rebase master from lts-2203

wangkerong 2022-08-05 17:36:47 +08:00
parent e8627c9574
commit b3793b7a39
3 changed files with 55 additions and 175 deletions


@ -1,159 +0,0 @@
From patchwork Sat Mar 21 06:54:21 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: wenxu <wenxu@ucloud.cn>
X-Patchwork-Id: 1259295
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized)
smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133;
helo=hemlock.osuosl.org;
envelope-from=ovs-dev-bounces@openvswitch.org;
receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
dmarc=fail (p=none dis=none) header.from=ucloud.cn
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
bits)) (No client certificate requested)
by ozlabs.org (Postfix) with ESMTPS id 48krwp45Rqz9sPR
for <incoming@patchwork.ozlabs.org>;
Sat, 21 Mar 2020 17:54:34 +1100 (AEDT)
Received: from localhost (localhost [127.0.0.1])
by hemlock.osuosl.org (Postfix) with ESMTP id 1829489424;
Sat, 21 Mar 2020 06:54:33 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 3JodhcswCEYy; Sat, 21 Mar 2020 06:54:31 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
by hemlock.osuosl.org (Postfix) with ESMTP id 9C17E89383;
Sat, 21 Mar 2020 06:54:31 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
by lists.linuxfoundation.org (Postfix) with ESMTP id 8470EC089F;
Sat, 21 Mar 2020 06:54:31 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
by lists.linuxfoundation.org (Postfix) with ESMTP id E1868C07FF
for <dev@openvswitch.org>; Sat, 21 Mar 2020 06:54:29 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by fraxinus.osuosl.org (Postfix) with ESMTP id DEBC286813
for <dev@openvswitch.org>; Sat, 21 Mar 2020 06:54:29 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from fraxinus.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id vvlN2NAtNL6N for <dev@openvswitch.org>;
Sat, 21 Mar 2020 06:54:28 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from m9784.mail.qiye.163.com (m9784.mail.qiye.163.com
[220.181.97.84])
by fraxinus.osuosl.org (Postfix) with ESMTPS id 5B60C8679E
for <dev@openvswitch.org>; Sat, 21 Mar 2020 06:54:28 +0000 (UTC)
Received: from localhost.localdomain (unknown [123.59.132.129])
by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 9C56941610;
Sat, 21 Mar 2020 14:54:21 +0800 (CST)
From: wenxu@ucloud.cn
To: simon.horman@netronome.com
Date: Sat, 21 Mar 2020 14:54:21 +0800
Message-Id: <1584773661-6886-1-git-send-email-wenxu@ucloud.cn>
X-Mailer: git-send-email 1.8.3.1
X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZSFVPSU1CQkJDS0xITkxMQllXWShZQU
lCN1dZLVlBSVdZCQ4XHghZQVk1NCk2OjckKS43PlkG
X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6PAg6Ixw4KTgxQxM0EzoKHBQX
EDwKCiNVSlVKTkNPTExITU1KTUNDVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO
QlVKSElVSklCWVdZCAFZQUhNQk03Bg++
X-HM-Tid: 0a70fbdf03d02086kuqy9c56941610
Cc: dev@openvswitch.org
Subject: [ovs-dev] [PATCH branch-2.12] dpif-netlink: avoid netlink modify
flow put op failed after tc modify flow put op failed.
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>
From: wenxu <wenxu@ucloud.cn>
The tc modify flow put always delete the original flow first and
then add the new flow. If the modfiy flow put operation failed,
the flow put operation will change from modify to create if success
to delete the original flow in tc (which will be always failed with
ENOENT, the flow is already be deleted before add the new flow in tc).
Finally, the modify flow put will failed to add in kernel datapath.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
lib/dpif-netlink.c | 7 ++++++-
lib/netdev-offload-tc.c | 7 +++++--
lib/netdev-offload.h | 3 +++
3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c
index 7bc71d6..7e088c0 100644
--- a/lib/dpif-netlink.c
+++ b/lib/dpif-netlink.c
@@ -2038,6 +2038,7 @@ parse_flow_put(struct dpif_netlink *dpif, struct dpif_flow_put *put)
info.dpif_class = dpif_class;
info.tp_dst_port = dst_port;
info.tunnel_csum_on = csum_on;
+ info.tc_modify_flow_deleted = false;
err = netdev_flow_put(dev, &match,
CONST_CAST(struct nlattr *, put->actions),
put->actions_len,
@@ -2088,7 +2089,11 @@ parse_flow_put(struct dpif_netlink *dpif, struct dpif_flow_put *put)
out:
if (err && err != EEXIST && (put->flags & DPIF_FP_MODIFY)) {
/* Modified rule can't be offloaded, try and delete from HW */
- int del_err = netdev_flow_del(dev, put->ufid, put->stats);
+ int del_err = 0;
+
+ if (!info.tc_modify_flow_deleted) {
+ del_err = netdev_flow_del(dev, put->ufid, put->stats);
+ }
if (!del_err) {
/* Delete from hw success, so old flow was offloaded.
diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c
index 4cc044b..c95de1e 100644
--- a/lib/netdev-offload-tc.c
+++ b/lib/netdev-offload-tc.c
@@ -1359,9 +1359,12 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match,
block_id = get_block_id_from_netdev(netdev);
handle = get_ufid_tc_mapping(ufid, &prio, NULL);
if (handle && prio) {
+ bool flow_deleted;
+
VLOG_DBG_RL(&rl, "updating old handle: %d prio: %d", handle, prio);
- del_filter_and_ufid_mapping(ifindex, prio, handle, block_id, ufid,
- hook);
+ flow_deleted = !del_filter_and_ufid_mapping(ifindex, prio, handle,
+ block_id, ufid, hook);
+ info->tc_modify_flow_deleted = flow_deleted;
}
if (!prio) {
diff --git a/lib/netdev-offload.h b/lib/netdev-offload.h
index 97a5006..34721ef 100644
--- a/lib/netdev-offload.h
+++ b/lib/netdev-offload.h
@@ -71,6 +71,9 @@ struct offload_info {
* it will be in the pkt meta data.
*/
uint32_t flow_mark;
+
+ bool tc_modify_flow_deleted; /* Indicate the tc modify flow put success
+ * to delete the original flow. */
};
int netdev_flow_flush(struct netdev *);
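Review bot: deleting this file drops the branch-2.12 fix "dpif-netlink: avoid netlink modify flow put op failed after tc modify flow put op failed" from the package, and nothing in the diff says why. If the lts-2203 tree being rebased onto already carries the change in another form, or the fix is deliberately not wanted in 2.12.0-22, record that in the commit message or changelog; otherwise a host with tc hardware offload enabled gets back the failure described at the top of the patch, where a failed modify leaves the flow deleted from tc and not added to the kernel datapath.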

fix-selinux-err.patch Normal file

@ -0,0 +1,41 @@
From 3b35964c7da2a4000486c57e2c347c8cc67ac393 Mon Sep 17 00:00:00 2001
Date: Wed, 1 Sep 2021 16:54:34 +0800
Subject: [PATCH] openvswitch-2
---
selinux/openvswitch-custom.te.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index b2c63ab..8f76c14 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -15,10 +15,12 @@ require {
type ifconfig_exec_t;
type init_t;
type init_var_run_t;
+ type initrc_t;
type insmod_exec_t;
type kernel_t;
type hostname_exec_t;
type modules_conf_t;
+ type modules_dep_t;
type modules_object_t;
type passwd_file_t;
type plymouth_exec_t;
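Review bot: the patch header has no From/author line and the subject "[PATCH] openvswitch-2" says nothing about the change; the spec changelog calls it "Fix selinux preventing ovs-kmod-ctl err", so use that as the subject and add a body quoting the AVC denials the new rules were derived from. The `type initrc_t;` and `type modules_dep_t;` declarations are the right additions to the require block for the allow rules below, but without the denials on record a later maintainer cannot tell whether those two rules are still needed.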
@@ -117,10 +119,12 @@ allow openvswitch_t openvswitch_load_module_t:process transition;
allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
+allow openvswitch_load_module_t initrc_t:fifo_file ioctl;
allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
allow openvswitch_load_module_t kernel_t:system module_request;
allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
+allow openvswitch_load_module_t modules_dep_t:file open;
allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
allow openvswitch_load_module_t modules_object_t:dir { getattr open read search };
allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
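Review bot: `allow openvswitch_load_module_t modules_dep_t:file open;` grants open without read or getattr, while every other file rule in this block (for example `modules_conf_t:file { getattr open read }`) grants the full set; a module loader has to read modules.dep after opening it, so this line was likely written from a single AVC message and will be followed by the next denial. Re-check against the full denial sequence and grant `{ getattr open read }` only if that is what is actually exercised. Likewise `initrc_t:fifo_file ioctl` on its own has the shape of a pipe descriptor leaked from the init script; if ovs-kmod-ctl works without it, a `dontaudit` is the least-privilege answer rather than an allow.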
--
2.27.0


@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch
URL: http://www.openvswitch.org/ URL: http://www.openvswitch.org/
Version: 2.12.0 Version: 2.12.0
License: ASL 2.0 and ISC License: ASL 2.0 and ISC
Release: 21 Release: 22
Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
Buildroot: /tmp/openvswitch-rpm Buildroot: /tmp/openvswitch-rpm
Patch0000: 0000-openvswitch-add-stack-protector-strong.patch Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
@ -18,10 +18,11 @@ Patch0005: CVE-2020-35498.patch
Patch0006: CVE-2020-27827.patch Patch0006: CVE-2020-27827.patch
Patch0007: CVE-2015-8011.patch Patch0007: CVE-2015-8011.patch
Patch0008: backport-CVE-2021-36980.patch Patch0008: backport-CVE-2021-36980.patch
Patch0009: backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch Patch0009: CVE-2021-3905.patch
Patch0010: CVE-2021-3905.patch
Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted libsepol >= 3.1 Patch9000: fix-selinux-err.patch
Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted
BuildRequires: python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel BuildRequires: python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel
BuildRequires: python3-devel BuildRequires: python3-devel
Provides: openvswitch-selinux-policy = %{version}-%{release} Provides: openvswitch-selinux-policy = %{version}-%{release}
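Review bot: three changes in this hunk have no matching changelog line: Patch0009 switches from backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch to CVE-2021-3905.patch (so the backport is dropped, not renumbered), Patch0010 disappears, and `libsepol >= 3.1` is removed from Requires at the same time a new SELinux policy patch is added as Patch9000. Please either keep the libsepol requirement or state why the rebuilt policy no longer needs it, and confirm that %prep applies Patch9000, since this hunk only adds the declaration.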
@ -290,20 +291,17 @@ exit 0
%doc README.rst NEWS rhel/README.RHEL.rst %doc README.rst NEWS rhel/README.RHEL.rst
%changelog %changelog
* Fri Jul 8 2022 qz_cx <wangqingzheng@kylinos.cn> - 2.12.0-21 * Mon Jul 25 2022 zhouwenpei <zhouwenpei1@h-pattners.com> - 2.12.0-22
- Type:cve - revent "Add ovn-central ovn-central and ovn-host subpackage"
- ID:CVE-2021-3905
- SUG:NA
- DESC: fix CVE-2021-3905
* Wed Apr 06 2022 chenjian <chenjian@kylinos.cn> - 2.12.0-20 * Wed Jul 13 2022 zhouwenpei <zhouwenpei1@h-pattners.com> - 2.12.0-21
- add backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch - fix CVE-2021-3905
* Mon Oct 18 2021 yangcheng <yangcheng87@huawei.com> - 2.12.0-19 * Wed May 18 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 2.12.0-20
- Type:bugfix - Add ovn-central ovn-central and ovn-host subpackage
- ID:NA
- SUG:NA * Thu Sep 2 2021 hanhui <hanhui15@huawei.com> - 2.12.0-19
- DESC: fix the error of opevswitch installation and upgrade - Fix selinux preventing ovs-kmod-ctl err
* Wed Sep 1 2021 hanhui <hanhui15@huawei.com> - 2.12.0-18 * Wed Sep 1 2021 hanhui <hanhui15@huawei.com> - 2.12.0-18
- Change the OVS startup mode to service startup. - Change the OVS startup mode to service startup.
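Review bot: the 2.12.0-22 entry reads "revent" where "revert" is meant, and neither the -22 nor the -21 entry records the removal of the dpif-netlink backport patch or the dropped libsepol requirement made in the same spec file. The rewritten entries also abandon the Type/ID/SUG/DESC layout the replaced -21/-20/-19 entries used; if the packaging guidelines still expect it, the CVE-2021-3905 entry in particular should carry the ID field.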