Message ID | 1444846249-52053-1-git-send-email-joestringer@nicira.com |
---|---|
State | Changes Requested, archived |
Delegated to: | David Miller |
Headers | show |
On Wed, Oct 14, 2015 at 11:10 AM, Joe Stringer <joestringer@nicira.com> wrote: > Currently, 0-bits are generated in ct_state where the bit position is > undefined, and matches are accepted on these bit-positions. If userspace > requests to match the 0-value for this bit then it may expect only a > subset of traffic to match this value, whereas currently all packets > will have this bit set to 0. Fix this by rejecting such masks. > > Signed-off-by: Joe Stringer <joestringer@nicira.com> > --- > net/openvswitch/conntrack.h | 11 +++++------ > net/openvswitch/flow_netlink.c | 5 ++++- > 2 files changed, 9 insertions(+), 7 deletions(-) > > diff --git a/net/openvswitch/conntrack.h b/net/openvswitch/conntrack.h > index da8714942c95..2d42b3640117 100644 > --- a/net/openvswitch/conntrack.h > +++ b/net/openvswitch/conntrack.h > @@ -35,12 +35,9 @@ void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key); > int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb); > void ovs_ct_free_action(const struct nlattr *a); > > -static inline bool ovs_ct_state_supported(u32 state) > -{ > - return !(state & ~(OVS_CS_F_NEW | OVS_CS_F_ESTABLISHED | > - OVS_CS_F_RELATED | OVS_CS_F_REPLY_DIR | > - OVS_CS_F_INVALID | OVS_CS_F_TRACKED)); > -} Can you also remove definition of ovs_ct_state_supported() in case where conntrack is not enabled. Otherwise looks good. Acked-by: Pravin B Shelar <pshelar@nicira.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/openvswitch/conntrack.h b/net/openvswitch/conntrack.h index da8714942c95..2d42b3640117 100644 --- a/net/openvswitch/conntrack.h +++ b/net/openvswitch/conntrack.h @@ -35,12 +35,9 @@ void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key); int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb); void ovs_ct_free_action(const struct nlattr *a); -static inline bool ovs_ct_state_supported(u32 state) -{ - return !(state & ~(OVS_CS_F_NEW | OVS_CS_F_ESTABLISHED | - OVS_CS_F_RELATED | OVS_CS_F_REPLY_DIR | - OVS_CS_F_INVALID | OVS_CS_F_TRACKED)); -} +#define CT_SUPPORTED_MASK (OVS_CS_F_NEW | OVS_CS_F_ESTABLISHED | \ + OVS_CS_F_RELATED | OVS_CS_F_REPLY_DIR | \ + OVS_CS_F_INVALID | OVS_CS_F_TRACKED) #else #include <linux/errno.h> @@ -94,5 +91,7 @@ static inline int ovs_ct_put_key(const struct sw_flow_key *key, } static inline void ovs_ct_free_action(const struct nlattr *a) { } + +#define CT_SUPPORTED_MASK 0 #endif /* CONFIG_NF_CONNTRACK */ #endif /* ovs_conntrack.h */ diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index 171a691f1c32..bd710bc37469 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -816,7 +816,7 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) { u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]); - if (!is_mask && !ovs_ct_state_supported(ct_state)) { + if (ct_state & ~CT_SUPPORTED_MASK) { OVS_NLERR(log, "ct_state flags %08x unsupported", ct_state); return -EINVAL; @@ -1099,6 +1099,9 @@ static void nlattr_set(struct nlattr *attr, u8 val, } else { memset(nla_data(nla), val, nla_len(nla)); } + + if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE) + *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK; } }
Currently, 0-bits are generated in ct_state where the bit position is undefined, and matches are accepted on these bit-positions. If userspace requests to match the 0-value for this bit then it may expect only a subset of traffic to match this value, whereas currently all packets will have this bit set to 0. Fix this by rejecting such masks. Signed-off-by: Joe Stringer <joestringer@nicira.com> --- net/openvswitch/conntrack.h | 11 +++++------ net/openvswitch/flow_netlink.c | 5 ++++- 2 files changed, 9 insertions(+), 7 deletions(-)