diff --git a/SOURCES/openvswitch-2.17.0.patch b/SOURCES/openvswitch-2.17.0.patch index a6ca91d..4ec8262 100644 --- a/SOURCES/openvswitch-2.17.0.patch +++ b/SOURCES/openvswitch-2.17.0.patch @@ -96090,7 +96090,7 @@ index 4d411d19fd..7ece2eae2f 100644 int timeout_policy_update(struct conntrack *ct, struct timeout_policy *tp); int timeout_policy_delete(struct conntrack *ct, uint32_t tp_id); diff --git a/lib/conntrack.c b/lib/conntrack.c -index 33a1a92953..a5d90dabaa 100644 +index 33a1a92953..0da6bdfb68 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -94,14 +94,13 @@ static bool valid_new(struct dp_packet *pkt, struct conn_key *); @@ -96530,10 +96530,10 @@ index 33a1a92953..a5d90dabaa 100644 + /* Reverse the key for inner packet. */ + struct conn_key rev_key = *key; + conn_key_reverse(&rev_key); ++ ++ pat_packet(pkt, &rev_key); - reverse_pat_packet(pkt, conn); -+ pat_packet(pkt, &rev_key); -+ + if (key->dl_type == htons(ETH_TYPE_IP)) { + nat_packet_ipv4(pkt, &rev_key, nat_action); + @@ -96682,8 +96682,21 @@ index 33a1a92953..a5d90dabaa 100644 if (ct_verify_helper(helper, ct_alg_ctl)) { nc->alg = nullable_xstrdup(helper); -@@ -1020,45 +895,33 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, +@@ -1018,56 +893,50 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, + nc->parent_key = alg_exp->parent_key; + } ++ ovs_mutex_init_adaptive(&nc->lock); ++ fwd_key_node->dir = CT_DIR_FWD; ++ rev_key_node->dir = CT_DIR_REV; ++ ++ if (zl) { ++ nc->admit_zone = zl->czl.zone; ++ nc->zone_limit_seq = zl->czl.zone_limit_seq; ++ } else { ++ nc->admit_zone = INVALID_ZONE; ++ } ++ if (nat_action_info) { nc->nat_action = nat_action_info->nat_action; - nat_conn = xzalloc(sizeof *nat_conn); 
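Review bot: With `ovs_mutex_init_adaptive(&nc->lock);` now ahead of the `if (nat_action_info)` block, a tuple-space failure that jumps to nat_res_exhaustion releases a conn whose mutex has already been initialised; the later hunk touching nat_res_exhaustion keeps its old size, so confirm that path calls `ovs_mutex_destroy(&nc->lock);` before the conn is freed, or add it there. Setting `dir`, `admit_zone` and `zone_limit_seq` before `cmap_insert` is the right ordering for readers that reach the entry through the cmap, and the added `} else { nc->admit_zone = INVALID_ZONE; }` keeps the no-zone-limit case defined. conn_not_found starts before this hunk and continues in the next one, where `zl->czl.count++` and `ctx->conn = nc` now live.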
@@ -96729,16 +96742,26 @@ index 33a1a92953..a5d90dabaa 100644 } - nc->nat_conn = nat_conn; - ovs_mutex_init_adaptive(&nc->lock); +- ovs_mutex_init_adaptive(&nc->lock); - nc->conn_type = CT_CONN_TYPE_DEFAULT; - cmap_insert(&ct->conns, &nc->cm_node, ctx->hash); -+ fwd_key_node->dir = CT_DIR_FWD; -+ rev_key_node->dir = CT_DIR_REV; + cmap_insert(&ct->conns, &fwd_key_node->cm_node, ctx->hash); atomic_count_inc(&ct->n_conn); - ctx->conn = nc; /* For completeness. */ +- ctx->conn = nc; /* For completeness. */ ++ if (zl) { -@@ -1078,9 +941,8 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, +- nc->admit_zone = zl->czl.zone; +- nc->zone_limit_seq = zl->czl.zone_limit_seq; + zl->czl.count++; +- } else { +- nc->admit_zone = INVALID_ZONE; + } ++ ++ ctx->conn = nc; /* For completeness. */ + } + + return nc; +@@ -1078,9 +947,8 @@ conn_not_found(struct conntrack *ct, struct dp_packet *pkt, * firewall rules or a separate firewall. Also using zone partitioning * can limit DoS impact. */ nat_res_exhaustion: @@ -96749,7 +96772,7 @@ index 33a1a92953..a5d90dabaa 100644 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 5); VLOG_WARN_RL(&rl, "Unable to NAT due to tuple space exhaustion - " "if DoS attack, use firewalling and/or zone partitioning."); -@@ -1092,7 +954,6 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, +@@ -1092,7 +960,6 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, struct conn_lookup_ctx *ctx, struct conn *conn, long long now) { @@ -96757,7 +96780,7 @@ index 33a1a92953..a5d90dabaa 100644 bool create_new_conn = false; if (ctx->icmp_related) { -@@ -1120,7 +981,8 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, +@@ -1120,7 +987,8 @@ conn_update_state(struct conntrack *ct, struct dp_packet *pkt, break; case CT_UPDATE_NEW: ovs_mutex_lock(&ct->ct_lock); 
@@ -96767,7 +96790,7 @@ index 33a1a92953..a5d90dabaa 100644 conn_clean(ct, conn); } ovs_mutex_unlock(&ct->ct_lock); -@@ -1148,11 +1010,8 @@ handle_nat(struct dp_packet *pkt, struct conn *conn, +@@ -1148,11 +1016,8 @@ handle_nat(struct dp_packet *pkt, struct conn *conn, if (pkt->md.ct_state & (CS_SRC_NAT | CS_DST_NAT)) { pkt->md.ct_state &= ~(CS_SRC_NAT | CS_DST_NAT); } @@ -96781,7 +96804,7 @@ index 33a1a92953..a5d90dabaa 100644 } } -@@ -1300,8 +1159,10 @@ initial_conn_lookup(struct conntrack *ct, struct conn_lookup_ctx *ctx, +@@ -1300,8 +1165,10 @@ initial_conn_lookup(struct conntrack *ct, struct conn_lookup_ctx *ctx, if (natted) { if (OVS_LIKELY(ctx->conn)) { @@ -96793,7 +96816,7 @@ index 33a1a92953..a5d90dabaa 100644 ctx->hash = conn_key_hash(&ctx->key, ct->hash_basis); } else { /* A lookup failure does not necessarily imply that an -@@ -1335,32 +1196,14 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, +@@ -1335,32 +1202,14 @@ process_one(struct conntrack *ct, struct dp_packet *pkt, /* Delete found entry if in wrong direction. 'force' implies commit. */ if (OVS_UNLIKELY(force && ctx->reply && conn)) { ovs_mutex_lock(&ct->ct_lock); @@ -96828,7 +96851,7 @@ index 33a1a92953..a5d90dabaa 100644 enum ct_alg_ctl_type ct_alg_ctl = get_alg_ctl_type(pkt, tp_src, tp_dst, helper); -@@ -1453,8 +1296,9 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, +@@ -1453,8 +1302,9 @@ conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch, struct conn *conn = packet->md.conn; if (OVS_UNLIKELY(packet->md.ct_state == CS_INVALID)) { write_ct_md(packet, zone, NULL, NULL, NULL); 
@@ -96840,7 +96863,7 @@ index 33a1a92953..a5d90dabaa 100644 process_one_fast(zone, setmark, setlabel, nat_action_info, conn, packet); } else if (OVS_UNLIKELY(!conn_key_extract(ct, packet, dl_type, &ctx, -@@ -1526,14 +1370,14 @@ set_label(struct dp_packet *pkt, struct conn *conn, +@@ -1526,14 +1376,14 @@ set_label(struct dp_packet *pkt, struct conn *conn, static long long ct_sweep(struct conntrack *ct, long long now, size_t limit) { @@ -96857,7 +96880,7 @@ index 33a1a92953..a5d90dabaa 100644 ovs_mutex_lock(&conn->lock); if (now < conn->expiration || count >= limit) { min_expiration = MIN(min_expiration, conn->expiration); -@@ -2234,7 +2078,7 @@ nat_ipv6_addr_increment(struct in6_addr *ipv6, uint32_t increment) +@@ -2234,7 +2084,7 @@ nat_ipv6_addr_increment(struct in6_addr *ipv6, uint32_t increment) } static uint32_t @@ -96866,7 +96889,7 @@ index 33a1a92953..a5d90dabaa 100644 const struct nat_action_info_t *nat_info) { uint32_t hash = basis; -@@ -2242,13 +2086,13 @@ nat_range_hash(const struct conn *conn, uint32_t basis, +@@ -2242,13 +2092,13 @@ nat_range_hash(const struct conn *conn, uint32_t basis, hash = ct_addr_hash_add(hash, &nat_info->min_addr); hash = ct_addr_hash_add(hash, &nat_info->max_addr); hash = hash_add(hash, @@ -96886,7 +96909,7 @@ index 33a1a92953..a5d90dabaa 100644 /* The purpose of the second parameter is to distinguish hashes of data of * different length; our data always has the same length so there is no -@@ -2265,8 +2109,16 @@ set_sport_range(const struct nat_action_info_t *ni, const struct conn_key *k, +@@ -2265,8 +2115,16 @@ set_sport_range(const struct nat_action_info_t *ni, const struct conn_key *k, if (((ni->nat_action & NAT_ACTION_SNAT_ALL) == NAT_ACTION_SRC) || ((ni->nat_action & NAT_ACTION_DST))) { *curr = ntohs(k->src.port); 
@@ -96905,7 +96928,7 @@ index 33a1a92953..a5d90dabaa 100644 } else { *min = ni->min_port; *max = ni->max_port; -@@ -2314,7 +2166,7 @@ get_addr_in_range(union ct_addr *min, union ct_addr *max, +@@ -2314,19 +2172,21 @@ get_addr_in_range(union ct_addr *min, union ct_addr *max, } static void @@ -96914,7 +96937,12 @@ index 33a1a92953..a5d90dabaa 100644 union ct_addr *max, union ct_addr *curr, uint32_t hash, bool ipv4, const struct nat_action_info_t *nat_info) -@@ -2324,9 +2176,9 @@ get_initial_addr(const struct conn *conn, union ct_addr *min, + { +- const union ct_addr zero_ip = {0}; ++ union ct_addr zero_ip; ++ ++ memset(&zero_ip, 0, sizeof zero_ip); + /* All-zero case. */ if (!memcmp(min, &zero_ip, sizeof *min)) { if (nat_info->nat_action & NAT_ACTION_SRC) { @@ -96926,7 +96954,7 @@ index 33a1a92953..a5d90dabaa 100644 } } else { get_addr_in_range(min, max, curr, hash, ipv4); -@@ -2389,6 +2241,25 @@ next_addr_in_range_guarded(union ct_addr *curr, union ct_addr *min, +@@ -2389,6 +2249,25 @@ next_addr_in_range_guarded(union ct_addr *curr, union ct_addr *min, return exhausted; } @@ -96952,7 +96980,7 @@ index 33a1a92953..a5d90dabaa 100644 /* This function tries to get a unique tuple. * Every iteration checks that the reverse tuple doesn't * collide with any existing one. -@@ -2403,61 +2274,72 @@ next_addr_in_range_guarded(union ct_addr *curr, union ct_addr *min, +@@ -2403,61 +2282,76 @@ next_addr_in_range_guarded(union ct_addr *curr, union ct_addr *min, * * In case of DNAT: * - For each dst IP address in the range (if any). 
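Review bot: The reason for replacing `= {0}` with a memset is not recorded next to the new `union ct_addr zero_ip;` in get_initial_addr, and the same pattern recurs in nat_get_unique_tuple in the next hunk; a one-line comment would keep a future cleanup from reverting it, e.g. `/* {0} only initialises the first union member; memset so the memcmp below sees all-zero bytes. */`. C guarantees that `{0}` initialises only the first named member of a union, so the `memcmp(min, &zero_ip, sizeof *min)` that follows could otherwise compare against unspecified bytes beyond that member. Dropping `const` is unavoidable with memset; the function body continues past the hunk.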
@@ -96972,19 +97000,25 @@ index 33a1a92953..a5d90dabaa 100644 +nat_get_unique_tuple(struct conntrack *ct, struct conn *conn, const struct nat_action_info_t *nat_info) { -+ struct conn_key *fwd_key = &conn->key_node[CT_DIR_FWD].key; -+ struct conn_key *rev_key = &conn->key_node[CT_DIR_REV].key; - union ct_addr min_addr = {0}, max_addr = {0}, curr_addr = {0}, - guard_addr = {0}; +- union ct_addr min_addr = {0}, max_addr = {0}, curr_addr = {0}, +- guard_addr = {0}; - uint32_t hash = nat_range_hash(conn, ct->hash_basis, nat_info); - bool pat_proto = conn->key.nw_proto == IPPROTO_TCP || - conn->key.nw_proto == IPPROTO_UDP; ++ struct conn_key *fwd_key = &conn->key_node[CT_DIR_FWD].key; ++ struct conn_key *rev_key = &conn->key_node[CT_DIR_REV].key; ++ union ct_addr min_addr, max_addr, curr_addr, guard_addr; + bool pat_proto = fwd_key->nw_proto == IPPROTO_TCP || + fwd_key->nw_proto == IPPROTO_UDP; uint16_t min_dport, max_dport, curr_dport; uint16_t min_sport, max_sport, curr_sport; + uint32_t hash; ++ memset(&min_addr, 0, sizeof min_addr); ++ memset(&max_addr, 0, sizeof max_addr); ++ memset(&curr_addr, 0, sizeof curr_addr); ++ memset(&guard_addr, 0, sizeof guard_addr); ++ + hash = nat_range_hash(fwd_key, ct->hash_basis, nat_info); min_addr = nat_info->min_addr; max_addr = nat_info->max_addr; @@ -97050,7 +97084,7 @@ index 33a1a92953..a5d90dabaa 100644 } /* Check if next IP is in range and respin. Otherwise, notify -@@ -2465,7 +2347,7 @@ another_round: +@@ -2465,7 +2359,7 @@ another_round: next_addr: if (next_addr_in_range_guarded(&curr_addr, &min_addr, &max_addr, &guard_addr, @@ -97059,7 +97093,7 @@ index 33a1a92953..a5d90dabaa 100644 return false; } -@@ -2477,23 +2359,20 @@ conn_update(struct conntrack *ct, struct conn *conn, struct dp_packet *pkt, +@@ -2477,23 +2371,20 @@ conn_update(struct conntrack *ct, struct conn *conn, struct dp_packet *pkt, struct conn_lookup_ctx *ctx, long long now) { ovs_mutex_lock(&conn->lock); 
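Review bot: The new `memset(&min_addr, 0, sizeof min_addr);` and `memset(&max_addr, 0, sizeof max_addr);` are dead stores: both unions are overwritten whole by `min_addr = nat_info->min_addr;` and `max_addr = nat_info->max_addr;` a few lines later in the same hunk. Keeping only the curr_addr and guard_addr memsets, or declaring min_addr/max_addr with those assignments as initialisers, would make the intent clearer; I cannot see from here whether curr_addr and guard_addr are fully assigned before first use, since the rest of the body is outside the hunk. The hunk cuts nat_get_unique_tuple on both sides.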
@@ -97090,7 +97124,7 @@ index 33a1a92953..a5d90dabaa 100644 } static bool -@@ -2510,7 +2389,7 @@ new_conn(struct conntrack *ct, struct dp_packet *pkt, struct conn_key *key, +@@ -2510,7 +2401,7 @@ new_conn(struct conntrack *ct, struct dp_packet *pkt, struct conn_key *key, } static void @@ -97099,7 +97133,7 @@ index 33a1a92953..a5d90dabaa 100644 { free(conn->alg); free(conn); -@@ -2519,20 +2398,8 @@ delete_conn_cmn(struct conn *conn) +@@ -2519,20 +2410,8 @@ delete_conn_cmn(struct conn *conn) static void delete_conn(struct conn *conn) { @@ -97121,7 +97155,7 @@ index 33a1a92953..a5d90dabaa 100644 } /* Convert a conntrack address 'a' into an IP address 'b' based on 'dl_type'. -@@ -2610,7 +2477,9 @@ tuple_to_conn_key(const struct ct_dpif_tuple *tuple, uint16_t zone, +@@ -2610,7 +2489,9 @@ tuple_to_conn_key(const struct ct_dpif_tuple *tuple, uint16_t zone, key->src.icmp_type = tuple->icmp_type; key->src.icmp_code = tuple->icmp_code; key->dst.icmp_id = tuple->icmp_id; @@ -97132,7 +97166,7 @@ index 33a1a92953..a5d90dabaa 100644 key->dst.icmp_code = tuple->icmp_code; } else { key->src.port = tuple->src_port; -@@ -2623,11 +2492,14 @@ static void +@@ -2623,11 +2504,14 @@ static void conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry, long long now) { @@ -97150,7 +97184,7 @@ index 33a1a92953..a5d90dabaa 100644 ovs_mutex_lock(&conn->lock); entry->mark = conn->mark; -@@ -2635,7 +2507,7 @@ conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry, +@@ -2635,7 +2519,7 @@ conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry, long long expiration = conn->expiration - now; 
@@ -97159,7 +97193,7 @@ index 33a1a92953..a5d90dabaa 100644 if (class->conn_get_protoinfo) { class->conn_get_protoinfo(conn, &entry->protoinfo); } -@@ -2668,25 +2540,29 @@ conntrack_dump_start(struct conntrack *ct, struct conntrack_dump *dump, +@@ -2668,25 +2552,29 @@ conntrack_dump_start(struct conntrack *ct, struct conntrack_dump *dump, dump->ct = ct; *ptot_bkts = 1; /* Need to clean up the callers. */ @@ -97199,7 +97233,7 @@ index 33a1a92953..a5d90dabaa 100644 conn_to_ct_dpif_entry(conn, entry, now); return 0; } -@@ -2704,12 +2580,18 @@ conntrack_dump_done(struct conntrack_dump *dump OVS_UNUSED) +@@ -2704,12 +2592,18 @@ conntrack_dump_done(struct conntrack_dump *dump OVS_UNUSED) int conntrack_flush(struct conntrack *ct, const uint16_t *zone) { @@ -97221,7 +97255,7 @@ index 33a1a92953..a5d90dabaa 100644 } } ovs_mutex_unlock(&ct->ct_lock); -@@ -2721,19 +2603,19 @@ int +@@ -2721,19 +2615,19 @@ int conntrack_flush_tuple(struct conntrack *ct, const struct ct_dpif_tuple *tuple, uint16_t zone) { @@ -97244,7 +97278,7 @@ index 33a1a92953..a5d90dabaa 100644 error = ENOENT; } -@@ -2857,8 +2739,8 @@ expectation_clean(struct conntrack *ct, const struct conn_key *parent_key) +@@ -2857,8 +2751,8 @@ expectation_clean(struct conntrack *ct, const struct conn_key *parent_key) { ovs_rwlock_wrlock(&ct->resources_lock); @@ -97255,7 +97289,7 @@ index 33a1a92953..a5d90dabaa 100644 conn_key_hash(parent_key, ct->hash_basis), &ct->alg_expectation_refs) { if (!conn_key_cmp(&node->parent_key, parent_key)) { -@@ -2877,50 +2759,54 @@ expectation_create(struct conntrack *ct, ovs_be16 dst_port, +@@ -2877,50 +2771,54 @@ expectation_create(struct conntrack *ct, ovs_be16 dst_port, const struct conn *parent_conn, bool reply, bool src_ip_wc, bool skip_nat) { 
@@ -97322,7 +97356,7 @@ index 33a1a92953..a5d90dabaa 100644 sizeof alg_exp_node->parent_key); /* Take the write lock here because it is almost 100% * likely that the lookup will fail and -@@ -3172,12 +3058,16 @@ process_ftp_ctl_v4(struct conntrack *ct, +@@ -3172,12 +3070,16 @@ process_ftp_ctl_v4(struct conntrack *ct, switch (mode) { case CT_FTP_MODE_ACTIVE: @@ -97343,7 +97377,7 @@ index 33a1a92953..a5d90dabaa 100644 break; case CT_TFTP_MODE: default: -@@ -3209,7 +3099,7 @@ skip_ipv6_digits(char *str) +@@ -3209,7 +3111,7 @@ skip_ipv6_digits(char *str) static enum ftp_ctl_pkt process_ftp_ctl_v6(struct conntrack *ct, struct dp_packet *pkt, @@ -97352,7 +97386,7 @@ index 33a1a92953..a5d90dabaa 100644 union ct_addr *v6_addr_rep, char **ftp_data_start, size_t *addr_offset_from_ftp_data_start, size_t *addr_size, enum ct_alg_mode *mode) -@@ -3277,24 +3167,25 @@ process_ftp_ctl_v6(struct conntrack *ct, +@@ -3277,24 +3179,25 @@ process_ftp_ctl_v6(struct conntrack *ct, switch (*mode) { case CT_FTP_MODE_ACTIVE: @@ -97382,7 +97416,7 @@ index 33a1a92953..a5d90dabaa 100644 !!(pkt->md.ct_state & CS_REPLY_DIR), false, false); return CT_FTP_CTL_INTEREST; } -@@ -3448,7 +3339,8 @@ handle_tftp_ctl(struct conntrack *ct, +@@ -3448,7 +3351,8 @@ handle_tftp_ctl(struct conntrack *ct, long long now OVS_UNUSED, enum ftp_ctl_pkt ftp_ctl OVS_UNUSED, bool nat OVS_UNUSED) { diff --git a/SPECS/openvswitch2.17.spec b/SPECS/openvswitch2.17.spec index e4b3773..262b081 100644 --- a/SPECS/openvswitch2.17.spec +++ b/SPECS/openvswitch2.17.spec @@ -63,7 +63,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 2.17.0 -Release: 168%{?dist} +Release: 169%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL 
@@ -749,6 +749,13 @@ exit 0 %endif %changelog +* Tue May 14 2024 Open vSwitch CI - 2.17.0-169 +- Merging upstream branch-2.17 [RH git: b2beb2fa0a] + Commit list: + c553026ecd conntrack: Fully initialize conn struct before insertion. + 966ed838e3 conntrack: Do not use {0} to initialize unions. + + * Tue May 07 2024 Open vSwitch CI - 2.17.0-168 - Merging upstream branch-2.17 [RH git: 3bced0ab82] Commit list: