Commit 17843655 authored by Lorenzo Bianconi, committed by David S. Miller

openvswitch: take into account de-fragmentation/gso_size in execute_check_pkt_len



ovs connection tracking module performs de-fragmentation on incoming
fragmented traffic. Take into account if traffic has been de-fragmented
in execute_check_pkt_len action otherwise we will perform the wrong
nested action considering the original packet size. This issue typically
occurs if ovs-vswitchd adds a rule in the pipeline that requires connection
tracking (e.g. OVN stateful ACLs) before execute_check_pkt_len action.
Moreover take into account GSO fragment size for GSO packet in
execute_check_pkt_len routine.

Fixes: 4d5ec89f ("net: openvswitch: Add a new action check_pkt_len")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 02758755
+7 −2
@@ -1169,9 +1169,10 @@ static int execute_check_pkt_len(struct datapath *dp, struct sk_buff *skb,
				 struct sw_flow_key *key,
				 const struct nlattr *attr, bool last)
{
	struct ovs_skb_cb *ovs_cb = OVS_CB(skb);
	const struct nlattr *actions, *cpl_arg;
	int len, max_len, rem = nla_len(attr);
	const struct check_pkt_len_arg *arg;
	int rem = nla_len(attr);
	bool clone_flow_key;

	/* The first netlink attribute in 'attr' is always
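Review bot: The declaration `int len, max_len, rem = nla_len(attr);` gives len and max_len a signed type although the next hunk fills them from skb->len and arg->pkt_len, which are lengths and never negative. Declaring them as unsigned int on their own line, separate from the initialised rem, would keep the later `len <= max_len` comparison and the skb_gso_validate_mac_len() argument free of signed/unsigned conversions and would make the declaration easier to read.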
@@ -1180,7 +1181,11 @@ static int execute_check_pkt_len(struct datapath *dp, struct sk_buff *skb,
	cpl_arg = nla_data(attr);
	arg = nla_data(cpl_arg);

	if (skb->len <= arg->pkt_len) {
	len = ovs_cb->mru ? ovs_cb->mru + skb->mac_len : skb->len;
	max_len = arg->pkt_len;

	if ((skb_is_gso(skb) && skb_gso_validate_mac_len(skb, max_len)) ||
	    len <= max_len) {
		/* Second netlink attribute in 'attr' is always
		 * 'OVS_CHECK_PKT_LEN_ATTR_ACTIONS_IF_LESS_EQUAL'.
		 */
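Review bot: The new condition joins the GSO test and `len <= max_len` with `||`, so a GSO skb whose segments pass skb_gso_validate_mac_len() takes the less-or-equal branch even when ovs_cb->mru + skb->mac_len is larger than max_len, and a GSO skb that fails the segment check can still take it through the second operand. If that precedence is intended, say so in a comment; otherwise make the two cases exclusive so each packet is judged by exactly one length. The `len = ovs_cb->mru ? ...` line also needs a short comment stating that a non-zero mru means the skb was reassembled and why skb->mac_len is added to it, since the commit message is the only place this reasoning appears.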