[ovs-dev] controller: Set check_tnl_key for BFD on tunnel ifaces.

Message ID 20240312125656.3252402-1-dceara@redhat.com
State Accepted

Checks

Context Check Description
ovsrobot/apply-robot warning apply and check: warning
ovsrobot/github-robot-_Build_and_Test fail github build: failed
ovsrobot/github-robot-_ovn-kubernetes success github build: passed

Commit Message

Dumitru Ceara March 12, 2024, 12:56 p.m. UTC
From: Frode Nordahl <frode.nordahl@canonical.com>

The OVS BFD configuration option `check_tnl_key` controls whether
OVS should consider the tunnel key before processing BFD control
messages.  The OVN pipeline design ensures traffic originating
from a logical port will have a non-zero tunnel key.

Always set `check_tnl_key` to "true" to avoid processing of
BFD control messages originating from a logical port.

CVE-2024-2182

Signed-off-by: Dumitru Ceara <dceara@redhat.com>
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
---
 controller/bfd.c | 3 +++
 tests/ovn.at     | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

Comments

0-day Robot March 12, 2024, 2:04 p.m. UTC | #1
Bleep bloop.  Greetings Dumitru Ceara, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


checkpatch:
ERROR: Committer Mark Michelson <mmichels@redhat.com> needs to sign off.
WARNING: Unexpected sign-offs from developers who are not authors or co-authors or committers: Dumitru Ceara <dceara@redhat.com>
Lines checked: 70, Warnings: 1, Errors: 1


Please check this out.  If you feel there has been an error, please email aconole@redhat.com

Thanks,
0-day Robot
Patch

diff --git a/controller/bfd.c b/controller/bfd.c
index f24bfd0638..22a8c66959 100644
--- a/controller/bfd.c
+++ b/controller/bfd.c
@@ -235,6 +235,9 @@  bfd_run(const struct ovsrec_interface_table *interface_table,
         if (mult) {
             smap_add(&bfd, "mult", mult);
         }
+        /* `check_tnl_key` must always be set to "true" to avoid processing of
+         * BFD control messages originating from a logical port. */
+        smap_add(&bfd, "check_tnl_key", "true");
     }
 
     /* Enable or disable bfd */
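
Review bot: the added `smap_add(&bfd, "check_tnl_key", "true")` sits inside the block that closes on the line right after it, so the key is only written when that block's condition holds, while the commit message says to always set it. The condition is outside this hunk; please confirm it covers every tunnel interface on which BFD ends up enabled, and say so in the comment. The comment would also be more useful if it stated why the check is sufficient, as the commit message does: traffic originating from a logical port has a non-zero tunnel key.
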
diff --git a/tests/ovn.at b/tests/ovn.at
index e87df6c8dc..0595f1167e 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -13814,7 +13814,7 @@  for chassis in gw1 hv1 hv2; do
     echo "checking gw2 -> $chassis"
     OVS_WAIT_UNTIL([
     bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
-    test "$bfd_cfg" = "enable=true min_rx=2000"
+    test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000"
 ])
 done
 ovn-nbctl --wait=hv set NB_Global . options:"bfd-min-tx"=1500
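
Review bot: the updated expectation `test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000"` compares the whole `bfd` column as one string, so the security-relevant key is only checked as a side effect of an exact match that also depends on key order and on every other BFD option. Consider an additional, separate assertion on the key itself, for example via `ovs-vsctl get Interface ovn-$chassis-0 bfd:check_tnl_key`, so a failure points directly at the missing `check_tnl_key` rather than at an unrelated option change.
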
@@ -13822,7 +13822,7 @@  for chassis in gw1 hv1 hv2; do
     echo "checking gw2 -> $chassis"
     OVS_WAIT_UNTIL([
     bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
-    test "$bfd_cfg" = "enable=true min_rx=2000 min_tx=1500"
+    test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000 min_tx=1500"
 ])
 done
 ovn-nbctl remove NB_Global . options "bfd-min-rx"
@@ -13831,7 +13831,7 @@  for chassis in gw1 hv1 hv2; do
     echo "checking gw2 -> $chassis"
     OVS_WAIT_UNTIL([
     bfd_cfg=$(ovs-vsctl --bare --columns bfd find Interface name=ovn-$chassis-0)
-    test "$bfd_cfg" = "enable=true min_tx=1500 mult=15"
+    test "$bfd_cfg" = "check_tnl_key=true enable=true min_tx=1500 mult=15"
 ])
 done
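
Review bot: this hunk, like the two before it, only asserts that `check_tnl_key=true` appears in the `bfd` column of the `ovn-$chassis-0` interfaces; nothing in the visible test changes exercises the behaviour the commit message describes. A regression test for the CVE would send a BFD control message that originates from a logical port (non-zero tunnel key) and check that it is not processed as a BFD message for the tunnel interface. If that is impractical in `tests/ovn.at`, a short comment here saying the behaviour is covered on the OVS side would help the next reader.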