diff --git a/SOURCES/openvswitch-3.2.0.patch b/SOURCES/openvswitch-3.2.0.patch index 6b51960..68b238a 100644 --- a/SOURCES/openvswitch-3.2.0.patch +++ b/SOURCES/openvswitch-3.2.0.patch @@ -1851,7 +1851,7 @@ index 89cb2704a6..2149fdc73a 100644 conn->expiration = now + val * 1000; } diff --git a/lib/conntrack.c b/lib/conntrack.c -index 5f1176d333..069b069e70 100644 +index 5f1176d333..cb910b7a22 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -103,7 +103,7 @@ static enum ct_update_res conn_update(struct conntrack *ct, struct conn *conn, @@ -2096,8 +2096,22 @@ index 5f1176d333..069b069e70 100644 if (ct_verify_helper(helper, ct_alg_ctl)) { nc->alg = nullable_xstrdup(helper); -@@ -992,46 +944,33 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, +@@ -990,58 +942,51 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, + nc->parent_key = alg_exp->parent_key; + } ++ ovs_mutex_init_adaptive(&nc->lock); ++ atomic_flag_clear(&nc->reclaimed); ++ fwd_key_node->dir = CT_DIR_FWD; ++ rev_key_node->dir = CT_DIR_REV; ++ ++ if (zl) { ++ nc->admit_zone = zl->czl.zone; ++ nc->zone_limit_seq = zl->czl.zone_limit_seq; ++ } else { ++ nc->admit_zone = INVALID_ZONE; ++ } ++ if (nat_action_info) { nc->nat_action = nat_action_info->nat_action; - nat_conn = xzalloc(sizeof *nat_conn); 
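Review bot: The ordering requirement behind this change is not recorded next to the code in conn_not_found. The lock, the `reclaimed` flag, the key-node `dir` fields and `admit_zone`/`zone_limit_seq` are now set before `cmap_insert(&ct->conns, &fwd_key_node->cm_node, ctx->hash)` (the insert is in the next hunk, at -2142), yet no comment visible in either hunk says that the insert is the publication point. A later edit that initialises a new field after the insert would presumably expose a partly initialised `struct conn` to concurrent lookups again. I would add above the insert: `/* 'nc' must be fully initialized here: once inserted, other threads can find it. */`. Both hunks show only part of conn_not_found.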
@@ -2142,17 +2156,28 @@ index 5f1176d333..069b069e70 100644 } - nc->nat_conn = nat_conn; - ovs_mutex_init_adaptive(&nc->lock); +- ovs_mutex_init_adaptive(&nc->lock); - nc->conn_type = CT_CONN_TYPE_DEFAULT; - atomic_flag_clear(&nc->reclaimed); +- atomic_flag_clear(&nc->reclaimed); - cmap_insert(&ct->conns, &nc->cm_node, ctx->hash); -+ fwd_key_node->dir = CT_DIR_FWD; -+ rev_key_node->dir = CT_DIR_REV; + cmap_insert(&ct->conns, &fwd_key_node->cm_node, ctx->hash); conn_expire_push_front(ct, nc); atomic_count_inc(&ct->n_conn); - ctx->conn = nc; /* For completeness. */ -@@ -1052,7 +991,6 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, +- ctx->conn = nc; /* For completeness. */ ++ + if (zl) { +- nc->admit_zone = zl->czl.zone; +- nc->zone_limit_seq = zl->czl.zone_limit_seq; + atomic_count_inc(&zl->czl.count); +- } else { +- nc->admit_zone = INVALID_ZONE; + } ++ ++ ctx->conn = nc; /* For completeness. */ + } + + return nc; +@@ -1052,7 +997,6 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, * firewall rules or a separate firewall. Also using zone partitioning * can limit DoS impact. */ nat_res_exhaustion: @@ -2160,7 +2185,7 @@ index 5f1176d333..069b069e70 100644 delete_conn__(nc); static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 5); VLOG_WARN_RL(&rl, "Unable to NAT due to tuple space exhaustion - " -@@ -1065,7 +1003,6 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, +@@ -1065,7 +1009,6 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, struct conn_lookup_ctx *ctx, struct conn *conn, long long now) { @@ -2168,7 +2193,7 @@ index 5f1176d333..069b069e70 100644 bool create_new_conn = false; if (ctx->icmp_related) { -@@ -1092,7 +1029,8 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, +@@ -1092,7 +1035,8 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, pkt->md.ct_state = CS_INVALID; break; case CT_UPDATE_NEW: 
@@ -2178,7 +2203,7 @@ index 5f1176d333..069b069e70 100644 conn_force_expire(conn); } create_new_conn = true; -@@ -1268,8 +1206,10 @@ initial_conn_lookup(struct conntrack *ct, struct conn_lookup_ctx *ctx, +@@ -1268,8 +1212,10 @@ initial_conn_lookup(struct conntrack *ct, struct conn_lookup_ctx *ctx, if (natted) { if (OVS_LIKELY(ctx->conn)) { @@ -2190,7 +2215,7 @@ index 5f1176d333..069b069e70 100644 ctx->hash = conn_key_hash(&ctx->key, ct->hash_basis); } else { /* A lookup failure does not necessarily imply that an -@@ -1302,31 +1242,13 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, +@@ -1302,31 +1248,13 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, /* Delete found entry if in wrong direction. 'force' implies commit. */ if (OVS_UNLIKELY(force && ctx->reply && conn)) { @@ -2224,7 +2249,7 @@ index 5f1176d333..069b069e70 100644 enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, tp_src, tp_dst, helper); -@@ -1419,8 +1341,9 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, +@@ -1419,8 +1347,9 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, struct conn *conn = packet->md.conn; if (OVS_UNLIKELY(packet->md.ct_state == CS_INVALID)) { write_ct_md(packet, zone, NULL, NULL, NULL); @@ -2236,7 +2261,7 @@ index 5f1176d333..069b069e70 100644 process_one_fast(zone, setmark, setlabel, nat_action_info, conn, packet); } else if (OVS_UNLIKELY(!conn_key_extract(ct, packet, dl_type, &ctx, -@@ -2269,7 +2192,7 @@ nat_ipv6_addr_increment(struct in6_addr *ipv6, uint32_t increment) +@@ -2269,7 +2198,7 @@ nat_ipv6_addr_increment(struct in6_addr *ipv6, uint32_t increment) } static uint32_t 
@@ -2245,7 +2270,7 @@ index 5f1176d333..069b069e70 100644 const struct nat_action_info_t *nat_info) { uint32_t hash = basis; -@@ -2279,11 +2202,11 @@ nat_range_hash(const struct conn *conn, uint32_t basis, +@@ -2279,11 +2208,11 @@ nat_range_hash(const struct conn *conn, uint32_t basis, hash = hash_add(hash, ((uint32_t) nat_info->max_port << 16) | nat_info->min_port); @@ -2262,7 +2287,7 @@ index 5f1176d333..069b069e70 100644 /* The purpose of the second parameter is to distinguish hashes of data of * different length; our data always has the same length so there is no -@@ -2357,7 +2280,7 @@ get_addr_in_range(union ct_addr *min, union ct_addr *max, +@@ -2357,19 +2286,21 @@ get_addr_in_range(union ct_addr *min, union ct_addr *max, } static void @@ -2271,7 +2296,12 @@ index 5f1176d333..069b069e70 100644 union ct_addr *max, union ct_addr *curr, uint32_t hash, bool ipv4, const struct nat_action_info_t *nat_info) -@@ -2367,9 +2290,9 @@ find_addr(const struct conn *conn, union ct_addr *min, + { +- const union ct_addr zero_ip = {0}; ++ union ct_addr zero_ip; ++ ++ memset(&zero_ip, 0, sizeof zero_ip); + /* All-zero case. */ if (!memcmp(min, &zero_ip, sizeof *min)) { if (nat_info->nat_action & NAT_ACTION_SRC) { @@ -2283,7 +2313,7 @@ index 5f1176d333..069b069e70 100644 } } else { get_addr_in_range(min, max, curr, hash, ipv4); -@@ -2388,7 +2311,7 @@ store_addr_to_key(union ct_addr *addr, struct conn_key *key, +@@ -2388,7 +2319,7 @@ store_addr_to_key(union ct_addr *addr, struct conn_key *key, } static bool @@ -2292,7 +2322,7 @@ index 5f1176d333..069b069e70 100644 ovs_be16 *port, uint16_t curr, uint16_t min, uint16_t max) { -@@ -2411,8 +2334,7 @@ another_round: +@@ -2411,8 +2342,7 @@ another_round: } *port = htons(curr); @@ -2302,7 +2332,7 @@ index 5f1176d333..069b069e70 100644 return true; } } -@@ -2450,54 +2372,50 @@ another_round: +@@ -2450,54 +2380,54 @@ another_round: * * If none can be found, return exhaustion to the caller. */ static bool 
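Review bot: The reason for switching from `= {0}` to `memset()` is not stated in find_addr, so a later clean-up could revert it. `zero_ip` is read by `memcmp(min, &zero_ip, sizeof *min)`, which compares every byte of the union, whereas `{0}` is only guaranteed to initialise the first member; a comment such as `/* memset, not {0}: the memcmp below compares all bytes of the union. */` would record that. The same comment fits the `min_addr`/`max_addr`/`addr` memsets in the hunk at -2312, where `min_addr` and `max_addr` are assigned from `nat_info` right after being cleared, so only the `addr` memset appears to be needed there. find_addr's body continues outside this hunk.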
@@ -2312,19 +2342,24 @@ index 5f1176d333..069b069e70 100644 const struct nat_action_info_t *nat_info) { - uint32_t hash = nat_range_hash(conn, ct->hash_basis, nat_info); -+ struct conn_key *fwd_key = &conn->key_node[CT_DIR_FWD].key; -+ struct conn_key *rev_key = &conn->key_node[CT_DIR_REV].key; - union ct_addr min_addr = {0}, max_addr = {0}, addr = {0}; +- union ct_addr min_addr = {0}, max_addr = {0}, addr = {0}; - bool pat_proto = conn->key.nw_proto == IPPROTO_TCP || - conn->key.nw_proto == IPPROTO_UDP || - conn->key.nw_proto == IPPROTO_SCTP; ++ struct conn_key *fwd_key = &conn->key_node[CT_DIR_FWD].key; ++ struct conn_key *rev_key = &conn->key_node[CT_DIR_REV].key; + bool pat_proto = fwd_key->nw_proto == IPPROTO_TCP || + fwd_key->nw_proto == IPPROTO_UDP || + fwd_key->nw_proto == IPPROTO_SCTP; uint16_t min_dport, max_dport, curr_dport; uint16_t min_sport, max_sport, curr_sport; ++ union ct_addr min_addr, max_addr, addr; + uint32_t hash; ++ memset(&min_addr, 0, sizeof min_addr); ++ memset(&max_addr, 0, sizeof max_addr); ++ memset(&addr, 0, sizeof addr); ++ + hash = nat_range_hash(fwd_key, ct->hash_basis, nat_info); min_addr = nat_info->min_addr; max_addr = nat_info->max_addr; @@ -2375,7 +2410,7 @@ index 5f1176d333..069b069e70 100644 curr_sport, min_sport, max_sport); } -@@ -2513,9 +2431,9 @@ conn_update(struct conntrack *ct, struct conn *conn, struct dp_packet *pkt, +@@ -2513,9 +2443,9 @@ conn_update(struct conntrack *ct, struct conn *conn, struct dp_packet *pkt, struct conn_lookup_ctx *ctx, long long now) { ovs_mutex_lock(&conn->lock); @@ -2387,7 +2422,7 @@ index 5f1176d333..069b069e70 100644 ovs_mutex_unlock(&conn->lock); return update_res; } -@@ -2541,12 +2459,9 @@ conn_expiration(const struct conn *conn) +@@ -2541,12 +2471,9 @@ conn_expiration(const struct conn *conn) } static bool 
@@ -2402,7 +2437,7 @@ index 5f1176d333..069b069e70 100644 } static bool -@@ -2572,9 +2487,7 @@ delete_conn__(struct conn *conn) +@@ -2572,9 +2499,7 @@ delete_conn__(struct conn *conn) static void delete_conn(struct conn *conn) { @@ -2412,7 +2447,7 @@ index 5f1176d333..069b069e70 100644 delete_conn__(conn); } -@@ -2654,7 +2567,9 @@ tuple_to_conn_key(const struct ct_dpif_tuple *tuple, uint16_t zone, +@@ -2654,7 +2579,9 @@ tuple_to_conn_key(const struct ct_dpif_tuple *tuple, uint16_t zone, key->src.icmp_type = tuple->icmp_type; key->src.icmp_code = tuple->icmp_code; key->dst.icmp_id = tuple->icmp_id; @@ -2423,7 +2458,7 @@ index 5f1176d333..069b069e70 100644 key->dst.icmp_code = tuple->icmp_code; } else { key->src.port = tuple->src_port; -@@ -2667,15 +2582,18 @@ static void +@@ -2667,15 +2594,18 @@ static void conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry, long long now) { @@ -2445,7 +2480,7 @@ index 5f1176d333..069b069e70 100644 ovs_mutex_lock(&conn->lock); entry->mark = conn->mark; -@@ -2683,7 +2601,7 @@ conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry, +@@ -2683,7 +2613,7 @@ conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry, long long expiration = conn_expiration(conn) - now; @@ -2454,7 +2489,7 @@ index 5f1176d333..069b069e70 100644 if (class->conn_get_protoinfo) { class->conn_get_protoinfo(conn, &entry->protoinfo); } -@@ -2716,30 +2634,29 @@ conntrack_dump_start(struct conntrack *ct, struct conntrack_dump *dump, +@@ -2716,30 +2646,29 @@ conntrack_dump_start(struct conntrack *ct, struct conntrack_dump *dump, dump->ct = ct; *ptot_bkts = 1; /* Need to clean up the callers. */ 
@@ -2494,7 +2529,7 @@ index 5f1176d333..069b069e70 100644 conn_to_ct_dpif_entry(conn, entry, now); return 0; } -@@ -2823,14 +2740,15 @@ conntrack_exp_dump_done(struct conntrack_dump *dump OVS_UNUSED) +@@ -2823,14 +2752,15 @@ conntrack_exp_dump_done(struct conntrack_dump *dump OVS_UNUSED) int conntrack_flush(struct conntrack *ct, const uint16_t *zone) { @@ -2514,7 +2549,7 @@ index 5f1176d333..069b069e70 100644 conn_clean(ct, conn); } } -@@ -2842,18 +2760,18 @@ int +@@ -2842,18 +2772,18 @@ int conntrack_flush_tuple(struct conntrack *ct, const struct ct_dpif_tuple *tuple, uint16_t zone) { @@ -2536,7 +2571,7 @@ index 5f1176d333..069b069e70 100644 error = ENOENT; } -@@ -2996,50 +2914,54 @@ expectation_create(struct conntrack *ct, ovs_be16 dst_port, +@@ -2996,50 +2926,54 @@ expectation_create(struct conntrack *ct, ovs_be16 dst_port, const struct conn *parent_conn, bool reply, bool src_ip_wc, bool skip_nat) { @@ -2603,7 +2638,7 @@ index 5f1176d333..069b069e70 100644 sizeof alg_exp_node->parent_key); /* Take the write lock here because it is almost 100% * likely that the lookup will fail and -@@ -3291,12 +3213,16 @@ process_ftp_ctl_v4(struct conntrack *ct, +@@ -3291,12 +3225,16 @@ process_ftp_ctl_v4(struct conntrack *ct, switch (mode) { case CT_FTP_MODE_ACTIVE: @@ -2624,7 +2659,7 @@ index 5f1176d333..069b069e70 100644 break; case CT_TFTP_MODE: default: -@@ -3328,7 +3254,7 @@ skip_ipv6_digits(char *str) +@@ -3328,7 +3266,7 @@ skip_ipv6_digits(char *str) static enum ftp_ctl_pkt process_ftp_ctl_v6(struct conntrack *ct, struct dp_packet *pkt, @@ -2633,7 +2668,7 @@ index 5f1176d333..069b069e70 100644 union ct_addr *v6_addr_rep, char **ftp_data_start, size_t *addr_offset_from_ftp_data_start, size_t *addr_size, enum ct_alg_mode *mode) -@@ -3396,24 +3322,25 @@ process_ftp_ctl_v6(struct conntrack *ct, +@@ -3396,24 +3334,25 @@ process_ftp_ctl_v6(struct conntrack *ct, switch (*mode) { case CT_FTP_MODE_ACTIVE: 
@@ -2663,7 +2698,7 @@ index 5f1176d333..069b069e70 100644 !!(pkt->md.ct_state & CS_REPLY_DIR), false, false); return CT_FTP_CTL_INTEREST; } -@@ -3571,7 +3498,8 @@ handle_tftp_ctl(struct conntrack *ct, +@@ -3571,7 +3510,8 @@ handle_tftp_ctl(struct conntrack *ct, long long now OVS_UNUSED, enum ftp_ctl_pkt ftp_ctl OVS_UNUSED, bool nat OVS_UNUSED) { diff --git a/SPECS/openvswitch3.2.spec b/SPECS/openvswitch3.2.spec index c310317..6ad89e9 100644 --- a/SPECS/openvswitch3.2.spec +++ b/SPECS/openvswitch3.2.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 3.2.0 -Release: 77%{?dist} +Release: 78%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -761,6 +761,13 @@ exit 0 %endif %changelog +* Tue May 14 2024 Open vSwitch CI - 3.2.0-78 +- Merging upstream branch-3.2 [RH git: ff697d229b] + Commit list: + 65960eb76b conntrack: Fully initialize conn struct before insertion. + 7f8ed26f85 conntrack: Do not use {0} to initialize unions. + + * Tue May 07 2024 Open vSwitch CI - 3.2.0-77 - Merging upstream branch-3.2 [RH git: 875358dc66] Commit list: