which will invalidate the megaflow with old the recirc_id. ++ */ ++ if (!mf_is_frozen_metadata(ofc->zone_src.field)) { ++ mf_write_subfield_flow(&ofc->zone_src, &value, ++ &ctx->wc->masks); ++ } ++ } else { ++ mf_write_subfield_flow(&ofc->zone_src, &value, &ctx->wc->masks); ++ } ++ } else { ++ zone = ofc->zone_imm; ++ } ++ ++ size_t ct_offset; ++ ovs_u128 old_ct_label_mask = ctx->wc->masks.ct_label; ++ uint32_t old_ct_mark_mask = ctx->wc->masks.ct_mark; + /* Ensure that any prior actions are applied before composing the new + * conntrack action. */ + xlate_commit_actions(ctx); +@@ -6193,11 +6214,6 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct ofpact_conntrack *ofc, + do_xlate_actions(ofc->actions, ofpact_ct_get_action_len(ofc), ctx, + is_last_action, false); + +- if (ofc->zone_src.field) { +- zone = mf_get_subfield(&ofc->zone_src, &ctx->xin->flow); +- } else { +- zone = ofc->zone_imm; +- } + + ct_offset = nl_msg_start_nested(ctx->odp_actions, OVS_ACTION_ATTR_CT); + if (ofc->flags & NX_CT_F_COMMIT) { +@@ -7127,7 +7143,9 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, break; case OFPACT_CT_CLEAR: 
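Review bot: In `compose_conntrack_action()` the zone block now has to run before `old_ct_label_mask` and `old_ct_mark_mask` are captured, and nothing in the hunk explains that ordering. Presumably those saved masks are restored later in the function (outside the hunk), so unwildcarding a `ct_label`- or `ct_mark`-based `zone_src` after the save would be lost and the megaflow could match packets that should land in a different zone; a comment above the moved declarations such as `/* Unwildcard zone_src before saving the ct masks so the zone bits survive the later restore. */` would stop a cleanup from hoisting them back to the top. The two identical `mf_write_subfield_flow()` calls can collapse into one guarded by `if (!ctx->xin->frozen_state || !mf_is_frozen_metadata(ofc->zone_src.field)) {`. The added comment also has a word-order slip: "with old the recirc_id" should read "with the old recirc_id". The function body continues past the end of the hunk.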
@@ -23475,7 +23559,7 @@ index 4f601ef939..c8e4c68fae 100644 +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP diff --git a/tests/system-traffic.at b/tests/system-traffic.at -index fb5b9a36d2..bc203c1cce 100644 +index fb5b9a36d2..b56ffda448 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -574,6 +574,60 @@ NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PI 
@@ -23539,7 +23623,119 @@ index fb5b9a36d2..bc203c1cce 100644 AT_SETUP([datapath - flow resume with geneve tun_metadata]) OVS_CHECK_GENEVE() -@@ -3251,6 +3305,46 @@ NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING +@@ -1927,6 +1981,111 @@ tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src= + OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([conntrack - zones from other field]) ++CHECK_CONNTRACK() ++OVS_TRAFFIC_VSWITCHD_START() ++ ++ADD_NAMESPACES(at_ns0, at_ns1) ++ ++ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") ++ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") ++ ++dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. ++AT_DATA([flows.txt], [dnl ++priority=1,action=drop ++priority=10,arp,action=normal ++priority=10,icmp,action=normal ++priority=100,in_port=1,tcp,ct_state=-trk,action=ct(zone=5,table=0) ++priority=100,in_port=1,tcp,ct_state=+trk,action=ct(commit,zone=NXM_NX_CT_ZONE[]),2 ++priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=5) ++priority=100,in_port=2,ct_state=+trk,ct_zone=5,tcp,action=1 ++]) ++ ++AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) ++ ++OVS_START_L7([at_ns1], [http]) ++ ++dnl HTTP requests from p0->p1 should work fine. ++NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) ++ ++AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl ++tcp,dnl ++orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),dnl ++reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),dnl ++zone=5,protoinfo=(state=) ++]) ++ ++dnl This is to test when the zoneid is set by a field variable like ++dnl NXM_NX_CT_ZONE, the OVS xlate should generate a megaflow with a form of ++dnl "ct_zone(5), ... actions: ct(commit, zone=5)". The match "ct_zone(5)" ++dnl is needed as if we changes the zoneid into 15 in the following, the old ++dnl "ct_zone(5), ... 
actions: ct(commit, zone=5)" megaflow will not get hit, ++dnl and OVS will generate a new megaflow with the match "ct_zone(0xf)". ++dnl This will make sure that the new packets are committing to zoneid 15 ++dnl rather than old 5. ++AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl ++ | grep "+trk" | grep -q "ct_zone(0x5)" ], [0], []) ++ ++AT_CHECK([ovs-ofctl mod-flows br0 dnl ++ 'priority=100,ct_state=-trk,tcp,in_port="ovs-p0" actions=ct(table=0,zone=15)']) ++ ++NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl ++ | grep "+trk" | grep -q "ct_zone(0xf)" ], [0], []) ++ ++OVS_TRAFFIC_VSWITCHD_STOP ++AT_CLEANUP ++ ++AT_SETUP([conntrack - zones from other field, more tests]) ++CHECK_CONNTRACK() ++OVS_TRAFFIC_VSWITCHD_START() ++ ++ADD_NAMESPACES(at_ns0, at_ns1) ++ ++ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") ++ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") ++ ++dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. ++AT_DATA([flows.txt], [dnl ++priority=1,action=drop ++priority=10,arp,action=normal ++priority=10,icmp,action=normal ++priority=100,in_port=1,tcp,ct_state=-trk,action=ct(zone=5,table=0,commit,exec(load:0xffff0005->NXM_NX_CT_LABEL[[0..31]])) ++priority=100,in_port=1,tcp,ct_state=+trk,action=ct(commit,zone=NXM_NX_CT_LABEL[[0..15]]),2 ++priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=5) ++priority=100,in_port=2,ct_state=+trk,ct_zone=5,tcp,action=1 ++]) ++ ++AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) ++ ++OVS_START_L7([at_ns1], [http]) ++ ++dnl HTTP requests from p0->p1 should work fine. 
++NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) ++ ++AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl ++tcp,dnl ++orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),dnl ++reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),dnl ++zone=5,labels=0xffff0005,protoinfo=(state=) ++]) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl ++ | grep "+trk" | sed 's/0xffff0005\/0xffff/0x5\/0xffff/' dnl ++ | grep -q "ct_label(0x5/0xffff)" ], [0], []) ++ ++AT_CHECK([ovs-ofctl mod-flows br0 'priority=100,ct_state=-trk,tcp,in_port="ovs-p0" actions=ct(table=0,zone=15,commit,exec(load:0xffff000f->NXM_NX_CT_LABEL[[0..31]]))']) ++ ++NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) ++ ++AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl ++ | grep "+trk" | sed 's/0xffff000f\/0xffff/0xf\/0xffff/' dnl ++ | grep -q "ct_label(0xf/0xffff)" ], [0], []) ++ ++OVS_TRAFFIC_VSWITCHD_STOP ++AT_CLEANUP ++ + AT_SETUP([conntrack - multiple bridges]) + CHECK_CONNTRACK() + OVS_TRAFFIC_VSWITCHD_START( +@@ -3251,6 +3410,46 @@ NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP @@ -23586,7 +23782,7 @@ index fb5b9a36d2..bc203c1cce 100644 AT_SETUP([conntrack - resubmit to ct multiple times]) CHECK_CONNTRACK() -@@ -4433,6 +4527,52 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -4433,6 +4632,52 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP @@ -23639,7 +23835,7 @@ index fb5b9a36d2..bc203c1cce 100644 AT_SETUP([conntrack - simple DNAT]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() -@@ -4488,6 +4628,41 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -4488,6 +4733,41 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP 
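Review bot: The first new test, "conntrack - zones from other field", says new packets must commit to zone 15 after the `mod-flows`, but its last assertion only greps the datapath flow dump for `ct_zone(0xf)`; the conntrack table is checked once, for zone 5, before the rule change. Since a stale megaflow committing to the old zone is the failure being guarded against, I would also assert the committed entry after the second `wget`, for example `AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -q "zone=15"], [0], [])`. Neither test appears to take the frozen-metadata branch (a zone read from a register, say), so the path that skips the unwildcard has no coverage in what is visible here. The comment `Only allow nd, return traffic from ns1->ns0` looks copied from elsewhere, since the flow tables in both tests contain no ND rule.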
diff --git a/SPECS/openvswitch2.15.spec b/SPECS/openvswitch2.15.spec index 7f4805f..2d55ec4 100644 --- a/SPECS/openvswitch2.15.spec +++ b/SPECS/openvswitch2.15.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 2.15.0 -Release: 45%{?dist} +Release: 46%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -699,6 +699,12 @@ exit 0 %endif %changelog +* Thu Oct 14 2021 Open vSwitch CI - 2.15.0-46 +- Merging upstream branch-2.15 [RH git: f8619036c9] + Commit list: + 3f718857e7 ofproto-dpif-xlate: Fix zone set from non-frozen-metadata fields. + + * Wed Oct 13 2021 Open vSwitch CI - 2.15.0-45 - Merging upstream branch-2.15 [RH git: e273e307d1] Commit list: