[ovs-git] [openvswitch/ovs] efba5a: ofproto-dpif: Reject partial ct_labels if unsuppor...

GitHub noreply at github.com
Tue Dec 1 23:37:24 UTC 2015


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: efba5ae4643c3806dabe4d0dff5494ddb6359b69
      https://github.com/openvswitch/ovs/commit/efba5ae4643c3806dabe4d0dff5494ddb6359b69
  Author: Joe Stringer <joestringer at nicira.com>
  Date:   2015-12-01 (Tue, 01 Dec 2015)

  Changed paths:
    M lib/flow.h
    M ofproto/ofproto-dpif.c

  Log Message:
  -----------
  ofproto-dpif: Reject partial ct_labels if unsupported.

If only half of a ct_label is present in a miniflow/minimask (e.g., only
matching on one specific bit), then rule_check() would allow the flow
even if ct_label was unsupported, because it required both 64-bit fields
that comprise the ct_label to be present in the miniflow before
performing the check.

Fix this by populating the stack copy of the label directly from the
miniflow fields if available (or zero each 64-bit word if unavailable).

Suggested-by: Jarno Rajahalme <jrajahalme at nicira.com>
Signed-off-by: Joe Stringer <joestringer at nicira.com>
Acked-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 95619d8c3011254a65cdc72d83d0f3638167c264
      https://github.com/openvswitch/ovs/commit/95619d8c3011254a65cdc72d83d0f3638167c264
  Author: Joe Stringer <joestringer at nicira.com>
  Date:   2015-12-01 (Tue, 01 Dec 2015)

  Changed paths:
    M ofproto/ofproto-dpif.c

  Log Message:
  -----------
  ofproto-dpif: Validate ct_* field masks.

When inserting rules that match on connection tracking fields, datapath
support must be checked before allowing or denying the rule insertion.
Previously we only disallowed flows that had non-zero values for the
ct_* field, but allowed non-zero masks. This meant that, e.g.:

ct_state=-trk,...

Would be allowed, while

ct_state=+trk,...

Would be disallowed, due to lack of datapath support.

Fix this by performing the check on masks instead of the flows.

Reported-by: Ravindra Kenchappa <ravindra.kenchappa at hpe.com>
Signed-off-by: Joe Stringer <joestringer at nicira.com>
Acked-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 11968381be82dcfbfdd0823b7aed35d3ee3c7048
      https://github.com/openvswitch/ovs/commit/11968381be82dcfbfdd0823b7aed35d3ee3c7048
  Author: Joe Stringer <joestringer at nicira.com>
  Date:   2015-12-01 (Tue, 01 Dec 2015)

  Changed paths:
    M ofproto/ofproto-dpif.c

  Log Message:
  -----------
  ofproto-dpif: Shortcut common case in rule_check().

Typically the datapath will support all available features, so check
that first before attempting to retrieve various values out of a
minimask as the latter doesn't need to be checked if all fields are
supported.

ct_state is an exception, because support for the bits in this field is
not binary; only some bits are defined so far, so they must still be
checked against the current known supported bits.

Suggested-by: Jarno Rajahalme <jrajahalme at nicira.com>
Signed-off-by: Joe Stringer <joestringer at nicira.com>
Acked-by: Jarno Rajahalme <jarno at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/e496a484cf53...11968381be82
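
Added example (not code from the OVS tree or from these commits): a simplified C model of the check the log messages above describe, contrasting validation of match values with validation of match masks for `ct_state=-trk`, `ct_state=+trk` and a one-bit ct_label match. The `ex_*` structures, the `EX_CS_TRK` bit value and all helper names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified stand-ins for illustration; not OVS structures or constants. */
#define EX_CS_TRK 0x20u                 /* constructed bit for "trk" */

struct ex_match {                       /* value/mask pair per field */
    uint32_t state_value, state_mask;
    uint64_t label_value[2], label_mask[2];  /* 128-bit label as 2 words */
};

struct ex_support {
    uint32_t ct_state_bits;             /* ct_state bits the datapath knows */
    bool ct_label;                      /* label matching available at all */
};

/* Before: inspects values only, so matching on a cleared bit slips through. */
static bool check_by_value(const struct ex_match *m, const struct ex_support *s)
{
    if (m->state_value & ~s->ct_state_bits) return false;
    if (!s->ct_label && (m->label_value[0] | m->label_value[1])) return false;
    return true;
}

/* After: inspects masks, so any examined bit needs datapath support. */
static bool check_by_mask(const struct ex_match *m, const struct ex_support *s)
{
    if (m->state_mask & ~s->ct_state_bits) return false;
    if (!s->ct_label && (m->label_mask[0] | m->label_mask[1])) return false;
    return true;
}

/* Constructed sample rules. */
static struct ex_match minus_trk(void)      /* ct_state=-trk */
{ return (struct ex_match){ .state_value = 0, .state_mask = EX_CS_TRK }; }
static struct ex_match plus_trk(void)       /* ct_state=+trk */
{ return (struct ex_match){ .state_value = EX_CS_TRK, .state_mask = EX_CS_TRK }; }
static struct ex_match one_label_bit(void)  /* one bit, in one word only */
{ return (struct ex_match){ .label_mask = { 0, 1 } }; }

int main(void)
{
    struct ex_support none = { 0, false };  /* datapath without conntrack */
    struct ex_match a = minus_trk(), b = plus_trk(), c = one_label_bit();
    /* Exit 0 when the value check wrongly admits a and c while the mask
     * check rejects all three. */
    return !(check_by_value(&a, &none) && !check_by_value(&b, &none)
             && check_by_value(&c, &none) && !check_by_mask(&a, &none)
             && !check_by_mask(&b, &none) && !check_by_mask(&c, &none));
}
```

Because the mask check is bitwise, it also covers the ct_state case in the third commit: a datapath that supports only some ct_state bits still rejects a rule whose mask touches a bit outside that set.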

