rebase master from lts-2203

backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch

@@ -1,159 +0,0 @@
-From patchwork Sat Mar 21 06:54:21 2020
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: wenxu <wenxu@ucloud.cn>
-X-Patchwork-Id: 1259295
-Return-Path: <ovs-dev-bounces@openvswitch.org>
-X-Original-To: incoming@patchwork.ozlabs.org
-Delivered-To: patchwork-incoming@bilbo.ozlabs.org
-Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized)
-	smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133;
-	helo=hemlock.osuosl.org;
-	envelope-from=ovs-dev-bounces@openvswitch.org;
-	receiver=<UNKNOWN>)
-Authentication-Results: ozlabs.org;
-	dmarc=fail (p=none dis=none) header.from=ucloud.cn
-Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
-	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
-	bits)) (No client certificate requested)
-	by ozlabs.org (Postfix) with ESMTPS id 48krwp45Rqz9sPR
-	for <incoming@patchwork.ozlabs.org>;
-	Sat, 21 Mar 2020 17:54:34 +1100 (AEDT)
-Received: from localhost (localhost [127.0.0.1])
-	by hemlock.osuosl.org (Postfix) with ESMTP id 1829489424;
-	Sat, 21 Mar 2020 06:54:33 +0000 (UTC)
-X-Virus-Scanned: amavisd-new at osuosl.org
-Received: from hemlock.osuosl.org ([127.0.0.1])
-	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
-	with ESMTP id 3JodhcswCEYy; Sat, 21 Mar 2020 06:54:31 +0000 (UTC)
-Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
-	by hemlock.osuosl.org (Postfix) with ESMTP id 9C17E89383;
-	Sat, 21 Mar 2020 06:54:31 +0000 (UTC)
-Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
-	by lists.linuxfoundation.org (Postfix) with ESMTP id 8470EC089F;
-	Sat, 21 Mar 2020 06:54:31 +0000 (UTC)
-X-Original-To: dev@openvswitch.org
-Delivered-To: ovs-dev@lists.linuxfoundation.org
-Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
-	by lists.linuxfoundation.org (Postfix) with ESMTP id E1868C07FF
-	for <dev@openvswitch.org>; Sat, 21 Mar 2020 06:54:29 +0000 (UTC)
-Received: from localhost (localhost [127.0.0.1])
-	by fraxinus.osuosl.org (Postfix) with ESMTP id DEBC286813
-	for <dev@openvswitch.org>; Sat, 21 Mar 2020 06:54:29 +0000 (UTC)
-X-Virus-Scanned: amavisd-new at osuosl.org
-Received: from fraxinus.osuosl.org ([127.0.0.1])
-	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
-	with ESMTP id vvlN2NAtNL6N for <dev@openvswitch.org>;
-	Sat, 21 Mar 2020 06:54:28 +0000 (UTC)
-X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
-Received: from m9784.mail.qiye.163.com (m9784.mail.qiye.163.com
-	[220.181.97.84])
-	by fraxinus.osuosl.org (Postfix) with ESMTPS id 5B60C8679E
-	for <dev@openvswitch.org>; Sat, 21 Mar 2020 06:54:28 +0000 (UTC)
-Received: from localhost.localdomain (unknown [123.59.132.129])
-	by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 9C56941610;
-	Sat, 21 Mar 2020 14:54:21 +0800 (CST)
-From: wenxu@ucloud.cn
-To: simon.horman@netronome.com
-Date: Sat, 21 Mar 2020 14:54:21 +0800
-Message-Id: <1584773661-6886-1-git-send-email-wenxu@ucloud.cn>
-X-Mailer: git-send-email 1.8.3.1
-X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZSFVPSU1CQkJDS0xITkxMQllXWShZQU
-	lCN1dZLVlBSVdZCQ4XHghZQVk1NCk2OjckKS43PlkG
-X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6PAg6Ixw4KTgxQxM0EzoKHBQX
-	EDwKCiNVSlVKTkNPTExITU1KTUNDVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO
-	QlVKSElVSklCWVdZCAFZQUhNQk03Bg++
-X-HM-Tid: 0a70fbdf03d02086kuqy9c56941610
-Cc: dev@openvswitch.org
-Subject: [ovs-dev] [PATCH branch-2.12] dpif-netlink: avoid netlink modify
-	flow put op failed after tc modify flow put op failed.
-X-BeenThere: ovs-dev@openvswitch.org
-X-Mailman-Version: 2.1.15
-Precedence: list
-List-Id: <ovs-dev.openvswitch.org>
-List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
-	<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
-List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
-List-Post: <mailto:ovs-dev@openvswitch.org>
-List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
-List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
-	<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
-MIME-Version: 1.0
-Errors-To: ovs-dev-bounces@openvswitch.org
-Sender: "dev" <ovs-dev-bounces@openvswitch.org>
-
-From: wenxu <wenxu@ucloud.cn>
-
-The tc modify flow put always delete the original flow first and
-then add the new flow. If the modfiy flow put operation failed,
-the flow put operation will change from modify to create if success
-to delete the original flow in tc (which will be always failed with
-ENOENT, the flow is already be deleted before add the new flow in tc).
-Finally, the modify flow put will failed to add in kernel datapath.
-
-Signed-off-by: wenxu <wenxu@ucloud.cn>
----
- lib/dpif-netlink.c      | 7 ++++++-
- lib/netdev-offload-tc.c | 7 +++++--
- lib/netdev-offload.h    | 3 +++
- 3 files changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c
-index 7bc71d6..7e088c0 100644
---- a/lib/dpif-netlink.c
-+++ b/lib/dpif-netlink.c
-@@ -2038,6 +2038,7 @@ parse_flow_put(struct dpif_netlink *dpif, struct dpif_flow_put *put)
-     info.dpif_class = dpif_class;
-     info.tp_dst_port = dst_port;
-     info.tunnel_csum_on = csum_on;
-+    info.tc_modify_flow_deleted = false;
-     err = netdev_flow_put(dev, &match,
-                           CONST_CAST(struct nlattr *, put->actions),
-                           put->actions_len,
-@@ -2088,7 +2089,11 @@ parse_flow_put(struct dpif_netlink *dpif, struct dpif_flow_put *put)
- out:
-     if (err && err != EEXIST && (put->flags & DPIF_FP_MODIFY)) {
-         /* Modified rule can't be offloaded, try and delete from HW */
--        int del_err = netdev_flow_del(dev, put->ufid, put->stats);
-+        int del_err = 0;
-+
-+        if (!info.tc_modify_flow_deleted) {
-+            del_err = netdev_flow_del(dev, put->ufid, put->stats);
-+        }
- 
-         if (!del_err) {
-             /* Delete from hw success, so old flow was offloaded.
-diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c
-index 4cc044b..c95de1e 100644
---- a/lib/netdev-offload-tc.c
-+++ b/lib/netdev-offload-tc.c
-@@ -1359,9 +1359,12 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match,
-     block_id = get_block_id_from_netdev(netdev);
-     handle = get_ufid_tc_mapping(ufid, &prio, NULL);
-     if (handle && prio) {
-+        bool flow_deleted;
-+
-         VLOG_DBG_RL(&rl, "updating old handle: %d prio: %d", handle, prio);
--        del_filter_and_ufid_mapping(ifindex, prio, handle, block_id, ufid,
--                                    hook);
-+        flow_deleted = !del_filter_and_ufid_mapping(ifindex, prio, handle,
-+                                                    block_id, ufid, hook);
-+        info->tc_modify_flow_deleted = flow_deleted;
-     }
- 
-     if (!prio) {
-diff --git a/lib/netdev-offload.h b/lib/netdev-offload.h
-index 97a5006..34721ef 100644
---- a/lib/netdev-offload.h
-+++ b/lib/netdev-offload.h
-@@ -71,6 +71,9 @@ struct offload_info {
-      * it will be in the pkt meta data.
-      */
-     uint32_t flow_mark;
-+
-+    bool tc_modify_flow_deleted; /* Indicate the tc modify flow put success
-+                                  * to delete the original flow. */
- };
- 
- int netdev_flow_flush(struct netdev *);

fix-selinux-err.patch

@@ -0,0 +1,41 @@
+From 3b35964c7da2a4000486c57e2c347c8cc67ac393 Mon Sep 17 00:00:00 2001
+Date: Wed, 1 Sep 2021 16:54:34 +0800
+Subject: [PATCH] openvswitch-2
+
+---
+ selinux/openvswitch-custom.te.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
+index b2c63ab..8f76c14 100644
+--- a/selinux/openvswitch-custom.te.in
++++ b/selinux/openvswitch-custom.te.in
+@@ -15,10 +15,12 @@ require {
+         type ifconfig_exec_t;
+         type init_t;
+         type init_var_run_t;
++        type initrc_t;
+         type insmod_exec_t;
+         type kernel_t;
+         type hostname_exec_t;
+         type modules_conf_t;
++        type modules_dep_t;
+         type modules_object_t;
+         type passwd_file_t;
+         type plymouth_exec_t;
+@@ -117,10 +119,12 @@ allow openvswitch_t openvswitch_load_module_t:process transition;
+ allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
+ allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
+ allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
++allow openvswitch_load_module_t initrc_t:fifo_file ioctl;
+ allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
+ allow openvswitch_load_module_t kernel_t:system module_request;
+ allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
+ allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
++allow openvswitch_load_module_t modules_dep_t:file open;
+ allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
+ allow openvswitch_load_module_t modules_object_t:dir { getattr open read search };
+ allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
+-- 
+2.27.0
+

openvswitch.spec

@@ -6,7 +6,7 @@ Summary:        Production Quality, Multilayer Open Virtual Switch
 URL:            http://www.openvswitch.org/
 Version:        2.12.0
 License:        ASL 2.0 and ISC
-Release:        21
+Release:        22
 Source:         https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Buildroot:      /tmp/openvswitch-rpm
 Patch0000:      0000-openvswitch-add-stack-protector-strong.patch
@@ -18,10 +18,11 @@ Patch0005:      CVE-2020-35498.patch
 Patch0006:      CVE-2020-27827.patch
 Patch0007:      CVE-2015-8011.patch
 Patch0008:      backport-CVE-2021-36980.patch
-Patch0009:	backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch
-Patch0010:	CVE-2021-3905.patch
+Patch0009:      CVE-2021-3905.patch
 
-Requires:       logrotate hostname python >= 3.8 python3-six selinux-policy-targeted libsepol >= 3.1
+Patch9000:      fix-selinux-err.patch
+
+Requires:       logrotate hostname python >= 3.8 python3-six selinux-policy-targeted
 BuildRequires:  python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel
 BuildRequires:  python3-devel
 Provides:       openvswitch-selinux-policy = %{version}-%{release}
@@ -290,20 +291,17 @@ exit 0
 %doc README.rst NEWS rhel/README.RHEL.rst
 
 %changelog
-* Fri Jul 8 2022 qz_cx <wangqingzheng@kylinos.cn> - 2.12.0-21
-- Type:cve
-- ID:CVE-2021-3905
-- SUG:NA
-- DESC: fix CVE-2021-3905
+* Mon Jul 25 2022 zhouwenpei <zhouwenpei1@h-pattners.com> - 2.12.0-22
+- revent "Add ovn-central ovn-central and ovn-host subpackage"
 
-* Wed Apr 06 2022 chenjian <chenjian@kylinos.cn> - 2.12.0-20
-- add backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch
+* Wed Jul 13 2022 zhouwenpei <zhouwenpei1@h-pattners.com> - 2.12.0-21
+- fix CVE-2021-3905
 
-* Mon Oct 18 2021 yangcheng <yangcheng87@huawei.com> - 2.12.0-19
-- Type:bugfix
-- ID:NA
-- SUG:NA
-- DESC: fix the error of opevswitch installation and upgrade
+* Wed May 18 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 2.12.0-20
+- Add ovn-central ovn-central and ovn-host subpackage
+
+* Thu Sep 2 2021 hanhui <hanhui15@huawei.com> - 2.12.0-19
+- Fix selinux preventing ovs-kmod-ctl err
 
 * Wed Sep 1 2021 hanhui <hanhui15@huawei.com> - 2.12.0-18
 - Change the OVS startup mode to service startup.