Update openvswitch to rev 69 via SR 1109539
https://build.opensuse.org/request/show/1109539 by user dpitchumani + anag+factory Description: - Added fix for CVE-2023-3152, openvswitch: service monitor MAC flow is not rate limited Actions: - submit network/openvswitch => openSUSE:Factory/openvswitch Changes: - Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited - Added patch, CVE-2023-3152.patch
1 parent
f9e365c
commit 399fa5e
Showing
5 changed files
with
148 additions
and
0 deletions.
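--- /dev/null
+++ b/CVE-2023-3152.patch
@@ -0,0 +1,121 @@
+commit 9a3f7ed905e525ebdcb14541e775211cbb0203bd
+Author: Ales Musil <amusil@redhat.com>
+Date: Wed Jul 12 07:12:29 2023 +0200
+
+northd, controller: Add CoPP for SVC monitor
+
+The SVC monitor was exposed without any limitation.
+Add CoPP for the SVC monitor flow, which adds a way
+for CMSs to limit the traffic that this flow accepts.
+
+Signed-off-by: Ales Musil <amusil@redhat.com>
+
+diff --git a/lib/copp.c b/lib/copp.c
+index 603e3f5bf..11dd9029d 100644
+--- a/lib/copp.c
++++ b/lib/copp.c
+@@ -38,6 +38,7 @@ static char *copp_proto_names[COPP_PROTO_MAX] = {
+[COPP_ND_RA_OPTS] = "nd-ra-opts",
+[COPP_TCP_RESET] = "tcp-reset",
+[COPP_REJECT] = "reject",
++ [COPP_SVC_MONITOR] = "svc-monitor",
+[COPP_BFD] = "bfd",
+};
+
+diff --git a/lib/copp.h b/lib/copp.h
+index f03004aa6..b99737220 100644
+--- a/lib/copp.h
++++ b/lib/copp.h
+@@ -37,6 +37,7 @@ enum copp_proto {
+COPP_TCP_RESET,
+COPP_BFD,
+COPP_REJECT,
++ COPP_SVC_MONITOR,
+COPP_PROTO_MAX,
+COPP_PROTO_INVALID = COPP_PROTO_MAX,
+};
+diff --git a/northd/northd.c b/northd/northd.c
+index 7ad4cdfad..1e05b8f22 100644
+--- a/northd/northd.c
++++ b/northd/northd.c
+@@ -8876,9 +8876,11 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
+{
+if (od->nbs) {
+
+- ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110,
+- "eth.dst == $svc_monitor_mac",
+- "handle_svc_check(inport);");
++ ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 110, "eth.dst == "
++ "$svc_monitor_mac && (tcp || icmp || icmp6)",
++ "handle_svc_check(inport);",
++ copp_meter_get(COPP_SVC_MONITOR, od->nbs->copp,
++ meter_groups));
+
+struct mcast_switch_info *mcast_sw_info = &od->mcast_info.sw;
+
+diff --git a/ovn-nb.xml b/ovn-nb.xml
+index 35acda107..59ac42dbd 100644
+--- a/ovn-nb.xml
++++ b/ovn-nb.xml
+@@ -466,6 +466,10 @@
+<column name="meters" key="reject">
+Rate limiting meter for packets that trigger a reject action
+</column>
++ <column name="meters" key="svc-monitor">
++ Rate limiting meter for packets that are arriving to service
++ monitor MAC address.
++ </column>
+<column name="external_ids">
+See <em>External IDs</em> at the beginning of this document.
+</column>
+diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
+index b8376991b..70350a781 100644
+--- a/tests/ovn-northd.at
++++ b/tests/ovn-northd.at
+@@ -3544,7 +3544,7 @@ AT_CHECK([ovn-sbctl list logical_flow | grep trigger_event -A 2 | grep -q meter0
+
+# let's try to add an usupported protocol "dhcp"
+AT_CHECK([ovn-nbctl --wait=hv copp-add copp5 dhcp meter1],[1],[],[dnl
+-ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject.
++ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject, svc-monitor.
+])
+
+#Let's try to add a valid protocol to an unknown datapath
+diff --git a/tests/system-ovn.at b/tests/system-ovn.at
+index f8131b90e..7c009e157 100644
+--- a/tests/system-ovn.at
++++ b/tests/system-ovn.at
+@@ -7282,6 +7282,23 @@ OVS_WAIT_UNTIL([
+])
+kill $(pidof tcpdump)
+
++check ovn-nbctl set nb_global . options:svc_monitor_mac="33:33:33:33:33:33"
++check ovn-nbctl meter-add svc-meter drop 1 pktps 0
++check ovn-nbctl --wait=hv copp-add copp4 svc-monitor svc-meter
++check ovn-nbctl --wait=hv ls-copp-add copp4 sw0
++check ovn-appctl -t ovn-controller vlog/set vconn:dbg
++AT_CHECK([ovn-nbctl copp-list copp4], [0], [dnl
++svc-monitor: svc-meter
++])
++
++ip netns exec sw01 scapy -H <<-EOF
++p = Ether(dst="33:33:33:33:33:33", src="f0:00:00:01:02:03") /\
++ IP(dst="192.168.1.100", src="192.168.1.2") / TCP(dport=1234, sport=1234)
++sendp(p, iface='sw01', loop=0, verbose=0, count=20)
++EOF
++
++OVS_WAIT_UNTIL([test "1" = "$(grep -c "dl_dst=33:33:33:33:33:33" ovn-controller.log)"])
++
+kill $(pidof ovn-controller)
+
+as ovn-sb
+@@ -7295,7 +7312,8 @@ OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+
+as
+OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d
+-/.*terminating with signal 15.*/d"])
++/.*terminating with signal 15.*/d
++/.*Service monitor not found/d"])
+
+AT_CLEANUP
+])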
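Review bot: The narrowed match in the northd.c hunk, `eth.dst == $svc_monitor_mac && (tcp || icmp || icmp6)`, silently changes what happens to any other traffic addressed to the monitor MAC — it no longer reaches `handle_svc_check` and presumably continues through the lower-priority S_SWITCH_IN_L2_LKUP flows, which lie outside the hunk (as does the rest of build_lswitch_destination_lookup_bmcast), so the intent deserves a comment such as `/* Only the protocols the service monitor answers are handled here; other frames to the monitor MAC fall through to the regular L2 lookup. */`. The rate limit is also opt-in: if copp_meter_get yields no meter when the datapath's CoPP has none bound (not visible in this patch), the flow stays unmetered, so the new ovn-nb.xml entry should say that the limit takes effect only once a meter is configured under the `svc-monitor` key. The system test pairs a `drop 1 pktps 0` meter with an expectation of exactly one logged frame out of 20, which looks timing-sensitive; asserting a bound rather than equality would make it less likely to flake. Finally, the commit record names both CVE-2023-3152 (title and patch file name) and CVE-2023-3153 (changes entry) for the same issue; confirm which identifier is correct so the patch file name and the changes entry agree.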