From patchwork Wed Sep 15 19:04:34 2021
X-Patchwork-Submitter: Aaron Conole
X-Patchwork-Id: 1528538
From: Aaron Conole
To: dev@openvswitch.org
Cc: Mohamed Mahmoud, Lorenzo Bianconi, Ilya Maximets, Flavio Leitner
Date: Wed, 15 Sep 2021 15:04:34 -0400
Message-Id: <20210915190434.1162229-1-aconole@redhat.com>
Subject: [ovs-dev] [PATCH] igmp: always check and mask igmp packets.

When OVS starts with default settings, it will have no existing datapath
flows configured, and it will not explicitly handle IGMP packets. This
means that all traffic will hit the datapath, and then follow the
xlate_normal processing path.

Unfortunately for some users of IGMP-aware applications (such as
'keepalived'), IGMP packets will arrive, go through processing and a
default flow like the following will be installed:

  recirc_id(0),in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), actions:userspace(pid=xxxxxxx,slow_path(match))

This is a very broad match - and will force all IPv4 traffic to userspace.

To combat this, force the wildcard initialization to always include an
IGMP protocol match. An existing IGMP check is only run when multicast
snooping is configured. Now we will always run the check during wildcard
init.

A unit test is added that works for kernel and userspace datapaths.

Reported-by: Lorenzo Bianconi
Reported-by: Mohamed Mahmoud
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2002888
Signed-off-by: Aaron Conole
---
 ofproto/ofproto-dpif-xlate.c |  8 ++++++++
 tests/system-traffic.at      | 28 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c index 8723cb4e85..dc3971cdf9 100644 --- a/ofproto/ofproto-dpif-xlate.c +++ b/ofproto/ofproto-dpif-xlate.c @@ -7381,6 +7381,14 @@ xlate_wc_init(struct xlate_ctx *ctx) WC_MASK_FIELD_MASK(ctx->wc, nw_frag, FLOW_NW_FRAG_MASK); } + /* Always check for igmp type in the packet. This will ensure that + * the igmp nw type will properly be set as a match field. */ + if (get_dl_type(&ctx->xin->flow) == htons(ETH_TYPE_IP)) { + if (ctx->xin->flow.nw_proto == IPPROTO_IGMP && ctx->wc) { + WC_MASK_FIELD(ctx->wc, nw_proto); + } + } + if (ctx->xbridge->support.odp.recirc) { /* Always exactly match recirc_id when datapath supports * recirculation. */ diff --git a/tests/system-traffic.at b/tests/system-traffic.at index de9108ac20..e0836839d6 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -6147,6 +6147,34 @@ AT_CHECK([ovs-ofctl dump-flows br0 | grep table=2, | OFPROTO_CLEAR_DURATION_IDLE OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_BANNER([IGMP]) + +AT_SETUP([IGMP - VRRP VSS padded]) + +OVS_TRAFFIC_VSWITCHD_START() +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") + +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 dnl +f0 00 00 01 01 01 08 00 46 c0 00 28 00 00 40 00 01 02 d3 49 45 65 eb 4a e0 dnl +00 00 16 94 04 00 00 22 00 f9 02 00 00 00 01 04 00 00 00 e0 00 00 fb 00 00 dnl +00 00 00 00 > /dev/null]) + +AT_CHECK([ovs-appctl dpctl/dump-flows | grep -e .*ipv4 | dnl + sed -e 's/ packets:[[0-9]]*,//' -e 's/ bytes:[[0-9]]*,//' dnl + -e 's/ used:[[a-zA-Z0-9]]*,//' -e 's/pid=[[0-9]]*,//' dnl + -e 's/,packet_type(ns=[[0-9]]*,id=[[0-9]]*),/,eth(),/' dnl + -e 's/actions:drop/actions:userspace(slow_path(match))/'], + [0], [dnl +recirc_id(0),in_port(2),eth(),eth_type(0x0800),ipv4(proto=2,frag=no), actions:userspace(slow_path(match)) +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + + AT_BANNER([802.1ad]) AT_SETUP([802.1ad - vlan_limit])
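
Review bot: In the xlate_wc_init() hunk of ofproto/ofproto-dpif-xlate.c, nw_proto is un-wildcarded only when the packet being translated is itself IGMP (`ctx->xin->flow.nw_proto == IPPROTO_IGMP`), so this hunk does not change the wildcards of a datapath flow installed from any other IPv4 packet. If such a flow can be installed with nw_proto still wildcarded, later IGMP packets could match it and never reach this check. Consider masking nw_proto for every ETH_TYPE_IP flow, or state in the comment why the IGMP-only case is sufficient. As a smaller point, the two nested ifs can be a single condition with the `ctx->wc` test first.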
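
Review bot: In the new "IGMP - VRRP VSS padded" test in tests/system-traffic.at, the sed rule `-e 's/actions:drop/actions:userspace(slow_path(match))/'` rewrites a drop action into the expected userspace action, so the check passes for either outcome and effectively asserts only the `ipv4(proto=2,frag=no)` match. Add a comment saying why the two actions are treated as equivalent, or check the action per datapath. The raw bytes passed to sendpkt.py also need a short comment describing the packet and what "VRRP VSS padded" refers to, and `grep -e .*ipv4` leaves the pattern unquoted where `grep ipv4` would do the same. A second check that sends a non-IGMP IPv4 packet and confirms it does not land on the slow-path flow would cover the regression the commit message describes.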