On Sun, Nov 21, 2021 at 11:20:55PM +0800, lic121 wrote:
> In ovs kernel datapath upcall, the *key* and packet are passed to
> userspace. The key contains the fields/meta extracted from packet.
> Once the ovs-vswitchd receives the upcall, the packet is extracted
> again into *flow*. Next, the flow is used to match openflow rules to
> generate the wildcard(wc). At last, vswitchd installs a mega_flow in
> datapath(mega_flow = key/wc,action)
>
> We can see that vswitchd generates wc from flow while it installs dp
> flow with key. If the key is not consistent with the flow [1], we get
> a bad mega_flow.
>
> Let's assume we have the following rules, meant to block tcp port 0-0xf,
> but allow other ports.
>
> "table=0,priority=100,tcp,tp_dst=0x0/0xfff0 actions=drop"
> "table=0,priority=90,tcp actions=p1"
>
> good case:
> If a packet has tcp dst=0x10, the generated `mega_flow=0x10/0xfff0,out:p1`,
> this is expected.
>
> bad case:
> If a packet has tcp dst=0x10 but does not pass tcphdr_ok [1], the generated wc
> and action are `0xfff0,out:p1`. The mega_flow will be
> `0x0/0xfff0,out:p1`, because mega_flow=key/wc,action. This allows
> packets with tcp port 0-0xf to pass by mistake.
>
> The following scapy3 script triggers the issue:
> ```py
> from scapy.all import Ether, IP, TCP, sendp
> eth=Ether(src="fa:16:3e:5e:e3:57",dst="be:95:df:40:fb:57")
> ip=IP(src="10.10.10.10",dst="20.20.20.20")
> tcp=TCP(sport=100,dport=16,dataofs=1)
> sendp(eth/ip/tcp)
> ```
>
> This patch is to prevent installing a datapath flow if the key is
> not consistent with the flow.
>
> [1] https://github.com/openvswitch/ovs/blob/v2.16.1/datapath/flow.c#L601
>
> Signed-off-by: lic121 <lic...@chinatelecom.cn>
Hi,

This patch appears to have gone stale in patchwork, for one reason or
another. If it is still relevant then I think it needs to be revisited,
by being reposted after appropriate preparation.

As such I'm marking this patch as "Deferred" in patchwork.
No action is required unless there is a desire to revisit this patch.

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
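The key/flow mismatch that the quoted patch description walks through, worked as an added Python model. This is not OVS code and not lic121's patch: the extraction functions, the two-rule table, the flow dictionaries and the header-length rule are simplifications I constructed to show why `mega_flow = key/wc,action` goes wrong when the kernel zeroes the TCP fields but userspace does not, and what the proposed consistency check prevents.

```python
# Added example (not OVS code): toy model of the kernel upcall key, the
# userspace-extracted flow, megaflow installation, and the guard the patch
# proposes. Field names, rule table and the extraction logic are constructed
# simplifications for illustration only.

TCP_HEADER_LEN = 20  # minimum TCP header length the kernel tcphdr_ok check requires


def kernel_extract_key(pkt):
    """Model of datapath key extraction: TCP fields are filled only when the
    header passes tcphdr_ok (data offset * 4 >= 20); otherwise they stay 0."""
    key = {"proto": "tcp", "tp_dst": 0}
    if pkt["dataofs"] * 4 >= TCP_HEADER_LEN:
        key["tp_dst"] = pkt["dport"]
    return key


def userspace_extract_flow(pkt):
    """Model of ovs-vswitchd re-extracting the packet: no data-offset check,
    so the destination port is taken straight from the header."""
    return {"proto": "tcp", "tp_dst": pkt["dport"]}


# Constructed rule set mirroring the thread: drop tcp ports 0x0-0xf, forward the rest.
RULES = [
    {"priority": 100, "tp_dst": 0x0, "mask": 0xFFF0, "action": "drop"},
    {"priority": 90, "tp_dst": None, "mask": 0x0000, "action": "out:p1"},
]


def classify(flow):
    """Return (action, wildcard mask) from the highest-priority matching rule.
    The mask is the union of the bits every examined rule looked at."""
    wc = 0
    for rule in sorted(RULES, key=lambda r: -r["priority"]):
        wc |= rule["mask"]
        if rule["tp_dst"] is None or (flow["tp_dst"] & rule["mask"]) == rule["tp_dst"]:
            return rule["action"], wc
    raise LookupError("no rule matched")


def build_megaflow(key, wc, action):
    """mega_flow = key/wc,action: the *key*, not the flow, supplies the value."""
    return {"tp_dst": key["tp_dst"] & wc, "mask": wc, "action": action}


def megaflow_matches(mf, dport):
    """Masked match of a later packet's destination port against the megaflow."""
    return (dport & mf["mask"]) == mf["tp_dst"]


def key_consistent_with_flow(key, flow, wc):
    """The guard the patch proposes: refuse to install when key and flow
    disagree in any bit the wildcard mask leaves unwildcarded."""
    return (key["tp_dst"] & wc) == (flow["tp_dst"] & wc)


def install_megaflow(pkt, check_consistency):
    """Simulate one upcall; return the installed megaflow, or None if skipped."""
    key = kernel_extract_key(pkt)
    flow = userspace_extract_flow(pkt)
    action, wc = classify(flow)
    if check_consistency and not key_consistent_with_flow(key, flow, wc):
        return None  # not installed; the packet stays on the slow path
    return build_megaflow(key, wc, action)


if __name__ == "__main__":
    good = install_megaflow({"dport": 0x10, "dataofs": 5}, check_consistency=False)
    bad = install_megaflow({"dport": 0x10, "dataofs": 1}, check_consistency=False)
    print("good case:", good)
    print("bad case: ", bad, "-> port 5 forwarded?", megaflow_matches(bad, 5))
    print("with check:", install_megaflow({"dport": 0x10, "dataofs": 1}, True))
```

With a valid header the megaflow is `0x10/0xfff0,out:p1`; with `dataofs=1` the key carries `tp_dst=0` while the flow carries `0x10`, so the installed entry becomes `0x0/0xfff0,out:p1` and ports 0 through 0xf now match a forwarding action that the rule table says should be a drop. The consistency guard compares key and flow only within the unwildcarded bits, which is exactly the set of bits the megaflow will later be matched on.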