store the last executed chain also for clsact egress

Bug #1982980 reported by Bodong Wang
Affects: linux-bluefield (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

* Explain the bug(s)

Misses on multi-chain tc egress rules that are offloaded from OvS datapath rules (ct rules on OvS internal port devices)
will restart from recirc_id(0) again in the OvS datapath, instead of from the recirc_id that matches where we left off
in tc (the OvS recirc_id should equal the tc chain).

* brief explanation of fixes

Set the tc skb extension that stores the last executed tc chain, which OvS reads on misses to
set the starting recirc_id from.

* How to test

  Set up OvS with offload enabled, and add an IP to the internal port; example with a veth device:

  function config_veth() {
    local ns=$1
    local ip=$2
    local peer=${ns}_peer
    local veth=${ns}_veth

    echo "Create namespace $ns, veths: hv $veth <-> ns $peer ($ip)"
    ip netns add "$ns"
    # remove a stale veth left over from a previous run, if any
    ip link del "$veth" &>/dev/null
    ip link add "$veth" type veth peer name "$peer"
    ip link set "$veth" up
    ip link set "$peer" netns "$ns"
    ip netns exec "$ns" ifconfig "$peer" "$ip/24" mtu 1400 up
  }

   IP1="7.7.7.1"
   IP2="7.7.7.2"
   config_veth ns0 $IP1
   # the bridge must exist before an address can be assigned to its internal port
   ovs-vsctl add-br ovs-br
   ifconfig ovs-br $IP2
   ovs-vsctl add-port ovs-br ns0_veth
   ovs-vsctl add-port ovs-br ns1_veth

  Add OpenFlow rules and check whether packets arriving at table=0 (the default table, which corresponds to recirc_id(0))
  have a ct mark that was only set if a later table was executed. Add an unsupported offload action (in this case group), so we
  will have a miss from offloaded tc rules to the OvS dp:

   ovs-ofctl del-flows ovs-br

   ovs-ofctl -O OpenFlow12 add-group ovs-br 'group_id=2,type=select,bucket=ct(commit,zone=1,table=2)'

   ovs-ofctl add-flow ovs-br "table=0, arp, action=normal"

   ovs-ofctl add-flow ovs-br "table=0, ip, +trk, actions=drop" #bad flow
   ovs-ofctl add-flow ovs-br "table=0, ip, -trk, actions=ct(commit,table=1)" #good flow

   ovs-ofctl add-flow ovs-br "table=1, in_port=1, actions=group:2"

   ovs-ofctl add-flow ovs-br "table=2, ip, actions=normal"

   Run UDP/TCP traffic from the default ns 7.7.7.1 to ns1 7.7.7.2 and
   check ovs-appctl dpctl/dump-flows.

   If the bug occurs there should be a drop rule, because we got to recirc_id(0) after missing in tc, and tc
   already did the -trk ct(commit...) rule, so the packet should be tracked (+trk) when it misses to OvS.

* What it could break.
   Running the wrong datapath rules in the OvS datapath.
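Added example, not part of the bug report: a small check that scans ovs-appctl dpctl/dump-flows output for the signature the test procedure describes (a flow at recirc_id(0) whose match already carries ct_state(+trk...) and whose action is drop). The sample dumps are constructed and abbreviated for illustration; the flow-line format is assumed to follow the usual dpctl/dump-flows layout.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the miss-restart signature
# in OvS datapath flow dumps. On a fixed kernel, a miss from tc resumes at the
# recirc_id of the last executed chain, so a drop flow at recirc_id(0) that
# matches an already-tracked packet should not appear.

# Read "ovs-appctl dpctl/dump-flows" output on stdin, print how many flows
# match the bug signature.
count_miss_restarts() {
    awk '/recirc_id\(0\)/ && /ct_state\(\+trk/ && /actions:drop/ { n++ }
         END { print n + 0 }'
}

# Print the offending flows; exit status 1 when any are present, 0 otherwise.
check_miss_restarts() {
    awk '/recirc_id\(0\)/ && /ct_state\(\+trk/ && /actions:drop/ { print; n++ }
         END { exit (n ? 1 : 0) }'
}

# Constructed sample dumps (abbreviated, illustration only).
# Buggy kernel: the miss came back at recirc_id(0) with the packet already
# tracked, so the "bad flow" (table=0, ip, +trk, actions=drop) was hit.
SAMPLE_BUGGY='recirc_id(0),in_port(2),eth_type(0x0800),ipv4(proto=17,frag=no),ct_state(-trk), packets:3, bytes:294, used:0.5s, actions:ct(commit),recirc(0x1)
recirc_id(0x1),in_port(2),eth_type(0x0800),ipv4(proto=17,frag=no), packets:3, bytes:294, used:0.5s, actions:userspace(pid=1,slow_path(action))
recirc_id(0),in_port(2),eth_type(0x0800),ipv4(proto=17,frag=no),ct_state(+trk+new), packets:3, bytes:294, used:0.5s, actions:drop'
# Fixed kernel: the miss resumes at recirc_id(0x1); no drop flow at recirc_id(0).
SAMPLE_FIXED='recirc_id(0),in_port(2),eth_type(0x0800),ipv4(proto=17,frag=no),ct_state(-trk), packets:3, bytes:294, used:0.5s, actions:ct(commit),recirc(0x1)
recirc_id(0x1),in_port(2),eth_type(0x0800),ipv4(proto=17,frag=no), packets:3, bytes:294, used:0.5s, actions:userspace(pid=1,slow_path(action))
recirc_id(0x2),in_port(2),eth_type(0x0800),ipv4(proto=17,frag=no), packets:3, bytes:294, used:0.5s, actions:1'

# Live use: ovs-appctl dpctl/dump-flows | check_miss_restarts
if [ "$(printf '%s\n' "$SAMPLE_BUGGY" | count_miss_restarts)" -gt 0 ]; then
    echo "bug signature present in constructed sample (expected)"
fi
```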

Changed in linux-bluefield (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-bluefield - 5.4.0-1045.50

---------------
linux-bluefield (5.4.0-1045.50) focal; urgency=medium

  * focal/linux-bluefield: 5.4.0-1045.50 -proposed tracker (LP: #1983921)

  * pwr-mlxbf.c: Improve driver dependencies and fix zero allocating memory size
    (LP: #1980750)
    - SAUCE: pwr-mlxbf.c: Improve driver dependencies
    - SAUCE: pwr-mlxbf.c: Fix zero allocating memory size
    - SAUCE: pwr-mlxbf.c: Update driver version to 1.1

  * store the last executed chain also for clsact egress (LP: #1982980)
    - net/sched: store the last executed chain also for clsact egress

  * i2c-mlxbf.c: support lock mechanism (LP: #1981105)
    - SAUCE: i2c-mlxbf.c: support lock mechanism

  * i2c-mlxbf.c: fix wrong variable name (LP: #1982357)
    - SAUCE: i2c-mlxbf.c: fix wrong variable name

  [ Ubuntu: 5.4.0-125.141 ]

  * focal/linux: 5.4.0-125.141 -proposed tracker (LP: #1983947)
  * nbd: requests can become stuck when disconnecting from server with qemu-nbd
    (LP: #1896350)
    - blk-mq: blk-mq: provide forced completion method
    - blk-mq: move failure injection out of blk_mq_complete_request
    - nbd: don't handle response without a corresponding request message
    - nbd: make sure request completion won't concurrent
    - nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed
    - nbd: fix io hung while disconnecting device
  * CVE-2021-33656
    - vt: drop old FONT ioctls
  * CVE-2021-33061
    - ixgbe: add the ability for the PF to disable VF link state
    - ixgbe: add improvement for MDD response functionality
    - ixgbevf: add disable link state

 -- Zachary Tahenakos <email address hidden> Thu, 11 Aug 2022 15:11:51 -0400

Changed in linux-bluefield (Ubuntu):
status: Fix Committed → Fix Released