Hi,

I would very much prefer to upload the latest point release from upstream; however, if the release team prefers, here's a debdiff, attached to this message, containing a more targeted fix.

Note that the debdiff contains a "quilt refresh" of the ovs-ctl-ipsec.patch already present in Bookworm, as I saw offsets when running "quilt push" (which may be annoying depending on your build environment). I'm not sure how the offsets got in, since that upload was done by Luca.

Please let me know your decision (i.e. the latest point release from upstream, or this patch).

Cheers,

Thomas Goirand (zigo)
diff -Nru openvswitch-3.1.0/debian/changelog openvswitch-3.1.0/debian/changelog
--- openvswitch-3.1.0/debian/changelog  2023-02-21 23:02:16.000000000 +0100
+++ openvswitch-3.1.0/debian/changelog  2023-04-11 11:54:40.000000000 +0200
@@ -1,3 +1,11 @@
+openvswitch (3.1.0-2) unstable; urgency=high
+
+  * CVE-2023-1668: Remote traffic denial of service via crafted packets with IP
+    proto 0. Applied upstream patch: ofproto-dpif-xlate: Always mask ip proto
+    field (Closes: #1034042).
+
+ -- Thomas Goirand <z...@debian.org>  Tue, 11 Apr 2023 11:54:40 +0200
+
 openvswitch (3.1.0-1) unstable; urgency=medium
 
   [ Luca Boccassi ]
diff -Nru 
openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
 
openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
--- 
openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
  2023-04-11 11:54:40.000000000 +0200
@@ -0,0 +1,425 @@
+Subject: CVE-2023-1668: ofproto-dpif-xlate: Always mask ip proto field.
+ The ofproto layer currently treats nw_proto field as overloaded to mean
+ both that a proper nw layer exists, as well as the value contained in
+ the header for the nw proto.  However, this is incorrect behavior as
+ relevant standards permit that any value, including '0' should be treated
+ as a valid value.
+ .
+ Because of this overload, when the ofproto layer builds action list for
+ a packet with nw_proto of 0, it won't build the complete action list that
+ we expect to be built for the packet.  That will cause a bad behavior
+ where all packets passing the datapath will fall into an incomplete
+ action set.
+ .
+ The fix here is to unwildcard nw_proto, allowing us to preserve setting
+ actions for protocols which we know have support for the actions we
+ program.  This means that a traffic which contains nw_proto == 0 cannot
+ cause connectivity breakage with other traffic on the link.
+Author: Aaron Conole <acon...@redhat.com>
+Date: Fri, 31 Mar 2023 17:17:27 -0400
+Reported-by: David Marchand <dmarch...@redhat.com>
+Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873
+Acked-by: Ilya Maximets <i.maxim...@ovn.org>
+Signed-off-by: Aaron Conole <acon...@redhat.com>
+Signed-off-by: Ilya Maximets <i.maxim...@ovn.org>
+Origin: upstream, 
https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9.patch
+Bug-Debian: https://bugs.debian.org/1034042
+Last-Update: 2023-04-11
+
+diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h
+index 045dce8f5fa..3b0220aaa25 100644
+--- a/include/openvswitch/meta-flow.h
++++ b/include/openvswitch/meta-flow.h
+@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue 
*subvalue, struct ds *s);
+ void field_array_set(enum mf_field_id id, const union mf_value *,
+                      struct field_array *);
+ 
++/* Mask the required l3 prerequisites if a 'set' action occurs. */
++void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *,
++                            struct flow_wildcards *);
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/lib/meta-flow.c b/lib/meta-flow.c
+index c576ae6202a..474344194fa 100644
+--- a/lib/meta-flow.c
++++ b/lib/meta-flow.c
+@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x)
+     bitmap_not(x.bm, MFF_N_IDS);
+     return x;
+ }
++
++void
++mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl,
++                       struct flow_wildcards *wc)
++{
++    if (is_ip_any(fl) &&
++        ((mf->id == MFF_IPV4_SRC) ||
++         (mf->id == MFF_IPV4_DST) ||
++         (mf->id == MFF_IPV6_SRC) ||
++         (mf->id == MFF_IPV6_DST) ||
++         (mf->id == MFF_IPV6_LABEL) ||
++         (mf->id == MFF_IP_DSCP) ||
++         (mf->id == MFF_IP_ECN) ||
++         (mf->id == MFF_IP_TTL))) {
++        WC_MASK_FIELD(wc, nw_proto);
++    } else if ((fl->dl_type == htons(ETH_TYPE_ARP)) &&
++               ((mf->id == MFF_ARP_OP) ||
++                (mf->id == MFF_ARP_SHA) ||
++                (mf->id == MFF_ARP_THA) ||
++                (mf->id == MFF_ARP_SPA) ||
++                (mf->id == MFF_ARP_TPA))) {
++        /* mask only the lower 8 bits. */
++        wc->masks.nw_proto = 0xff;
++    }
++}
+diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
+index a9cf3cbee0b..cffd733c5eb 100644
+--- a/ofproto/ofproto-dpif-xlate.c
++++ b/ofproto/ofproto-dpif-xlate.c
+@@ -5211,6 +5211,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct 
ofpact_cnt_ids *ids)
+     }
+ 
+     ctx->wc->masks.nw_ttl = 0xff;
++    WC_MASK_FIELD(ctx->wc, nw_proto);
+     if (flow->nw_ttl > 1) {
+         flow->nw_ttl--;
+         return false;
+@@ -7128,6 +7129,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t 
ofpacts_len,
+         case OFPACT_SET_IPV4_SRC:
+             if (flow->dl_type == htons(ETH_TYPE_IP)) {
+                 memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src);
++                WC_MASK_FIELD(wc, nw_proto);
+                 flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4;
+             }
+             break;
+@@ -7135,12 +7137,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t 
ofpacts_len,
+         case OFPACT_SET_IPV4_DST:
+             if (flow->dl_type == htons(ETH_TYPE_IP)) {
+                 memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst);
++                WC_MASK_FIELD(wc, nw_proto);
+                 flow->nw_dst = ofpact_get_SET_IPV4_DST(a)->ipv4;
+             }
+             break;
+ 
+         case OFPACT_SET_IP_DSCP:
+             if (is_ip_any(flow)) {
++                WC_MASK_FIELD(wc, nw_proto);
+                 wc->masks.nw_tos |= IP_DSCP_MASK;
+                 flow->nw_tos &= ~IP_DSCP_MASK;
+                 flow->nw_tos |= ofpact_get_SET_IP_DSCP(a)->dscp;
+@@ -7149,6 +7153,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t 
ofpacts_len,
+ 
+         case OFPACT_SET_IP_ECN:
+             if (is_ip_any(flow)) {
++                WC_MASK_FIELD(wc, nw_proto);
+                 wc->masks.nw_tos |= IP_ECN_MASK;
+                 flow->nw_tos &= ~IP_ECN_MASK;
+                 flow->nw_tos |= ofpact_get_SET_IP_ECN(a)->ecn;
+@@ -7157,6 +7162,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t 
ofpacts_len,
+ 
+         case OFPACT_SET_IP_TTL:
+             if (is_ip_any(flow)) {
++                WC_MASK_FIELD(wc, nw_proto);
+                 wc->masks.nw_ttl = 0xff;
+                 flow->nw_ttl = ofpact_get_SET_IP_TTL(a)->ttl;
+             }
+@@ -7224,6 +7230,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t 
ofpacts_len,
+ 
+             /* Set the field only if the packet actually has it. */
+             if (mf_are_prereqs_ok(mf, flow, wc)) {
++                mf_set_mask_l3_prereqs(mf, flow, wc);
+                 mf_mask_field_masked(mf, ofpact_set_field_mask(set_field), 
wc);
+                 mf_set_flow_value_masked(mf, set_field->value,
+                                          ofpact_set_field_mask(set_field),
+@@ -7280,6 +7287,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t 
ofpacts_len,
+ 
+         case OFPACT_DEC_TTL:
+             wc->masks.nw_ttl = 0xff;
++            WC_MASK_FIELD(wc, nw_proto);
+             if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) {
+                 return;
+             }
+diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
+index fa6111c1ed2..6b58cabec91 100644
+--- a/tests/ofproto-dpif.at
++++ b/tests/ofproto-dpif.at
+@@ -849,7 +849,7 @@ table=2 ip 
actions=set_field:192.168.3.91->ip_src,output(11)
+ AT_CHECK([ovs-ofctl -O OpenFlow12 add-flows br0 flows.txt])
+ AT_CHECK([ovs-appctl ofproto/trace br0 
'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=1,nw_tos=0,nw_ttl=128,nw_frag=no,icmp_type=8,icmp_code=0'],
 [0], [stdout])
+ AT_CHECK([tail -2 stdout], [0],
+-  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no
++  [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no
+ Datapath actions: 
10,set(ipv4(src=192.168.3.91)),11,set(ipv4(src=192.168.3.90)),13
+ ])
+ OVS_VSWITCHD_STOP
+@@ -912,7 +912,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 
'in_port=1,dl_src=50:54:00:00:00:05,dl_ds
+ # Must match on the source address to be able to restore it's value for
+ # the second bucket
+ AT_CHECK([tail -2 stdout], [0],
+-  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no
++  [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no
+ Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11
+ ])
+ OVS_VSWITCHD_STOP
+@@ -944,7 +944,7 @@ done
+ AT_CHECK([ovs-appctl dpctl/dump-flows | sed 
's/dp_hash(.*\/0xf)/dp_hash(0xXXXX\/0xf)/' |  sed 
's/packets.*actions:/actions:/' | strip_ufid | strip_used | sort], [0], [dnl
+ flow-dump from the main thread:
+ 
recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), 
actions:hash(sym_l4(0)),recirc(0x1)
+-recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,frag=no),
 actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10
++recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,proto=1,frag=no),
 actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10
+ ])
+ 
+ OVS_VSWITCHD_STOP
+@@ -959,7 +959,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 
'in_port=1,dl_src=50:54:00:00:00:05,dl_ds
+ # Must match on the source address to be able to restore it's value for
+ # the third bucket
+ AT_CHECK([tail -2 stdout], [0],
+-  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no
++  [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no
+ Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11
+ ])
+ OVS_VSWITCHD_STOP
+@@ -1536,17 +1536,17 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
+ AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=2,frag=no)'
 -generate], [0], [stdout])
+ AT_CHECK([tail -4 stdout], [0], [
+ Final flow: 
ip,in_port=1,vlan_tci=0x0000,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=111,nw_tos=0,nw_ecn=0,nw_ttl=1,nw_frag=no
+-Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=2,nw_frag=no
++Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=2,nw_frag=no
+ Datapath actions: 
set(ipv4(ttl=1)),2,userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)),4
+ ])
+ AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=3,frag=no)'],
 [0], [stdout])
+ AT_CHECK([tail -2 stdout], [0],
+-  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=3,nw_frag=no
++  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=3,nw_frag=no
+ Datapath actions: set(ipv4(ttl=2)),2,set(ipv4(ttl=1)),3,4
+ ])
+ AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x86dd),ipv6(src=::1,dst=::2,label=0,proto=10,tclass=0x70,hlimit=128,frag=no)'],
 [0], [stdout])
+ AT_CHECK([tail -2 stdout], [0],
+-  [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_ttl=128,nw_frag=no
++  [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_proto=10,nw_ttl=128,nw_frag=no
+ Datapath actions: set(ipv6(hlimit=127)),2,set(ipv6(hlimit=126)),3,4
+ ])
+ 
+@@ -1656,7 +1656,7 @@ AT_CHECK([ovs-vsctl -- \
+         --id=@q2 create Queue dscp=2], [0], [ignore])
+ AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(9),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=1.1.1.1,dst=2.2.2.2,proto=1,tos=0xff,ttl=128,frag=no),icmp(type=8,code=0)'],
 [0], [stdout])
+ AT_CHECK([tail -2 stdout], [0],
+-  [Megaflow: recirc_id=0,skb_priority=0,eth,ip,in_port=9,nw_tos=252,nw_frag=no
++  [Megaflow: 
recirc_id=0,skb_priority=0,eth,icmp,in_port=9,nw_tos=252,nw_frag=no
+ Datapath actions: dnl
+ 100,dnl
+ set(ipv4(tos=0x4/0xfc)),set(skb_priority(0x1)),1,dnl
+@@ -11884,7 +11884,7 @@ ovs-ofctl dump-flows br0
+ 
+ AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.10.10.2,dst=10.10.10.1,proto=1,tos=1,ttl=128,frag=no),icmp(type=8,code=0)'],
 [0], [stdout])
+ AT_CHECK([tail -3 stdout], [0], [dnl
+-Megaflow: recirc_id=0,eth,ip,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no
++Megaflow: 
recirc_id=0,eth,icmp,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no
+ Datapath actions: drop
+ Translation failed (Recursion too deep), packet is dropped.
+ ])
+diff --git a/tests/ofproto.at b/tests/ofproto.at
+index a666bebcac4..2fa8486a86f 100644
+--- a/tests/ofproto.at
++++ b/tests/ofproto.at
+@@ -6538,3 +6538,185 @@ verify_deleted
+ 
+ OVS_VSWITCHD_STOP(["/<invalid/d"])
+ AT_CLEANUP
++
++AT_SETUP([ofproto - implicit mask of ipv4 proto with invalid proto field])
++OVS_VSWITCHD_START
++add_of_ports br0 1 2
++
++AT_DATA([flows.txt], [dnl
++table=0 in_port=1 
priority=90,ip,nw_dst=192.168.1.20,actions=mod_nw_dst:192.168.20.20,output=2
++table=0 in_port=1 
priority=89,ip,nw_dst=192.168.1.21,actions=mod_nw_src:192.168.20.21,output=2
++table=0 in_port=1 priority=88,ip,nw_dst=192.168.1.10,actions=dec_ttl,output=2
++table=0 in_port=1 
priority=87,ip,nw_dst=192.168.1.19,actions=mod_nw_ttl:8,output=2
++table=0 in_port=1 
priority=86,ip,nw_dst=192.168.1.18,actions=mod_nw_ecn:2,output=2
++table=0 in_port=1 
priority=85,ip,nw_dst=192.168.1.17,actions=mod_nw_tos:0x40,output=2
++table=0 in_port=1 
priority=84,ip,nw_dst=192.168.1.16,actions=set_field:192.168.20.26->nw_dst,output=2
++table=0 in_port=1 
priority=83,ip,nw_dst=192.168.1.15,actions=set_field:192.168.21.26->nw_src,output=2
++table=0 in_port=1 
priority=82,ip,nw_dst=192.168.1.14,actions=set_field:0x40->nw_tos,output=2
++table=0 in_port=1 priority=0,actions=drop
++])
++AT_CHECK([ovs-ofctl del-flows br0])
++AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
++
++dnl send a proto 0 packet to try and poison the DP flow path
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 \
++ 
'5054000000075054000000050800450000548de140004000289fc0a801c4c0a8011408003bf60002001bbf080a640000000032ad010000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637'])
++
++AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
++flow-dump from the main thread:
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no),
 packets:0, bytes:0, used:never, actions:2
++])
++
++dnl Send ICMP for mod nw_src and mod nw_dst
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.20,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
++
++dnl send ICMP that will dec TTL
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.10,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
++
++dnl send ICMP that will mod TTL
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.19,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
++
++dnl send ICMP that will mod ECN
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.18,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
++
++dnl send ICMP that will mod TOS
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.17,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
++
++dnl send ICMP that will set DST
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.16,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
++
++dnl send ICMP that will set SRC
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
++
++dnl send ICMP that will set TOS
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.14,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)'])
++
++AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl
++flow-dump from the main thread:
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.10,proto=1,ttl=64,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv4(ttl=63)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.14,proto=1,tos=0/0xfc,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.16,proto=1,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.26)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.17,proto=1,tos=0/0xfc,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.18,proto=1,tos=0/0x3,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x2/0x3)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.19,proto=1,ttl=64,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv4(ttl=8)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no),
 packets:0, bytes:0, used:never, actions:2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=1,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.20)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.21.26)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.20.21)),2
++])
++
++OVS_VSWITCHD_STOP
++AT_CLEANUP
++
++AT_SETUP([ofproto - implicit mask of ipv6 proto with HOPOPT field])
++OVS_VSWITCHD_START
++add_of_ports br0 1 2
++
++AT_DATA([flows.txt], [dnl
++table=0 in_port=1 priority=77,ip6,ipv6_dst=111:db8::3,actions=dec_ttl,output=2
++table=0 in_port=1 
priority=76,ip6,ipv6_dst=111:db8::4,actions=mod_nw_ttl:8,output=2
++table=0 in_port=1 
priority=75,ip6,ipv6_dst=111:db8::5,actions=mod_nw_ecn:2,output=2
++table=0 in_port=1 
priority=74,ip6,ipv6_dst=111:db8::6,actions=mod_nw_tos:0x40,output=2
++table=0 in_port=1 
priority=73,ip6,ipv6_dst=111:db8::7,actions=set_field:2112:db8::2->ipv6_dst,output=2
++table=0 in_port=1 
priority=72,ip6,ipv6_dst=111:db8::8,actions=set_field:2112:db8::3->ipv6_src,output=2
++table=0 in_port=1 
priority=72,ip6,ipv6_dst=111:db8::9,actions=set_field:44->ipv6_label,output=2
++table=0 in_port=1 priority=0,actions=drop
++])
++AT_CHECK([ovs-ofctl del-flows br0])
++AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
++
++dnl send a proto 0 packet to try and poison the DP flow path
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=0,tclass=0,hlimit=64,frag=no)'])
++
++AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
++flow-dump from the main thread:
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no),
 packets:0, bytes:0, used:never, 
actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535))
++])
++
++dnl Send ICMP for mod nw_src and mod nw_dst
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::4,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
++
++dnl send ICMP that will dec TTL
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::5,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
++
++dnl send ICMP that will mod TTL
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::6,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
++
++dnl send ICMP that will mod ECN
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::7,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
++
++dnl send ICMP that will mod TOS
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
++
++dnl send ICMP that will set LABEL
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::9,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)'])
++
++AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl
++flow-dump from the main thread:
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no),
 packets:0, bytes:0, used:never, 
actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535))
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=1,hlimit=64,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=63)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::4,proto=1,hlimit=64,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=8)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::5,proto=1,tclass=0/0x3,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x2/0x3)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::6,proto=1,tclass=0/0xfc,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x40/0xfc)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::7,proto=1,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv6(dst=2112:db8::2)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::9,label=0,proto=1,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv6(label=0x2c)),2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,frag=no),
 packets:0, bytes:0, used:never, actions:set(ipv6(src=2112:db8::3)),2
++])
++
++OVS_VSWITCHD_STOP
++AT_CLEANUP
++
++AT_SETUP([ofproto - implicit mask of ARP OPer field])
++OVS_VSWITCHD_START
++add_of_ports br0 1 2
++
++AT_DATA([flows.txt], [dnl
++table=0 in_port=1 
priority=77,arp,arp_sha=00:01:02:03:04:06,actions=set_field:0x1->arp_op,2
++table=0 in_port=1 
priority=76,arp,arp_sha=00:01:02:03:04:07,actions=set_field:00:02:03:04:05:06->arp_sha,2
++table=0 in_port=1 
priority=75,arp,arp_sha=00:01:02:03:04:08,actions=set_field:ff:00:00:00:00:ff->arp_tha,2
++table=0 in_port=1 
priority=74,arp,arp_sha=00:01:02:03:04:09,actions=set_field:172.31.110.26->arp_spa,2
++table=0 in_port=1 
priority=73,arp,arp_sha=00:01:02:03:04:0a,actions=set_field:172.31.110.10->arp_tpa,2
++table=0 in_port=1 priority=1,actions=drop
++])
++
++AT_CHECK([ovs-ofctl del-flows br0])
++AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
++
++dnl Send op == 0 packet
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 \
++ 
'ffffffffffffaa55aa550000080600010800060400000001020304070c0a00010000000000000c0a0002'])
++
++AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
++flow-dump from the main thread:
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07),
 packets:0, bytes:0, used:never, actions:2
++])
++
++dnl Send op 2 -> set op
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=2,sha=00:01:02:03:04:06,tha=ff:ff:ff:ff:ff:ff)'])
++
++dnl Send op 1 -> set SHA
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:07,tha=ff:ff:ff:ff:ff:ff)'])
++
++dnl Send op 1 -> set THA
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff)'])
++
++dnl Send op 1 -> set SIP
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:09,tha=ff:ff:ff:ff:ff:ff)'])
++
++dnl Send op 1 -> set TIP
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a,tha=ff:ff:ff:ff:ff:ff)'])
++
++AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl
++flow-dump from the main thread:
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07),
 packets:0, bytes:0, used:never, actions:2
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:07),
 packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff),
 packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=2,sha=00:01:02:03:04:06),
 packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(sip=172.31.110.1,op=1,sha=00:01:02:03:04:09),
 packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a),
 packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action))
++])
++
++OVS_VSWITCHD_STOP
++AT_CLEANUP
+diff --git a/tests/packet-type-aware.at b/tests/packet-type-aware.at
+index 3b5c66fe526..d63528e69ee 100644
+--- a/tests/packet-type-aware.at
++++ b/tests/packet-type-aware.at
+@@ -1021,7 +1021,7 @@ AT_CHECK([
+ ], [0], [flow-dump from the main thread:
+ 
recirc_id(0),in_port(p0),packet_type(ns=0,id=0),eth(src=aa:bb:cc:00:00:02,dst=aa:bb:cc:00:00:01),eth_type(0x0800),ipv4(dst=20.0.0.1,proto=47,frag=no),
 packets:3, bytes:378, used:0.0s, actions:tnl_pop(gre_sys)
+ 
tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0),in_port(gre_sys),packet_type(ns=1,id=0x8847),eth_type(0x8847),mpls(label=999/0x0,tc=0/0,ttl=64/0x0,bos=1/1),
 packets:3, bytes:264, used:0.0s, 
actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),pop_mpls(eth_type=0x800),recirc(0x1)
+-tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(ttl=64,frag=no),
 packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br
++tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=1,ttl=64,frag=no),
 packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br
+ ])
+ 
+ ovs-appctl time/warp 1000
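Review bot: The new mf_set_mask_l3_prereqs in lib/meta-flow.c masks nw_proto two different ways with no explanation: the IP branch uses `WC_MASK_FIELD(wc, nw_proto);` while the ARP branch assigns `wc->masks.nw_proto = 0xff;` under a comment saying "mask only the lower 8 bits", yet nw_proto appears to be a single-byte field, so both produce the same mask and the comment suggests a distinction that does not exist. Using `WC_MASK_FIELD(wc, nw_proto);` in both branches, or replacing the comment with why the ARP opcode is carried in nw_proto, would make the intent clear. The one-line header comment added to include/openvswitch/meta-flow.h should also state the contract, e.g. `/* Unwildcards nw_proto in 'wc' when 'mf' is an L3 field being set on an IP or ARP flow 'fl', so that datapath flows differing only in nw_proto do not share the resulting set actions; no-op for other fields or flows. */`. Separately, the OFPACT_DEC_TTL case in do_xlate_actions masks nw_proto and then calls compose_dec_ttl, which masks it again; harmless, but one of the two is redundant. Both do_xlate_actions and compose_dec_ttl start and end outside these hunks.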
diff -Nru openvswitch-3.1.0/debian/patches/ovs-ctl-ipsec.patch 
openvswitch-3.1.0/debian/patches/ovs-ctl-ipsec.patch
--- openvswitch-3.1.0/debian/patches/ovs-ctl-ipsec.patch        2023-02-21 
23:01:11.000000000 +0100
+++ openvswitch-3.1.0/debian/patches/ovs-ctl-ipsec.patch        2023-04-11 
11:54:40.000000000 +0200
@@ -6,9 +6,11 @@
 Author: James Page <james.p...@ubuntu.com>
 Forwarded: not-needed
 
---- a/utilities/ovs-ctl.in
-+++ b/utilities/ovs-ctl.in
-@@ -245,7 +245,7 @@ start_ovs_ipsec () {
+Index: openvswitch/utilities/ovs-ctl.in
+===================================================================
+--- openvswitch.orig/utilities/ovs-ctl.in
++++ openvswitch/utilities/ovs-ctl.in
+@@ -250,7 +250,7 @@ start_ovs_ipsec () {
          --pidfile=${rundir}/ovs-monitor-ipsec.pid \
          --ike-daemon=$IKE_DAEMON \
          $no_restart \
@@ -16,3 +18,4 @@
 +        --log-file --detach unix:${rundir}/db.sock || return 1
      return 0
  }
+ 
diff -Nru openvswitch-3.1.0/debian/patches/series 
openvswitch-3.1.0/debian/patches/series
--- openvswitch-3.1.0/debian/patches/series     2023-02-21 23:01:11.000000000 
+0100
+++ openvswitch-3.1.0/debian/patches/series     2023-04-11 11:54:40.000000000 
+0200
@@ -1 +1,2 @@
 ovs-ctl-ipsec.patch
+CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
