On 2/25/26 6:05 PM, Matteo Perin via dev wrote:
> This series fixes a bug/unintended behavior where the --disable-system-route
> flag did not fully prevent non-standard system routing rules from being cached
> at startup.
>
> At init time, route_table_reset() queries all kernel routing rules via
> RTM_GETRULE and invokes ovs_router_rule_add() for each one. The
> use_system_routing_table flag was only checked in ovs_router_insert() and
> ovs_router_lookup_fallback(), leaving ovs_router_rule_add() unguarded. As a
> result, non-standard system rules (e.g. VRF or policy routing rules present on
> the host) would leak into the routing cache regardless of the flag, causing
> incorrect route lookups in unit tests and in production environments that use
> --disable-system-route.
>
> Patch 1 is the main fix: ovs_router_rule_add() is split into an internal
> ovs_router_rule_add__() used by OVS-internal callers (init_standard_rules,
> ovs_router_rule_add_cmd) that must always succeed, and a public
> ovs_router_rule_add() wrapper that gates insertion on
> use_system_routing_table.
> External callers such as rule_handle_msg() in route-table.c go through the
> public wrapper and are, therefore, correctly filtered.
>
> While working on patch 1, a second bug was found:
> ovs_router_rules_flush(false) removes all non-user rules, including the
> standard local/main/default rules that were added, unconditionally, at init
> time. Patch 2 fixes this by re-adding the standard rules immediately after a
> non-full flush via init_standard_rules().
>
> Patch 3 fixes an independent locking issue also uncovered during this work:
> ovs_router_rule_add() carried an OVS_REQUIRES(mutex) annotation, yet its
> external caller rule_handle_msg() in route-table.c does not hold the mutex,
> creating a potential data race.
>
> Together, patches 1 and 2 fix unit tests 834, 847, 848 and 850 which were
> failing because non-standard system routing rules were incorrectly appearing
> in the rule cache even when --disable-system-route was in effect.
>
> Matteo Perin (3):
>   ovs-router: Fix --disable-system-route rules filter.
>   ovs-router: Restore standard rules in non-full flush.
>   ovs-router: Fix locking in ovs_router_rule_add().
>
>  lib/ovs-router.c | 53 +++++++++++++++++++++++++++++++++---------------
>  1 file changed, 37 insertions(+), 16 deletions(-)
>

Thanks, Matteo! I left some comments for the individual patches for
reference, but I fixed all of them, squashed the first two patches together
and applied the set. Also backported to branch-3.7.

Best regards, Ilya Maximets.
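
A stand-alone C model of the three fixes described in the quoted cover letter, added here as an illustration and not taken from lib/ovs-router.c or from the applied patches. The function names other than init_standard_rules, the fixed-size array, and having the public wrapper take the mutex itself are assumptions of this model.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-alone model; hypothetical names, not code from lib/ovs-router.c. */
struct rule { int prio; bool user; };
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
static struct rule rules[16];
static size_t n_rules;
static bool use_system_routing_table = true;

/* Internal insert: caller holds 'mutex'; never gated by the flag. */
static bool rule_add__(int prio, bool user) {
    if (n_rules == sizeof rules / sizeof rules[0]) return false;
    rules[n_rules++] = (struct rule) { prio, user };
    return true;
}
/* local/main/default rules at their Linux default priorities. */
static void init_standard_rules(void) {
    static const int prio[] = { 0, 32766, 32767 };
    for (size_t i = 0; i < 3; i++) rule_add__(prio[i], false);
}
static bool locked_add(int prio, bool user, bool gated) {
    pthread_mutex_lock(&mutex);
    bool ok = (!gated || use_system_routing_table) && rule_add__(prio, user);
    pthread_mutex_unlock(&mutex);
    return ok;
}
/* Kernel-sourced rule: takes the lock itself (assumed fix) and is gated. */
bool rule_add(int prio) { return locked_add(prio, false, true); }
/* Operator-added rule: always inserted. */
bool rule_add_user(int prio) { return locked_add(prio, true, false); }
/* Non-full flush keeps user rules and restores the standard ones. */
void rules_flush(bool flush_all) {
    size_t kept = 0;
    pthread_mutex_lock(&mutex);
    for (size_t i = 0; !flush_all && i < n_rules; i++)
        if (rules[i].user) rules[kept++] = rules[i];
    n_rules = kept;
    if (!flush_all) init_standard_rules();
    pthread_mutex_unlock(&mutex);
}
void router_init(bool system_routing) {
    pthread_mutex_lock(&mutex);
    use_system_routing_table = system_routing;
    n_rules = 0;
    init_standard_rules();
    pthread_mutex_unlock(&mutex);
}
```

With system routing disabled, a rule arriving through rule_add() is rejected while the three standard rules and any operator-added rules remain, including after a non-full flush.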
