mirror of https://github.com/openvswitch/ovs synced 2025-08-31 06:15:47 +00:00

ofproto-dpif-xlate: Make flows that match ICMP fields revalidate correctly.

ICMPv4 and ICMPv6 have 8-bit "type" and "code" fields.  struct flow
uses the low 8 bits of the 16-bit tp_src and tp_dst members to
represent these fields.  The datapath interface, on the other hand,
represents them with just 8 bits each.  This means that if the high 8
bits of the masks for these fields somehow become set (meaning to
match on the nonexistent "high bits" of these fields) during
translation, then they will get chopped off by a round trip through
the datapath, and revalidation will spot that as an inconsistency and
delete the flow.  This commit avoids the problem by making sure that
only the low 8 bits of either field can be unwildcarded for ICMP.

This seems like the minimal fix for this problem, appropriate for
backporting to earlier branches.  The root of the issue is that these high
bits can get set in the match at all.  I have some leads on that, but they
require more invasive changes elsewhere.

Bug #23320.
Reported-by: Krishna Miriyala <miriyalak@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>
Ben Pfaff
2014-02-11 08:24:16 -08:00
parent 276e2864c5
commit c56fac1b67
3 changed files with 30 additions and 15 deletions
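
The mask round trip described in the commit message, as an added example that is not code from this commit or from Open vSwitch. The struct and function names are hypothetical, and values are kept in host byte order for brevity.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins; host byte order for brevity. */
struct uflow_mask {            /* userspace view: 16-bit members */
    uint16_t tp_src;           /* ICMP type lives in the low 8 bits */
    uint16_t tp_dst;           /* ICMP code lives in the low 8 bits */
};

struct dp_icmp_mask {          /* datapath view: 8 bits per field */
    uint8_t icmp_type;
    uint8_t icmp_code;
};

/* Installing the flow narrows each mask to 8 bits. */
static struct dp_icmp_mask to_datapath(struct uflow_mask m)
{
    return (struct dp_icmp_mask) { (uint8_t) m.tp_src, (uint8_t) m.tp_dst };
}

/* Reading the flow back widens the masks again; high bits are gone. */
static struct uflow_mask from_datapath(struct dp_icmp_mask d)
{
    return (struct uflow_mask) { d.icmp_type, d.icmp_code };
}

/* Revalidation-style check: does the mask read back unchanged? */
static bool survives_round_trip(struct uflow_mask m)
{
    struct uflow_mask back = from_datapath(to_datapath(m));
    return back.tp_src == m.tp_src && back.tp_dst == m.tp_dst;
}

/* The approach the commit describes: only the low 8 bits may be set. */
static struct uflow_mask clamp_icmp_mask(struct uflow_mask m)
{
    m.tp_src &= UINT8_MAX;
    m.tp_dst &= UINT8_MAX;
    return m;
}

int main(void)
{
    struct uflow_mask wide = { 0xffff, 0xffff };   /* constructed input */
    printf("unclamped ok=%d clamped ok=%d\n", survives_round_trip(wide),
           survives_round_trip(clamp_icmp_mask(wide)));
    return 0;
}
```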

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
* Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -627,6 +627,18 @@ static inline bool is_ip_any(const struct flow *flow)
return dl_type_is_ip_any(flow->dl_type);
}
static inline bool is_icmpv4(const struct flow *flow)
{
return (flow->dl_type == htons(ETH_TYPE_IP)
&& flow->nw_proto == IPPROTO_ICMP);
}
static inline bool is_icmpv6(const struct flow *flow)
{
return (flow->dl_type == htons(ETH_TYPE_IPV6)
&& flow->nw_proto == IPPROTO_ICMPV6);
}
void format_ipv6_addr(char *addr_str, const struct in6_addr *addr);
void print_ipv6_addr(struct ds *string, const struct in6_addr *addr);
void print_ipv6_masked(struct ds *string, const struct in6_addr *addr,
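
Review bot: is_icmpv4() and is_icmpv6() are added without any comment, so a reader of this header cannot tell why these two predicates matter to callers. A one-line comment above each, saying that for such flows tp_src and tp_dst carry the 8-bit ICMP type and code in their low 8 bits, would tie the helpers to the invariant the commit message describes and make it harder for a later caller to unwildcard the high bits by mistake.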