From patchwork Wed Nov 11 19:39:50 2015
X-Patchwork-Submitter: Joe Stringer
X-Patchwork-Id: 543057
From: Joe Stringer
To: dev@openvswitch.org
Date: Wed, 11 Nov 2015 11:39:50 -0800
Subject: [ovs-dev] [PATCHv2 2/6] ofproto-dpif: Validate ct_* field masks.
Message-Id: <1447270794-21103-3-git-send-email-joestringer@nicira.com>
In-Reply-To: <1447270794-21103-1-git-send-email-joestringer@nicira.com>

When inserting rules that match on connection tracking fields, datapath
support must be checked before allowing or denying the rule insertion.
Previously we only disallowed flows that had non-zero values for the
ct_* field, but allowed non-zero masks. This meant that, eg:

ct_state=-trk,...

Would be allowed, while

ct_state=+trk,...

Would be disallowed, due to lack of datapath support. Fix this by
performing the check on masks instead of the flows.

Reported-by: Ravindra Kenchappa
Signed-off-by: Joe Stringer
Acked-by: Jarno Rajahalme
--- ofproto/ofproto-dpif.c | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c index ab1b6a2f7d8e..ee2d267ab7b8 100644 --- a/ofproto/ofproto-dpif.c 
+++ b/ofproto/ofproto-dpif.c @@ -4014,30 +4014,26 @@ rule_dealloc(struct rule *rule_) static enum ofperr rule_check(struct rule *rule) { + struct ofproto_dpif *ofproto = ofproto_dpif_cast(rule->ofproto); + const struct odp_support *support; uint16_t ct_state, ct_zone; ovs_u128 ct_label; uint32_t ct_mark; - ct_state = MINIFLOW_GET_U16(rule->cr.match.flow, ct_state); - ct_zone = MINIFLOW_GET_U16(rule->cr.match.flow, ct_zone); - ct_mark = MINIFLOW_GET_U32(rule->cr.match.flow, ct_mark); - ct_label = MINIFLOW_GET_U128(rule->cr.match.flow, ct_label); + support = &ofproto_dpif_get_support(ofproto)->odp; + ct_state = MINIFLOW_GET_U16(&rule->cr.match.mask->masks, ct_state); + ct_zone = MINIFLOW_GET_U16(&rule->cr.match.mask->masks, ct_zone); + ct_mark = MINIFLOW_GET_U32(&rule->cr.match.mask->masks, ct_mark); + ct_label = MINIFLOW_GET_U128(&rule->cr.match.mask->masks, ct_label); - if (ct_state || ct_zone || ct_mark - || !ovs_u128_is_zero(&ct_label)) { - struct ofproto_dpif *ofproto = ofproto_dpif_cast(rule->ofproto); - const struct odp_support *support = &ofproto_dpif_get_support(ofproto)->odp; - - if ((ct_state && !support->ct_state) - || (ct_zone && !support->ct_zone) - || (ct_mark && !support->ct_mark) - || (!ovs_u128_is_zero(&ct_label) && !support->ct_label)) { - return OFPERR_OFPBMC_BAD_FIELD; - } - if (ct_state & CS_UNSUPPORTED_MASK) { - return OFPERR_OFPBMC_BAD_MASK; - } + if ((ct_state && !support->ct_state) + || (ct_state & CS_UNSUPPORTED_MASK) + || (ct_zone && !support->ct_zone) + || (ct_mark && !support->ct_mark) + || (!ovs_u128_is_zero(&ct_label) && !support->ct_label)) { + return OFPERR_OFPBMC_BAD_MASK; } + return 0; }
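Review bot: In the combined condition at the end of rule_check(), every failure now returns OFPERR_OFPBMC_BAD_MASK, including the cases where the datapath lacks the field altogether (`ct_zone && !support->ct_zone` and its siblings), which the removed code reported as OFPERR_OFPBMC_BAD_FIELD. The commit message does not mention this change in the error a controller sees, so either keep BAD_FIELD for the `!support->...` cases and reserve BAD_MASK for `ct_state & CS_UNSUPPORTED_MASK`, or say in the message why a single code is intended. The locals ct_state, ct_zone, ct_mark and ct_label now hold mask bits read from `rule->cr.match.mask->masks` rather than flow values, so a `_mask` suffix or a one-line comment would keep a later reader from treating them as match values. The diffstat touches only ofproto-dpif.c; a test that inserts a `ct_state=-trk` flow against a datapath without ct_state support would pin down the behaviour the commit message describes.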