From patchwork Sat Nov 7 20:05:35 2015
X-Patchwork-Submitter: Joe Stringer
X-Patchwork-Id: 541383
From: Joe Stringer
To: dev@openvswitch.org
Date: Sat, 7 Nov 2015 12:05:35 -0800
Subject: [ovs-dev] [PATCH 1/3] ofproto-dpif: Validate ct_* field masks.
Message-Id: <1446926737-56001-1-git-send-email-joestringer@nicira.com>

When inserting rules that match on connection tracking fields, datapath
support must be checked before allowing or denying the rule insertion.
Previously we only disallowed flows that had non-zero values for the ct_*
field, but allowed non-zero masks. This meant that, e.g.:

ct_state=-trk,...

Would be allowed, while

ct_state=+trk,...

Would be disallowed, due to lack of datapath support.

Fix this by denying nonzero masks whenever there is no datapath support for
connection tracking.

Reported-by: Ravindra Kenchappa
Signed-off-by: Joe Stringer
---
 ofproto/ofproto-dpif.c | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index 5cc64cbca1f5..2f75b93d9694 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -4012,40 +4012,55 @@ rule_dealloc(struct rule *rule_) } static enum ofperr -rule_check(struct rule *rule) +check_flow(const struct ofproto_dpif *ofproto, const struct miniflow *flow, + bool mask) { + ovs_u128 ct_label = { { 0, 0 } }; uint16_t ct_state, ct_zone; const ovs_u128 *labelp; - ovs_u128 ct_label = { { 0, 0 } }; uint32_t ct_mark; - ct_state = MINIFLOW_GET_U16(rule->cr.match.flow, ct_state); - ct_zone = MINIFLOW_GET_U16(rule->cr.match.flow, ct_zone); - ct_mark = MINIFLOW_GET_U32(rule->cr.match.flow, ct_mark); - labelp = MINIFLOW_GET_U128_PTR(rule->cr.match.flow, ct_label); + ct_state = MINIFLOW_GET_U16(flow, ct_state); + ct_zone = MINIFLOW_GET_U16(flow, ct_zone); + ct_mark = MINIFLOW_GET_U32(flow, ct_mark); + labelp = MINIFLOW_GET_U128_PTR(flow, ct_label); if (labelp) { ct_label = *labelp; } if (ct_state || ct_zone || ct_mark || !ovs_u128_is_zero(&ct_label)) { - struct ofproto_dpif *ofproto = ofproto_dpif_cast(rule->ofproto); - const struct odp_support *support = &ofproto_dpif_get_support(ofproto)->odp; + const struct odp_support *support; + support = &ofproto_dpif_get_support(ofproto)->odp; if ((ct_state && !support->ct_state) || (ct_zone && !support->ct_zone) || (ct_mark && !support->ct_mark) || (!ovs_u128_is_zero(&ct_label) && !support->ct_label)) { return OFPERR_OFPBMC_BAD_FIELD; } - if (ct_state & CS_UNSUPPORTED_MASK) { + if (mask && ct_state & CS_UNSUPPORTED_MASK) { return OFPERR_OFPBMC_BAD_MASK; } } + return 0; } static enum ofperr +rule_check(struct rule *rule) +{ + struct ofproto_dpif *ofproto = ofproto_dpif_cast(rule->ofproto); + enum ofperr err; + + err = check_flow(ofproto, rule->cr.match.flow, false); + if (err) { + return err; + } + return check_flow(ofproto, &rule->cr.match.mask->masks, true); +} + +static enum ofperr rule_construct(struct rule *rule_) OVS_NO_THREAD_SAFETY_ANALYSIS {
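Review bot: check_flow() has no function comment saying what its third argument selects, and the name `mask` reads like a pointer to the mask rather than a flag telling the function that `flow` carries mask bits; suggest renaming it `is_mask` and adding a one-line comment along the lines of "/* Checks that the ct_* fields set in 'flow' (a flow value, or a mask if 'is_mask') are supported by the datapath. */" so that the two calls in rule_check() read unambiguously. In the same hunk, `if (mask && ct_state & CS_UNSUPPORTED_MASK)` relies on `&` binding tighter than `&&`; writing it as `mask && (ct_state & CS_UNSUPPORTED_MASK)` makes the intent explicit. One question on the error code: the second check_flow() pass over `&rule->cr.match.mask->masks` returns OFPERR_OFPBMC_BAD_FIELD when a ct_* mask is nonzero on a datapath without support, which is what closes the ct_state=-trk gap described in the commit message, but since that pass is examining a mask it may be worth stating in the comment why BAD_FIELD rather than BAD_MASK is the intended reply to the controller.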