!200 remove rpath

From: @zhangxianting 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw

backport-CVE-2023-1668.patch

@@ -1,433 +0,0 @@
-From 27fb5db7f727ffc056f024f9ba4936facccb5f40 Mon Sep 17 00:00:00 2001
-From: Aaron Conole <aconole@redhat.com>
-Date: Fri, 31 Mar 2023 17:17:27 -0400
-Subject: [PATCH] ofproto-dpif-xlate: Always mask ip proto field.
-
-The ofproto layer currently treats nw_proto field as overloaded to mean
-both that a proper nw layer exists, as well as the value contained in
-the header for the nw proto.  However, this is incorrect behavior as
-relevant standards permit that any value, including '0' should be treated
-as a valid value.
-
-Because of this overload, when the ofproto layer builds action list for
-a packet with nw_proto of 0, it won't build the complete action list that
-we expect to be built for the packet.  That will cause a bad behavior
-where all packets passing the datapath will fall into an incomplete
-action set.
-
-The fix here is to unwildcard nw_proto, allowing us to preserve setting
-actions for protocols which we know have support for the actions we
-program.  This means that a traffic which contains nw_proto == 0 cannot
-cause connectivity breakage with other traffic on the link.
-
-Reported-by: David Marchand <dmarchand@redhat.com>
-Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873
-Acked-by: Ilya Maximets <i.maximets@ovn.org>
-Signed-off-by: Aaron Conole <aconole@redhat.com>
-Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
----
- include/openvswitch/meta-flow.h |   4 +
- lib/meta-flow.c                 |  25 +++++
- ofproto/ofproto-dpif-xlate.c    |   8 ++
- tests/ofproto-dpif.at           |  18 ++--
- tests/ofproto.at                | 182 ++++++++++++++++++++++++++++++++
- tests/packet-type-aware.at      |   2 +-
- 6 files changed, 229 insertions(+), 10 deletions(-)
-
-diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h
-index 045dce8f5fa..3b0220aaa25 100644
---- a/include/openvswitch/meta-flow.h
-+++ b/include/openvswitch/meta-flow.h
-@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue *subvalue, struct ds *s);
- void field_array_set(enum mf_field_id id, const union mf_value *,
-                      struct field_array *);
- 
-+/* Mask the required l3 prerequisites if a 'set' action occurs. */
-+void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *,
-+                            struct flow_wildcards *);
-+
- #ifdef __cplusplus
- }
- #endif
-diff --git a/lib/meta-flow.c b/lib/meta-flow.c
-index c576ae6202a..474344194fa 100644
---- a/lib/meta-flow.c
-+++ b/lib/meta-flow.c
-@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x)
-     bitmap_not(x.bm, MFF_N_IDS);
-     return x;
- }
-+
-+void
-+mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl,
-+                       struct flow_wildcards *wc)
-+{
-+    if (is_ip_any(fl) &&
-+        ((mf->id == MFF_IPV4_SRC) ||
-+         (mf->id == MFF_IPV4_DST) ||
-+         (mf->id == MFF_IPV6_SRC) ||
-+         (mf->id == MFF_IPV6_DST) ||
-+         (mf->id == MFF_IPV6_LABEL) ||
-+         (mf->id == MFF_IP_DSCP) ||
-+         (mf->id == MFF_IP_ECN) ||
-+         (mf->id == MFF_IP_TTL))) {
-+        WC_MASK_FIELD(wc, nw_proto);
-+    } else if ((fl->dl_type == htons(ETH_TYPE_ARP)) &&
-+               ((mf->id == MFF_ARP_OP) ||
-+                (mf->id == MFF_ARP_SHA) ||
-+                (mf->id == MFF_ARP_THA) ||
-+                (mf->id == MFF_ARP_SPA) ||
-+                (mf->id == MFF_ARP_TPA))) {
-+        /* mask only the lower 8 bits. */
-+        wc->masks.nw_proto = 0xff;
-+    }
-+}
-diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
-index 8a28b29d4c2..c9bd075a90d 100644
---- a/ofproto/ofproto-dpif-xlate.c
-+++ b/ofproto/ofproto-dpif-xlate.c
-@@ -5186,6 +5186,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct ofpact_cnt_ids *ids)
-     }
- 
-     ctx->wc->masks.nw_ttl = 0xff;
-+    WC_MASK_FIELD(ctx->wc, nw_proto);
-     if (flow->nw_ttl > 1) {
-         flow->nw_ttl--;
-         return false;
-@@ -7094,6 +7095,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
-         case OFPACT_SET_IPV4_SRC:
-             if (flow->dl_type == htons(ETH_TYPE_IP)) {
-                 memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src);
-+                WC_MASK_FIELD(wc, nw_proto);
-                 flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4;
-             }
-             break;
-@@ -7101,12 +7103,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
-         case OFPACT_SET_IPV4_DST:
-             if (flow->dl_type == htons(ETH_TYPE_IP)) {
-                 memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst);
-+                WC_MASK_FIELD(wc, nw_proto);
-                 flow->nw_dst = ofpact_get_SET_IPV4_DST(a)->ipv4;
-             }
-             break;
- 
-         case OFPACT_SET_IP_DSCP:
-             if (is_ip_any(flow)) {
-+                WC_MASK_FIELD(wc, nw_proto);
-                 wc->masks.nw_tos |= IP_DSCP_MASK;
-                 flow->nw_tos &= ~IP_DSCP_MASK;
-                 flow->nw_tos |= ofpact_get_SET_IP_DSCP(a)->dscp;
-@@ -7115,6 +7119,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
- 
-         case OFPACT_SET_IP_ECN:
-             if (is_ip_any(flow)) {
-+                WC_MASK_FIELD(wc, nw_proto);
-                 wc->masks.nw_tos |= IP_ECN_MASK;
-                 flow->nw_tos &= ~IP_ECN_MASK;
-                 flow->nw_tos |= ofpact_get_SET_IP_ECN(a)->ecn;
-@@ -7123,6 +7128,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
- 
-         case OFPACT_SET_IP_TTL:
-             if (is_ip_any(flow)) {
-+                WC_MASK_FIELD(wc, nw_proto);
-                 wc->masks.nw_ttl = 0xff;
-                 flow->nw_ttl = ofpact_get_SET_IP_TTL(a)->ttl;
-             }
-@@ -7190,6 +7196,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
- 
-             /* Set the field only if the packet actually has it. */
-             if (mf_are_prereqs_ok(mf, flow, wc)) {
-+                mf_set_mask_l3_prereqs(mf, flow, wc);
-                 mf_mask_field_masked(mf, ofpact_set_field_mask(set_field), wc);
-                 mf_set_flow_value_masked(mf, set_field->value,
-                                          ofpact_set_field_mask(set_field),
-@@ -7246,6 +7253,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
- 
-         case OFPACT_DEC_TTL:
-             wc->masks.nw_ttl = 0xff;
-+            WC_MASK_FIELD(wc, nw_proto);
-             if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) {
-                 return;
-             }
-diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
-index bc981f8fc61..71c267b3adc 100644
---- a/tests/ofproto-dpif.at
-+++ b/tests/ofproto-dpif.at
-@@ -720,7 +720,7 @@ table=2 ip actions=set_field:192.168.3.91->ip_src,output(11)
- AT_CHECK([ovs-ofctl -O OpenFlow12 add-flows br0 flows.txt])
- AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=1,nw_tos=0,nw_ttl=128,nw_frag=no,icmp_type=8,icmp_code=0'], [0], [stdout])
- AT_CHECK([tail -2 stdout], [0],
--  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no
-+  [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no
- Datapath actions: 10,set(ipv4(src=192.168.3.91)),11,set(ipv4(src=192.168.3.90)),13
- ])
- OVS_VSWITCHD_STOP
-@@ -783,7 +783,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds
- # Must match on the source address to be able to restore it's value for
- # the second bucket
- AT_CHECK([tail -2 stdout], [0],
--  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no
-+  [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no
- Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11
- ])
- OVS_VSWITCHD_STOP
-@@ -815,7 +815,7 @@ done
- AT_CHECK([ovs-appctl dpctl/dump-flows | sed 's/dp_hash(.*\/0xf)/dp_hash(0xXXXX\/0xf)/' |  sed 's/packets.*actions:/actions:/' | strip_ufid | strip_used | sort], [0], [dnl
- flow-dump from the main thread:
- recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:hash(sym_l4(0)),recirc(0x1)
--recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10
-+recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,proto=1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10
- ])
- 
- OVS_VSWITCHD_STOP
-@@ -830,7 +830,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds
- # Must match on the source address to be able to restore it's value for
- # the third bucket
- AT_CHECK([tail -2 stdout], [0],
--  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no
-+  [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no
- Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11
- ])
- OVS_VSWITCHD_STOP
-@@ -1407,17 +1407,17 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=2,frag=no)' -generate], [0], [stdout])
- AT_CHECK([tail -4 stdout], [0], [
- Final flow: ip,in_port=1,vlan_tci=0x0000,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=111,nw_tos=0,nw_ecn=0,nw_ttl=1,nw_frag=no
--Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=2,nw_frag=no
-+Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=2,nw_frag=no
- Datapath actions: set(ipv4(ttl=1)),2,userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)),4
- ])
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=3,frag=no)'], [0], [stdout])
- AT_CHECK([tail -2 stdout], [0],
--  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=3,nw_frag=no
-+  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=3,nw_frag=no
- Datapath actions: set(ipv4(ttl=2)),2,set(ipv4(ttl=1)),3,4
- ])
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x86dd),ipv6(src=::1,dst=::2,label=0,proto=10,tclass=0x70,hlimit=128,frag=no)'], [0], [stdout])
- AT_CHECK([tail -2 stdout], [0],
--  [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_ttl=128,nw_frag=no
-+  [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_proto=10,nw_ttl=128,nw_frag=no
- Datapath actions: set(ipv6(hlimit=127)),2,set(ipv6(hlimit=126)),3,4
- ])
- 
-@@ -1527,7 +1527,7 @@ AT_CHECK([ovs-vsctl -- \
-         --id=@q2 create Queue dscp=2], [0], [ignore])
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(9),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=1.1.1.1,dst=2.2.2.2,proto=1,tos=0xff,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout])
- AT_CHECK([tail -2 stdout], [0],
--  [Megaflow: recirc_id=0,skb_priority=0,eth,ip,in_port=9,nw_tos=252,nw_frag=no
-+  [Megaflow: recirc_id=0,skb_priority=0,eth,icmp,in_port=9,nw_tos=252,nw_frag=no
- Datapath actions: dnl
- 100,dnl
- set(ipv4(tos=0x4/0xfc)),set(skb_priority(0x1)),1,dnl
-@@ -11703,7 +11703,7 @@ ovs-ofctl dump-flows br0
- 
- AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.10.10.2,dst=10.10.10.1,proto=1,tos=1,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout])
- AT_CHECK([tail -3 stdout], [0], [dnl
--Megaflow: recirc_id=0,eth,ip,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no
-+Megaflow: recirc_id=0,eth,icmp,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no
- Datapath actions: drop
- Translation failed (Recursion too deep), packet is dropped.
- ])
-diff --git a/tests/ofproto.at b/tests/ofproto.at
-index 39c3b047045..32bde5b5a28 100644
---- a/tests/ofproto.at
-+++ b/tests/ofproto.at
-@@ -6448,3 +6448,185 @@ verify_deleted
- 
- OVS_VSWITCHD_STOP(["/<invalid/d"])
- AT_CLEANUP
-+
-+AT_SETUP([ofproto - implicit mask of ipv4 proto with invalid proto field])
-+OVS_VSWITCHD_START
-+add_of_ports br0 1 2
-+
-+AT_DATA([flows.txt], [dnl
-+table=0 in_port=1 priority=90,ip,nw_dst=192.168.1.20,actions=mod_nw_dst:192.168.20.20,output=2
-+table=0 in_port=1 priority=89,ip,nw_dst=192.168.1.21,actions=mod_nw_src:192.168.20.21,output=2
-+table=0 in_port=1 priority=88,ip,nw_dst=192.168.1.10,actions=dec_ttl,output=2
-+table=0 in_port=1 priority=87,ip,nw_dst=192.168.1.19,actions=mod_nw_ttl:8,output=2
-+table=0 in_port=1 priority=86,ip,nw_dst=192.168.1.18,actions=mod_nw_ecn:2,output=2
-+table=0 in_port=1 priority=85,ip,nw_dst=192.168.1.17,actions=mod_nw_tos:0x40,output=2
-+table=0 in_port=1 priority=84,ip,nw_dst=192.168.1.16,actions=set_field:192.168.20.26->nw_dst,output=2
-+table=0 in_port=1 priority=83,ip,nw_dst=192.168.1.15,actions=set_field:192.168.21.26->nw_src,output=2
-+table=0 in_port=1 priority=82,ip,nw_dst=192.168.1.14,actions=set_field:0x40->nw_tos,output=2
-+table=0 in_port=1 priority=0,actions=drop
-+])
-+AT_CHECK([ovs-ofctl del-flows br0])
-+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
-+
-+dnl send a proto 0 packet to try and poison the DP flow path
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \
-+ '5054000000075054000000050800450000548de140004000289fc0a801c4c0a8011408003bf60002001bbf080a640000000032ad010000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2
-+])
-+
-+dnl Send ICMP for mod nw_src and mod nw_dst
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.20,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will dec TTL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.10,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will mod TTL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.19,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will mod ECN
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.18,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will mod TOS
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.17,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will set DST
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.16,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will set SRC
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+dnl send ICMP that will set TOS
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.14,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.10,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=63)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.14,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.16,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.26)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.17,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.18,proto=1,tos=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x2/0x3)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.19,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=8)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.20)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.21.26)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.20.21)),2
-+])
-+
-+OVS_VSWITCHD_STOP
-+AT_CLEANUP
-+
-+AT_SETUP([ofproto - implicit mask of ipv6 proto with HOPOPT field])
-+OVS_VSWITCHD_START
-+add_of_ports br0 1 2
-+
-+AT_DATA([flows.txt], [dnl
-+table=0 in_port=1 priority=77,ip6,ipv6_dst=111:db8::3,actions=dec_ttl,output=2
-+table=0 in_port=1 priority=76,ip6,ipv6_dst=111:db8::4,actions=mod_nw_ttl:8,output=2
-+table=0 in_port=1 priority=75,ip6,ipv6_dst=111:db8::5,actions=mod_nw_ecn:2,output=2
-+table=0 in_port=1 priority=74,ip6,ipv6_dst=111:db8::6,actions=mod_nw_tos:0x40,output=2
-+table=0 in_port=1 priority=73,ip6,ipv6_dst=111:db8::7,actions=set_field:2112:db8::2->ipv6_dst,output=2
-+table=0 in_port=1 priority=72,ip6,ipv6_dst=111:db8::8,actions=set_field:2112:db8::3->ipv6_src,output=2
-+table=0 in_port=1 priority=72,ip6,ipv6_dst=111:db8::9,actions=set_field:44->ipv6_label,output=2
-+table=0 in_port=1 priority=0,actions=drop
-+])
-+AT_CHECK([ovs-ofctl del-flows br0])
-+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
-+
-+dnl send a proto 0 packet to try and poison the DP flow path
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=0,tclass=0,hlimit=64,frag=no)'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535))
-+])
-+
-+dnl Send ICMP for mod nw_src and mod nw_dst
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::4,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will dec TTL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::5,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will mod TTL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::6,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will mod ECN
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::7,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will mod TOS
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+dnl send ICMP that will set LABEL
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::9,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=63)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::4,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=8)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::5,proto=1,tclass=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x2/0x3)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::6,proto=1,tclass=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x40/0xfc)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::7,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(dst=2112:db8::2)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::9,label=0,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(label=0x2c)),2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(src=2112:db8::3)),2
-+])
-+
-+OVS_VSWITCHD_STOP
-+AT_CLEANUP
-+
-+AT_SETUP([ofproto - implicit mask of ARP OPer field])
-+OVS_VSWITCHD_START
-+add_of_ports br0 1 2
-+
-+AT_DATA([flows.txt], [dnl
-+table=0 in_port=1 priority=77,arp,arp_sha=00:01:02:03:04:06,actions=set_field:0x1->arp_op,2
-+table=0 in_port=1 priority=76,arp,arp_sha=00:01:02:03:04:07,actions=set_field:00:02:03:04:05:06->arp_sha,2
-+table=0 in_port=1 priority=75,arp,arp_sha=00:01:02:03:04:08,actions=set_field:ff:00:00:00:00:ff->arp_tha,2
-+table=0 in_port=1 priority=74,arp,arp_sha=00:01:02:03:04:09,actions=set_field:172.31.110.26->arp_spa,2
-+table=0 in_port=1 priority=73,arp,arp_sha=00:01:02:03:04:0a,actions=set_field:172.31.110.10->arp_tpa,2
-+table=0 in_port=1 priority=1,actions=drop
-+])
-+
-+AT_CHECK([ovs-ofctl del-flows br0])
-+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
-+
-+dnl Send op == 0 packet
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \
-+ 'ffffffffffffaa55aa550000080600010800060400000001020304070c0a00010000000000000c0a0002'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2
-+])
-+
-+dnl Send op 2 -> set op
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=2,sha=00:01:02:03:04:06,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+dnl Send op 1 -> set SHA
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:07,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+dnl Send op 1 -> set THA
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+dnl Send op 1 -> set SIP
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:09,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+dnl Send op 1 -> set TIP
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a,tha=ff:ff:ff:ff:ff:ff)'])
-+
-+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl
-+flow-dump from the main thread:
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=2,sha=00:01:02:03:04:06), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(sip=172.31.110.1,op=1,sha=00:01:02:03:04:09), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
-+])
-+
-+OVS_VSWITCHD_STOP
-+AT_CLEANUP
-diff --git a/tests/packet-type-aware.at b/tests/packet-type-aware.at
-index 054dcc9ccf6..38d839e85ce 100644
---- a/tests/packet-type-aware.at
-+++ b/tests/packet-type-aware.at
-@@ -1021,7 +1021,7 @@ AT_CHECK([
- ], [0], [flow-dump from the main thread:
- recirc_id(0),in_port(p0),packet_type(ns=0,id=0),eth(src=aa:bb:cc:00:00:02,dst=aa:bb:cc:00:00:01),eth_type(0x0800),ipv4(dst=20.0.0.1,proto=47,frag=no), packets:3, bytes:378, used:0.0s, actions:tnl_pop(gre_sys)
- tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0),in_port(gre_sys),packet_type(ns=1,id=0x8847),eth_type(0x8847),mpls(label=999/0x0,tc=0/0,ttl=64/0x0,bos=1/1), packets:3, bytes:264, used:0.0s, actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),pop_mpls(eth_type=0x800),recirc(0x1)
--tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br
-+tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=1,ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br
- ])
- 
- ovs-appctl time/warp 1000

backport-CVE-2023-3966.patch

@@ -0,0 +1,144 @@
+From 2cfbcd5247ed0fd941c1ebb9f4adb952b67fe13a Mon Sep 17 00:00:00 2001
+From: Timothy Redaelli <tredaelli@redhat.com>
+Date: Thu, 23 Nov 2023 19:47:54 +0100
+Subject: [PATCH] netdev-offload-tc: Check geneve metadata length.
+
+Currently ovs-vswitchd crashes, with hw offloading enabled, if a geneve
+packet with corrupted metadata is received, because the metadata header
+is not verified correctly.
+
+This commit adds a check for geneve metadata length and, if the header
+is wrong, the packet is not sent to flower.
+
+It also includes a system-traffic test for geneve packets with corrupted
+metadata.
+
+Fixes: a468645c6d33 ("lib/tc: add geneve with option match offload")
+Reported-by: Haresh Khandelwal <hakhande@redhat.com>
+Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+---
+ lib/netdev-offload-tc.c | 25 ++++++++++++++++++++-----
+ tests/system-traffic.at | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+), 5 deletions(-)
+
+diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c
+index 164c7eef63e..921d5231777 100644
+--- a/lib/netdev-offload-tc.c
++++ b/lib/netdev-offload-tc.c
+@@ -1785,12 +1785,12 @@ test_key_and_mask(struct match *match)
+     return 0;
+ }
+ 
+-static void
++static int
+ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+                         struct flow_tnl *tnl_mask)
+ {
+     struct geneve_opt *opt, *opt_mask;
+-    int len, cnt = 0;
++    int tot_opt_len, len, cnt = 0;
+ 
+     /* 'flower' always has an exact match on tunnel metadata length, so having
+      * it in a wrong format is not acceptable unless it is empty. */
+@@ -1806,7 +1806,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+             memset(&tnl_mask->metadata.present.map, 0,
+                    sizeof tnl_mask->metadata.present.map);
+         }
+-        return;
++        return 0;
+     }
+ 
+     tnl_mask->flags &= ~FLOW_TNL_F_UDPIF;
+@@ -1820,7 +1820,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+            sizeof tnl_mask->metadata.present.len);
+ 
+     if (!tnl->metadata.present.len) {
+-        return;
++        return 0;
+     }
+ 
+     memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv,
+@@ -1834,7 +1834,16 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+      * also not masks, but actual lengths in the 'flower' structure. */
+     len = flower->key.tunnel.metadata.present.len;
+     while (len) {
++        if (len < sizeof *opt) {
++            return EOPNOTSUPP;
++        }
++
+         opt = &flower->key.tunnel.metadata.opts.gnv[cnt];
++        tot_opt_len = sizeof *opt + opt->length * 4;
++        if (len < tot_opt_len) {
++            return EOPNOTSUPP;
++        }
++
+         opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt];
+ 
+         opt_mask->length = opt->length;
+@@ -1842,6 +1851,8 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl,
+         cnt += sizeof(struct geneve_opt) / 4 + opt->length;
+         len -= sizeof(struct geneve_opt) + opt->length * 4;
+     }
++
++    return 0;
+ }
+ 
+ static void
+@@ -2287,7 +2298,11 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match,
+         tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM);
+ 
+         if (!strcmp(netdev_get_type(netdev), "geneve")) {
+-            flower_match_to_tun_opt(&flower, tnl, tnl_mask);
++            err = flower_match_to_tun_opt(&flower, tnl, tnl_mask);
++            if (err) {
++                VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options");
++                return err;
++            }
+         }
+         flower.tunnel = true;
+     } else {
+diff --git a/tests/system-traffic.at b/tests/system-traffic.at
+index 418cd32..4c40580 100644
+--- a/tests/system-traffic.at
++++ b/tests/system-traffic.at
+@@ -903,6 +903,39 @@ ovs-pcap p0.pcap
+ AT_CHECK([ovs-pcap p0.pcap | grep -Eq "^[[[:xdigit:]]]{24}86dd60000000003a1140fc000000000000000000000000000100fc000000000000000000000000000001[[[:xdigit:]]]{4}17c1003a[[[:xdigit:]]]{4}0000655800000000fffffffffffffa163e949d8008060001080006040001[[[:xdigit:]]]{12}0a0000f40000000000000a0000fe$"])
+ AT_CLEANUP
+ 
++AT_SETUP([datapath - handling of geneve corrupted metadata])
++OVS_CHECK_TUNNEL_TSO()
++OVS_CHECK_GENEVE()
++
++OVS_TRAFFIC_VSWITCHD_START(
++    [_ADD_BR([br-underlay]) -- \
++     set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \
++     set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02])
++
++AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
++AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
++
++ADD_NAMESPACES(at_ns0)
++
++dnl Set up underlay link from host into the namespace using veth pair.
++ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
++AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
++AT_CHECK([ip link set dev br-underlay up])
++
++dnl Set up tunnel endpoints on OVS outside the namespace and with a native
++dnl linux device inside the namespace.
++ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
++ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
++                  [vni 0], [address f2:ff:00:00:00:04])
++
++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00  > /dev/null])
++
++OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log])
++
++OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d
++/Unable to parse geneve options/d"])
++AT_CLEANUP
++
+ AT_SETUP([datapath - ping over gre tunnel by simulated packets])
+ OVS_CHECK_TUNNEL_TSO()
+ OVS_CHECK_MIN_KERNEL(3, 10)

backport-docs-5-Run_tbl_preprocessor_in_manpage-check_rule.patch

@@ -1,125 +0,0 @@
-Description: [PATCH v2 5/5] docs: Run tbl preprocessor in manpage-check rule
-Date: Fri, 4 Aug 2023 18:25:33 +0100
- If we omit this, groff 1.23.0 warns:
- .
-  tbl preprocessor failed, or it or soelim was not run; table(s) likely
-  not rendered (TE macro called with TW register undefined)
- .
-Author: Colin Watson <cjwatson@ubuntu.com>
-Bug-Debian: https://bugs.debian.org/1042358
-Last-Update: 2023-08-07
-
----
- Makefile.am                  |  2 +-
- build-aux/extract-ofp-fields | 15 +++++++++------
- lib/meta-flow.xml            | 25 +++++++++++++------------
- 3 files changed, 23 insertions(+), 19 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 9807d63..c29725d 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -368,7 +368,7 @@ ALL_LOCAL += manpage-check
- manpage-check: $(man_MANS) $(dist_man_MANS) $(noinst_man_MANS)
- 	@error=false; \
- 	for manpage in $?; do \
--	  LANG=en_US.UTF-8 groff -w mac -w delim -w escape -w input -w missing -w tab -T utf8 -man -p -z $$manpage >$@.tmp 2>&1; \
-+	  LANG=en_US.UTF-8 groff -t -w mac -w delim -w escape -w input -w missing -w tab -T utf8 -man -p -z $$manpage >$@.tmp 2>&1; \
- 	  if grep warning: $@.tmp; then error=:; fi; \
- 	  rm -f $@.tmp; \
- 	done; \
-diff --git a/build-aux/extract-ofp-fields b/build-aux/extract-ofp-fields
-index 8766995..5fbdc34 100755
---- a/build-aux/extract-ofp-fields
-+++ b/build-aux/extract-ofp-fields
-@@ -552,12 +552,14 @@ def field_to_xml(field_node, f, body, summary):
-         ovs_version = [int(x) for x in ovs_version_s.split('.')]
-         if min_ovs_version is None or ovs_version < min_ovs_version:
-             min_ovs_version = ovs_version
--    summary += ["\\fB%s\\fR" % f["name"]]
-+    summary += ["T{\n\\fB%s\\fR" % f["name"]]
-     if f["extra_name"]:
-         summary += [" aka \\fB%s\\fR" % f["extra_name"]]
--    summary += [";%d" % f["n_bytes"]]
-+    summary += ["\nT}"]
-+    summary += [";T{\n%d" % f["n_bytes"]]
-     if f["n_bits"] != 8 * f["n_bytes"]:
-         summary += [" (low %d bits)" % f["n_bits"]]
-+    summary += ["\nT}"]
-     summary += [";%s;" % {"MFM_NONE": "no", "MFM_FULLY": "yes"}[f["mask"]]]
-     summary += ["%s;" % {True: "yes", False: "no"}[f["writable"]]]
-     summary += ["%s;" % f["prereqs"]]
-@@ -566,7 +568,7 @@ def field_to_xml(field_node, f, body, summary):
-         support += ["OF %s+" % VERSION_REVERSE[min_of_version]]
-     if min_ovs_version is not None:
-         support += ["OVS %s+" % '.'.join([str(x) for x in min_ovs_version])]
--    summary += ' and '.join(support)
-+    summary += ["T{\n", " and ".join(support), "\nT}"]
-     summary += ["\n"]
- 
-     # Full description.
-@@ -589,8 +591,9 @@ l lx.
- 
-     body += ["Width:;"]
-     if f["n_bits"] != 8 * f["n_bytes"]:
--        body += ["%d bits (only the least-significant %d bits "
--                 "may be nonzero)" % (f["n_bytes"] * 8, f["n_bits"])]
-+        body += ["T{\n", "%d bits (only the least-significant %d bits "
-+                 "may be nonzero)" % (f["n_bytes"] * 8, f["n_bits"]),
-+                 "\nT}",]
-     elif f["n_bits"] <= 128:
-         body += ["%d bits" % f["n_bits"]]
-     else:
-@@ -657,7 +660,7 @@ def group_xml_to_nroff(group_node, fields):
-         '.TS\n',
-         'tab(;);\n',
-         'l l l l l l l.\n',
--        'Name;Bytes;Mask;RW?;Prereqs;NXM/OXM Support\n',
-+        "Name;Bytes;Mask;RW?;Prereqs;T{\nNXM/OXM Support\nT}\n",
-         '\_;\_;\_;\_;\_;\_\n']
-     content += summary
-     content += ['.TE\n']
-diff --git a/lib/meta-flow.xml b/lib/meta-flow.xml
-index 28865f8..cb612d7 100644
---- a/lib/meta-flow.xml
-+++ b/lib/meta-flow.xml
-@@ -3517,23 +3517,24 @@ actions=clone(load:0->NXM_OF_IN_PORT[],output:123)
-     </p>
- 
-     <tbl>
-+tab(;);
- r r r r r.
--Criteria        OpenFlow 1.0    OpenFlow 1.1    OpenFlow 1.2+   NXM
--\_      \_      \_      \_      \_
--[1]     \fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR     \fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR     \fL0000\fR/\fL0000\fR,\fL--\fR  \fL0000\fR/\fL0000\fR
--[2]     \fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR     \fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR     \fL0000\fR/\fLffff\fR,\fL--\fR  \fL0000\fR/\fLffff\fR
--[3]     \fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR     \fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR     \fL1xxx\fR/\fLffff\fR,\fL--\fR  \fL1xxx\fR/\fL1fff\fR
--[4]     \fL????\fR/\fL1\fR,\fL0y\fR/\fL0\fR     \fLfffe\fR/\fL0\fR,\fL0y\fR/\fL0\fR     \fL1000\fR/\fL1000\fR,\fL0y\fR  \fLz000\fR/\fLf000\fR
--[5]     \fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR     \fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR     \fL1xxx\fR/\fLffff\fR,\fL0y\fR  \fLzxxx\fR/\fLffff\fR
-+Criteria;OpenFlow 1.0;OpenFlow 1.1;OpenFlow 1.2+;NXM
-+\_;\_;\_;\_;\_
-+[1];\fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR;\fL????\fR/\fL1\fR,\fL??\fR/\fL?\fR;\fL0000\fR/\fL0000\fR,\fL--\fR;\fL0000\fR/\fL0000\fR
-+[2];\fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR;\fLffff\fR/\fL0\fR,\fL??\fR/\fL?\fR;\fL0000\fR/\fLffff\fR,\fL--\fR;\fL0000\fR/\fLffff\fR
-+[3];\fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR;\fL0xxx\fR/\fL0\fR,\fL??\fR/\fL1\fR;\fL1xxx\fR/\fLffff\fR,\fL--\fR;\fL1xxx\fR/\fL1fff\fR
-+[4];\fL????\fR/\fL1\fR,\fL0y\fR/\fL0\fR;\fLfffe\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL1000\fR/\fL1000\fR,\fL0y\fR;\fLz000\fR/\fLf000\fR
-+[5];\fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL0xxx\fR/\fL0\fR,\fL0y\fR/\fL0\fR;\fL1xxx\fR/\fLffff\fR,\fL0y\fR;\fLzxxx\fR/\fLffff\fR
- .T&amp;
- r r c c r.
--[6]     (none)  (none)  \fL1001\fR/\fL1001\fR,\fL--\fR  \fL1001\fR/\fL1001\fR
-+[6];(none);(none);\fL1001\fR/\fL1001\fR,\fL--\fR;\fL1001\fR/\fL1001\fR
- .T&amp;
- r r c c c.
--[7]     (none)  (none)  (none)  \fL3000\fR/\fL3000\fR
--[8]     (none)  (none)  (none)  \fL0000\fR/\fL0fff\fR
--[9]     (none)  (none)  (none)  \fL0000\fR/\fLf000\fR
--[10]    (none)  (none)  (none)  \fL0000\fR/\fLefff\fR
-+[7];(none);(none);(none);\fL3000\fR/\fL3000\fR
-+[8];(none);(none);(none);\fL0000\fR/\fL0fff\fR
-+[9];(none);(none);(none);\fL0000\fR/\fLf000\fR
-+[10];(none);(none);(none);\fL0000\fR/\fLefff\fR
-     </tbl>
- 
-     <p>
--- 
-2.27.0
-

fix-selinux-err.patch

@@ -1,16 +1,97 @@
+From 5ab25718492e83565e4376577510a151541714ee Mon Sep 17 00:00:00 2001
+From: zhangpan <zhangpan103@h-partners.com>
+Date: Fri, 29 Mar 2024 15:26:06 +0800
+Subject: [PATCH] fix selinux err
+
+add openvswitch-ipsec.service policy
+
+---
+ selinux/openvswitch-custom.te.in | 42 ++++++++++++++++++++++++++++----
+ 1 file changed, 37 insertions(+), 5 deletions(-)
+
 diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
-index 9f51f604e..77b0bd98f 100644
+index 9f51f60..1b34147 100644
 --- a/selinux/openvswitch-custom.te.in
 +++ b/selinux/openvswitch-custom.te.in
-@@ -15,6 +15,7 @@ require {
+@@ -12,11 +12,22 @@ require {
+         type openvswitch_var_run_t;
+ 
+         type bin_t;
++        type etc_t;
          type ifconfig_exec_t;
++        type ipsec_t;
++        type ipsec_conf_file_t;
++        type ipsec_exec_t;
++        type ipsec_key_file_t;
++        type ipsec_mgmt_exec_t;
++        type ipsec_mgmt_unit_file_t;
++        type ipsec_var_run_t;
          type init_t;
          type init_var_run_t;
-+	type initrc_t;
++        type initrc_t;
          type insmod_exec_t;
          type kernel_t;
++        type ldconfig_exec_t;
++        type systemd_systemctl_exec_t;
          type hostname_exec_t;
-@@ -118,6 +119,7 @@ allow openvswitch_t openvswitch_load_module_t:process transition;
+         type modules_conf_t;
+         type modules_dep_t;
+@@ -45,7 +56,7 @@ require {
+         class chr_file { write getattr read open ioctl map };
+         class dir { write remove_name add_name lock read getattr search open };
+         class fd { use };
+-        class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
++        class file { setattr map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
+         class fifo_file { getattr read write append ioctl lock open };
+         class filesystem getattr;
+         class lnk_file { read open };
+@@ -55,11 +66,12 @@ require {
+         class netlink_rdma_socket { setopt bind create };
+ @end_dpdk@
+         class netlink_socket { setopt getopt create connect getattr write read };
+-        class sock_file { write };
++        class sock_file { read write };
+         class system { module_load module_request };
+         class process { sigchld signull transition noatsecure siginh rlimitinh };
+         class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
+ 
++        class service { start status };
+ @begin_dpdk@
+         class sock_file { read append getattr open };
+         class tun_socket { relabelfrom relabelto create };
+@@ -78,9 +90,28 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
+ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
+ 
+ #============= openvswitch_t ==============
+-allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
+-allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
+-allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
++allow openvswitch_t etc_t:dir { write };
++allow openvswitch_t ifconfig_exec_t:file map;
++allow openvswitch_t init_t:file { getattr open read };
++allow openvswitch_t init_t:lnk_file read;
++allow openvswitch_t init_t:unix_stream_socket connectto;
++allow openvswitch_t ipsec_t:unix_stream_socket connectto;
++allow openvswitch_t ipsec_conf_file_t:file { getattr ioctl open read write };
++allow openvswitch_t ipsec_exec_t:file { execute execute_no_trans map open read };
++allow openvswitch_t ipsec_key_file_t:dir { search add_name remove_name write };
++allow openvswitch_t ipsec_key_file_t:file { create getattr setattr ioctl lock open read write unlink };
++allow openvswitch_t ipsec_mgmt_exec_t:file { execute execute_no_trans getattr ioctl open read };
++allow openvswitch_t ipsec_mgmt_unit_file_t:service { start status };
++allow openvswitch_t ipsec_var_run_t:sock_file { read write };
++allow openvswitch_t ldconfig_exec_t:file execute;
++allow openvswitch_t ldconfig_exec_t:file map;
++allow openvswitch_t ldconfig_exec_t:file { execute execute_no_trans open read };
++allow openvswitch_t systemd_systemctl_exec_t:file map;
++allow openvswitch_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read };
++
++allow openvswitch_t self:capability { dac_override net_broadcast net_raw };
++allow openvswitch_t self:netlink_audit_socket { create read write };
++allow openvswitch_t self:netlink_netfilter_socket { create read write };
+ @begin_dpdk@
+ allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
+ @end_dpdk@
+@@ -118,6 +149,7 @@ allow openvswitch_t openvswitch_load_module_t:process transition;
  allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
  allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
  allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
@@ -18,3 +99,6 @@ index 9f51f604e..77b0bd98f 100644
  allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
  allow openvswitch_load_module_t kernel_t:system module_request;
  allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
+-- 
+2.27.0
+

fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch

@@ -0,0 +1,24 @@
+From 5e2e60e2f05195f506ea68fe17e72a2a6fe4bdbe Mon Sep 17 00:00:00 2001
+From: zhangpan <zhangpan103@h-partners.com>
+Date: Fri, 29 Mar 2024 15:26:47 +0800
+Subject: [PATCH] Fix the problem that openvswitch-ipsec.service causes ipsec.service to fail to start
+
+---
+ ipsec/ovs-monitor-ipsec.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
+index 7945162..c4f48e9 100755
+--- a/ipsec/ovs-monitor-ipsec.in
++++ b/ipsec/ovs-monitor-ipsec.in
+@@ -389,6 +389,7 @@ class LibreSwanHelper(object):
+     """This class does LibreSwan specific configurations."""
+     CONF_HEADER = """%s
+ config setup
++    nssdir=/etc/ipsec.d
+     uniqueids=yes
+ 
+ conn %%default
+-- 
+2.27.0
+

openvswitch.spec

@@ -12,8 +12,8 @@
 Name: openvswitch
 Summary: Open vSwitch daemon/database/utilities
 URL: https://www.openvswitch.org/
-Version: 2.17.5
-Release: 6
+Version: 3.2.1
+Release: 4
 License: ASL 2.0 and LGPLv2+ and SISSL
 
 Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz
@@ -21,8 +21,9 @@ Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz
 Patch0000:      0000-openvswitch-add-stack-protector-strong.patch
 Patch0002:      0002-Remove-unsupported-permission-names.patch
 Patch0003:      fix-selinux-err.patch
-Patch6000:      backport-CVE-2023-1668.patch
-Patch6001:      backport-docs-5-Run_tbl_preprocessor_in_manpage-check_rule.patch
+Patch0004:      fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch
+
+Patch6000:      backport-CVE-2023-3966.patch
 
 BuildRequires: gcc gcc-c++ make
 BuildRequires: autoconf automake libtool
@@ -34,6 +35,8 @@ BuildRequires: groff-base graphviz
 BuildRequires: unbound-devel groff
 # make check dependencies
 BuildRequires: procps-ng
+BuildRequires: checkpolicy selinux-policy-devel
+BuildRequires: chrpath
 
 %if %{with check_datapath_kernel}
 BuildRequires: nmap-ncat
@@ -48,6 +51,7 @@ BuildRequires: dpdk-devel libpcap-devel numactl-devel
 %endif
 
 Requires: openssl iproute module-init-tools
+Requires: selinux-policy-targeted
 
 Requires(post): /bin/sed
 Requires(post): %{_sbindir}/update-alternatives
@@ -145,6 +149,9 @@ ln -s ../configure
         --enable-ssl \
         --with-pkidir=%{_sharedstatedir}/openvswitch/pki
 make %{?_smp_mflags}
+sed -i "s#selinux/openvswitch-custom.te selinux/openvswitch-custom.fc#../selinux/openvswitch-custom.te ../selinux/openvswitch-custom.fc#g" Makefile
+sed -i "s#-C selinux/ -f#-C ../selinux/ -f#g" Makefile
+make selinux-policy
 popd
 %if %{with dpdk}
 pushd build-dpdk
@@ -187,6 +194,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/run/openvswitch
 install -d -m 0750 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch
 install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch
 
+install -p -m 644 -D selinux/openvswitch-custom.pp \
+    $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
+
 install -p -D -m 0644 rhel/usr_lib_udev_rules.d_91-vfio.rules \
         $RPM_BUILD_ROOT%{_udevrulesdir}/91-vfio.rules
 
@@ -244,6 +254,9 @@ install -p -D -m 0755 \
         rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \
         $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload
 
+chrpath -d $RPM_BUILD_ROOT%{_sbindir}/ovs-vswitchd.dpdk
+chrpath -d $RPM_BUILD_ROOT%{_libdir}/openvswitch-dpdk/libofproto*.so.*
+
 touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db
 touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf
 
@@ -290,6 +303,9 @@ pushd $dir
 %endif
 popd
 done
+
+%pre
+%selinux_relabel_pre -s targeted
  
 %preun
 %if 0%{?systemd_preun:1}
@@ -311,6 +327,7 @@ done
         /bin/systemctl daemon-reload >dev/null || :
     fi
 %endif
+%selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp
 
 %postun
 %if 0%{?systemd_postun:1}
@@ -319,6 +336,13 @@ done
     /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 %endif
 
+if [ $1 -eq 0 ] ; then
+  %selinux_modules_uninstall -s targeted openvswitch-custom
+fi
+
+%posttrans
+%selinux_relabel_post -s targeted
+
 %if %{with dpdk}
 %post dpdk
 if grep -Fqw sse4_1 /proc/cpuinfo; then
@@ -354,6 +378,7 @@ fi
 %{_bindir}/ovs-test
 %{_bindir}/ovs-vlan-test
 %{_bindir}/ovs-l3ping
+%{_datadir}/openvswitch/scripts/usdt/*
 %{python3_sitelib}/ovstest
 
 %files testcontroller
@@ -421,11 +446,28 @@ fi
 %doc LICENSE NOTICE README.rst NEWS rhel/README.RHEL.rst
 /var/lib/openvswitch
 /var/log/openvswitch
+%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 %ghost %attr(755,root,root) %verify(not owner group) /run/openvswitch
 %{_sysconfdir}/sysconfig/network-scripts/ifup-ovs
 %{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs
 
 %changelog
+* Mon Apr 08 2024 zhangxianting <zhangxianting@uniontech.com> - 3.2.1-4
+- remove rpath
+
+* Fri Mar 29 2024 zhangpan <zhangpan103@h-partners.com> - 3.2.1-3
+- fix openvswitch-ipsec servive failure when selinux is on
+- fix the problem that openvswitch-ipsec.service causes ipsec.service to fail when starting
+
+* Sun Feb 18 2024 zhangpan <zhangpan103@h-partners.com> - 3.2.1-2
+- fix CVE-2023-3966
+
+* Fri Jan 26 2024 zhangpan <zhangpan103@h-partners.com> - 3.2.1-1
+- update to 3.2.1
+
+* Sat Oct 07 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.17.5-7
+- fix CVE-2023-5366
+
 * Tue Aug 29 2023 zhangpan <zhangpan103@h-partners.com> - 2.17.5-6
 - replace fgrep witch grep -F