From a98dc4992648a1ca15f6682793cc9998ea254781 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 9 Jan 2026 11:44:15 +0100
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 openvswitch revision 0a41dce34309528f1da09568140d8ffb
---
 CVE-2023-1668.patch | 517 --------------------------------------
 CVE-2023-3152.patch | 121 ---------
 CVE-2025-0650.patch | 129 ++++++++++
 install-ovsdb-tools.patch | 18 +-
 openvswitch-3.1.0.tar.gz | 3 -
 openvswitch-3.1.7.tar.gz | 3 +
 openvswitch.changes | 63 +++++
 openvswitch.spec | 13 +-
 ovn-23.03.0.tar.gz | 3 -
 ovn-23.03.3.tar.gz | 3 +
 10 files changed, 212 insertions(+), 661 deletions(-)
 delete mode 100644 CVE-2023-1668.patch
 delete mode 100644 CVE-2023-3152.patch
 create mode 100644 CVE-2025-0650.patch
 delete mode 100644 openvswitch-3.1.0.tar.gz
 create mode 100644 openvswitch-3.1.7.tar.gz
 delete mode 100644 ovn-23.03.0.tar.gz
 create mode 100644 ovn-23.03.3.tar.gz
diff --git a/CVE-2023-1668.patch b/CVE-2023-1668.patch
deleted file mode 100644
index be960cc..0000000
--- a/CVE-2023-1668.patch
+++ /dev/null
@@ -1,517 +0,0 @@ -commit 9d840923d32124fe427de76e8234c49d64e4bb77 -Author: Aaron Conole -Date: Fri Mar 31 17:17:27 2023 -0400 - - ofproto-dpif-xlate: Always mask ip proto field. - - The ofproto layer currently treats nw_proto field as overloaded to mean - both that a proper nw layer exists, as well as the value contained in - the header for the nw proto. However, this is incorrect behavior as - relevant standards permit that any value, including '0' should be treated - as a valid value. - - Because of this overload, when the ofproto layer builds action list for - a packet with nw_proto of 0, it won't build the complete action list that - we expect to be built for the packet. That will cause a bad behavior - where all packets passing the datapath will fall into an incomplete - action set. - - The fix here is to unwildcard nw_proto, allowing us to preserve setting - actions for protocols which we know have support for the actions we - program. This means that a traffic which contains nw_proto == 0 cannot - cause connectivity breakage with other traffic on the link. - - Reported-by: David Marchand - Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873 - Acked-by: Ilya Maximets - Signed-off-by: Aaron Conole - 
Signed-off-by: Ilya Maximets - - -diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h -index 045dce8f5..3b0220aaa 100644 ---- a/include/openvswitch/meta-flow.h -+++ b/include/openvswitch/meta-flow.h -@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue *subvalue, struct ds *s); - void field_array_set(enum mf_field_id id, const union mf_value *, - struct field_array *); - -+/* Mask the required l3 prerequisites if a 'set' action occurs. */ -+void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *, -+ struct flow_wildcards *); -+ - #ifdef __cplusplus - } - #endif -diff --git a/lib/meta-flow.c b/lib/meta-flow.c -index c576ae620..474344194 100644 ---- a/lib/meta-flow.c -+++ b/lib/meta-flow.c -@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x) - bitmap_not(x.bm, MFF_N_IDS); - return x; - } -+ -+void -+mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl, -+ struct flow_wildcards *wc) -+{ -+ if (is_ip_any(fl) && -+ ((mf->id == MFF_IPV4_SRC) || -+ (mf->id == MFF_IPV4_DST) || -+ (mf->id == MFF_IPV6_SRC) || -+ (mf->id == MFF_IPV6_DST) || -+ (mf->id == MFF_IPV6_LABEL) || -+ (mf->id == MFF_IP_DSCP) || -+ (mf->id == MFF_IP_ECN) || -+ (mf->id == MFF_IP_TTL))) { -+ WC_MASK_FIELD(wc, nw_proto); -+ } else if ((fl->dl_type == htons(ETH_TYPE_ARP)) && -+ ((mf->id == MFF_ARP_OP) || -+ (mf->id == MFF_ARP_SHA) || -+ (mf->id == MFF_ARP_THA) || -+ (mf->id == MFF_ARP_SPA) || -+ (mf->id == MFF_ARP_TPA))) { -+ /* mask only the lower 8 bits. 
*/ -+ wc->masks.nw_proto = 0xff; -+ } -+} -diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c -index a9cf3cbee..cffd733c5 100644 ---- a/ofproto/ofproto-dpif-xlate.c -+++ b/ofproto/ofproto-dpif-xlate.c -@@ -5211,6 +5211,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct ofpact_cnt_ids *ids) - } - - ctx->wc->masks.nw_ttl = 0xff; -+ WC_MASK_FIELD(ctx->wc, nw_proto); - if (flow->nw_ttl > 1) { - flow->nw_ttl--; - return false; -@@ -7128,6 +7129,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - case OFPACT_SET_IPV4_SRC: - if (flow->dl_type == htons(ETH_TYPE_IP)) { - memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src); -+ WC_MASK_FIELD(wc, nw_proto); - flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4; - } - break; -@@ -7135,12 +7137,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - case OFPACT_SET_IPV4_DST: - if (flow->dl_type == htons(ETH_TYPE_IP)) { - memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst); -+ WC_MASK_FIELD(wc, nw_proto); - flow->nw_dst = ofpact_get_SET_IPV4_DST(a)->ipv4; - } - break; - - case OFPACT_SET_IP_DSCP: - if (is_ip_any(flow)) { -+ WC_MASK_FIELD(wc, nw_proto); - wc->masks.nw_tos |= IP_DSCP_MASK; - flow->nw_tos &= ~IP_DSCP_MASK; - flow->nw_tos |= ofpact_get_SET_IP_DSCP(a)->dscp; -@@ -7149,6 +7153,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - case OFPACT_SET_IP_ECN: - if (is_ip_any(flow)) { -+ WC_MASK_FIELD(wc, nw_proto); - wc->masks.nw_tos |= IP_ECN_MASK; - flow->nw_tos &= ~IP_ECN_MASK; - flow->nw_tos |= ofpact_get_SET_IP_ECN(a)->ecn; -@@ -7157,6 +7162,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - case OFPACT_SET_IP_TTL: - if (is_ip_any(flow)) { -+ WC_MASK_FIELD(wc, nw_proto); - wc->masks.nw_ttl = 0xff; - flow->nw_ttl = ofpact_get_SET_IP_TTL(a)->ttl; - } -@@ -7224,6 +7230,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - /* Set the field only if the packet actually has it. 
*/ - if (mf_are_prereqs_ok(mf, flow, wc)) { -+ mf_set_mask_l3_prereqs(mf, flow, wc); - mf_mask_field_masked(mf, ofpact_set_field_mask(set_field), wc); - mf_set_flow_value_masked(mf, set_field->value, - ofpact_set_field_mask(set_field), -@@ -7280,6 +7287,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - case OFPACT_DEC_TTL: - wc->masks.nw_ttl = 0xff; -+ WC_MASK_FIELD(wc, nw_proto); - if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) { - return; - } -diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at -index fa6111c1e..62291de4a 100644 ---- a/tests/ofproto-dpif.at -+++ b/tests/ofproto-dpif.at -@@ -849,7 +849,7 @@ table=2 ip actions=set_field:192.168.3.91->ip_src,output(11) - AT_CHECK([ovs-ofctl -O OpenFlow12 add-flows br0 flows.txt]) - AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=1,nw_tos=0,nw_ttl=128,nw_frag=no,icmp_type=8,icmp_code=0'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no -+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no - Datapath actions: 10,set(ipv4(src=192.168.3.91)),11,set(ipv4(src=192.168.3.90)),13 - ]) - OVS_VSWITCHD_STOP -@@ -912,7 +912,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds - # Must match on the source address to be able to restore it's value for - # the second bucket - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no -+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no - Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 - ]) - OVS_VSWITCHD_STOP -@@ -944,7 +944,7 @@ done - AT_CHECK([ovs-appctl dpctl/dump-flows | sed 's/dp_hash(.*\/0xf)/dp_hash(0xXXXX\/0xf)/' | sed 's/packets.*actions:/actions:/' | strip_ufid | strip_used | sort], [0], [dnl - 
flow-dump from the main thread: - recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:hash(sym_l4(0)),recirc(0x1) --recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 -+recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,proto=1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 - ]) - - OVS_VSWITCHD_STOP -@@ -959,7 +959,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds - # Must match on the source address to be able to restore it's value for - # the third bucket - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no -+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no - Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 - ]) - OVS_VSWITCHD_STOP -@@ -1536,17 +1536,17 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=2,frag=no)' -generate], [0], [stdout]) - AT_CHECK([tail -4 stdout], [0], [ - Final flow: ip,in_port=1,vlan_tci=0x0000,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=111,nw_tos=0,nw_ecn=0,nw_ttl=1,nw_frag=no --Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=2,nw_frag=no -+Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=2,nw_frag=no - Datapath actions: set(ipv4(ttl=1)),2,userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)),4 - ]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=3,frag=no)'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=3,nw_frag=no -+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=3,nw_frag=no - Datapath actions: set(ipv4(ttl=2)),2,set(ipv4(ttl=1)),3,4 - ]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x86dd),ipv6(src=::1,dst=::2,label=0,proto=10,tclass=0x70,hlimit=128,frag=no)'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_ttl=128,nw_frag=no -+ [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_proto=10,nw_ttl=128,nw_frag=no - Datapath actions: set(ipv6(hlimit=127)),2,set(ipv6(hlimit=126)),3,4 - ]) - -@@ -1656,7 +1656,7 @@ AT_CHECK([ovs-vsctl -- \ - --id=@q2 create Queue dscp=2], [0], [ignore]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(9),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=1.1.1.1,dst=2.2.2.2,proto=1,tos=0xff,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,skb_priority=0,eth,ip,in_port=9,nw_tos=252,nw_frag=no -+ [Megaflow: recirc_id=0,skb_priority=0,eth,icmp,in_port=9,nw_tos=252,nw_frag=no - Datapath actions: dnl - 100,dnl - set(ipv4(tos=0x4/0xfc)),set(skb_priority(0x1)),1,dnl -@@ -8777,12 +8777,12 @@ recirc_id(0),in_port(3),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), p - ]) - - AT_CHECK([ovs-appctl dpif/dump-flows -m br0 | strip_ufid | strip_used | sort], [0], [dnl 
--skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(p1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:05/00:00:00:00:00:00,dst=50:54:00:00:00:07/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.1/0.0.0.0,dst=192.168.0.2/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:0, bytes:0, used:never, actions:drop --skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(p2),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:07/00:00:00:00:00:00,dst=50:54:00:00:00:05/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.2/0.0.0.0,dst=192.168.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=0/0,code=0/0), packets:0, bytes:0, used:never, actions:drop -+recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(p1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:05/00:00:00:00:00:00,dst=50:54:00:00:00:07/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.1/0.0.0.0,dst=192.168.0.2/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:0, bytes:0, used:never, actions:drop -+recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(p2),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:07/00:00:00:00:00:00,dst=50:54:00:00:00:05/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.2/0.0.0.0,dst=192.168.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=0/0,code=0/0), packets:0, bytes:0, used:never, actions:drop - ]) - - AT_CHECK([ovs-appctl dpif/dump-flows -m br1 | strip_ufid | strip_used | sort], [0], [dnl 
--skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(p3),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.0.0.2/0.0.0.0,dst=10.0.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:0, bytes:0, used:never, actions:drop -+recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(p3),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.0.0.2/0.0.0.0,dst=10.0.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:0, bytes:0, used:never, actions:drop - ]) - - OVS_VSWITCHD_STOP -@@ -8942,10 +8942,10 @@ recirc_id(0),in_port(101),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), - ]) - - AT_CHECK([grep -e 'in_port(100).*packets:9' ovs-vswitchd.log | strip_ufid | filter_flow_dump], [0], [dnl --skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(100),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:05/00:00:00:00:00:00,dst=50:54:00:00:00:07/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.1/0.0.0.0,dst=192.168.0.2/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:9, bytes:954, used:0.0s, actions:101,3,2 -+recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(100),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:05/00:00:00:00:00:00,dst=50:54:00:00:00:07/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.1/0.0.0.0,dst=192.168.0.2/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:9, bytes:954, used:0.0s, actions:101,3,2 - ]) - AT_CHECK([grep -e 'in_port(101).*packets:4' ovs-vswitchd.log | strip_ufid | filter_flow_dump], [0], [dnl 
--skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(101),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:07/00:00:00:00:00:00,dst=50:54:00:00:00:05/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.2/0.0.0.0,dst=192.168.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:4, bytes:424, used:0.0s, actions:100,2,3 -+recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(101),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:07/00:00:00:00:00:00,dst=50:54:00:00:00:05/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.0.2/0.0.0.0,dst=192.168.0.1/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), packets:4, bytes:424, used:0.0s, actions:100,2,3 - ]) - - AT_CHECK([ovs-ofctl dump-ports br0 pbr0], [0], [dnl -@@ -9637,12 +9637,12 @@ table=0 in_port=1,ip,nw_dst=10.0.0.3 actions=drop - done - sleep 1 - AT_CHECK([strip_ufid < ovs-vswitchd.log | filter_flow_install | strip_used], [0], [dnl --skb_priority(0),skb_mark(0),ct_state(-new-est-rel-rpl-inv-trk-snat-dnat),ct_zone(0),ct_mark(0),ct_label(0),recirc_id(0),dp_hash(0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), actions:2 --skb_priority(0),skb_mark(0),ct_state(-new-est-rel-rpl-inv-trk-snat-dnat),ct_zone(0),ct_mark(0),ct_label(0),recirc_id(0),dp_hash(0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=10.0.0.4,dst=10.0.0.3,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), actions:drop 
-+recirc_id(0),dp_hash(0),skb_priority(0),in_port(1),skb_mark(0),ct_state(-new-est-rel-rpl-inv-trk-snat-dnat),ct_zone(0),ct_mark(0),ct_label(0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), actions:2 -+recirc_id(0),dp_hash(0),skb_priority(0),in_port(1),skb_mark(0),ct_state(-new-est-rel-rpl-inv-trk-snat-dnat),ct_zone(0),ct_mark(0),ct_label(0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=10.0.0.4,dst=10.0.0.3,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), actions:drop - ]) - AT_CHECK([strip_ufid < ovs-vswitchd.log | filter_flow_dump | grep 'packets:3'], [0], [dnl --skb_priority(0),skb_mark(0),ct_state(0/0xff),ct_zone(0),ct_mark(0),ct_label(0),recirc_id(0),dp_hash(0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), packets:3, bytes:318, used:0.0s, actions:2 --skb_priority(0),skb_mark(0),ct_state(0/0xff),ct_zone(0),ct_mark(0),ct_label(0),recirc_id(0),dp_hash(0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=10.0.0.4,dst=10.0.0.3,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), packets:3, bytes:318, used:0.0s, actions:drop -+recirc_id(0),dp_hash(0),skb_priority(0),in_port(1),skb_mark(0),ct_state(0/0xff),ct_zone(0),ct_mark(0),ct_label(0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), packets:3, bytes:318, used:0.0s, actions:2 
-+recirc_id(0),dp_hash(0),skb_priority(0),in_port(1),skb_mark(0),ct_state(0/0xff),ct_zone(0),ct_mark(0),ct_label(0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=10.0.0.4,dst=10.0.0.3,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0), packets:3, bytes:318, used:0.0s, actions:drop - ]) - OVS_VSWITCHD_STOP - AT_CLEANUP]) -@@ -10344,7 +10344,7 @@ recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x1234), packets:5, byte - ]) - - AT_CHECK([grep 'modify' ovs-vswitchd.log | strip_ufid ], [0], [dnl --dpif|DBG|dummy@ovs-dummy: put[[modify]] skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:push_vlan(vid=4,pcp=0),100 -+dpif|DBG|dummy@ovs-dummy: put[[modify]] recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:push_vlan(vid=4,pcp=0),100 - ]) - OVS_VSWITCHD_STOP - AT_CLEANUP -@@ -10425,8 +10425,8 @@ recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x8100),vlan(vid=99,pcp= - # are wildcarded. 
- AT_CHECK([grep '\(modify\)\|\(flow_add\)' ovs-vswitchd.log | strip_ufid ], [0], [dnl - dpif_netdev|DBG|flow_add: recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x1234), actions:100 --dpif|DBG|dummy@ovs-dummy: put[[modify]] skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:drop --dpif|DBG|dummy@ovs-dummy: put[[modify]] skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(1),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:100 -+dpif|DBG|dummy@ovs-dummy: put[[modify]] recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:drop -+dpif|DBG|dummy@ovs-dummy: put[[modify]] recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=50:54:00:00:00:09/00:00:00:00:00:00,dst=50:54:00:00:00:0a/00:00:00:00:00:00),eth_type(0x1234), actions:100 - dpif_netdev|DBG|flow_add: recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x8100),vlan(vid=99,pcp=7/0x0),encap(eth_type(0x1234)), actions:drop - ]) - OVS_VSWITCHD_STOP -@@ -10752,10 +10752,10 @@ AT_CHECK([ovs-appctl netdev-dummy/receive p2 'in_port(2),eth(src=50:54:00:00:00: - - - AT_CHECK([cat ovs-vswitchd.log | strip_ufid | filter_flow_install], [0], [dnl --ct_state(+new-est+trk),recirc_id(0x1),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:drop 
--ct_state(-new+est+trk),recirc_id(0x1),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no), actions:1 - recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no), actions:ct(commit),2 - recirc_id(0),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no), actions:ct,recirc(0x1) -+recirc_id(0x1),in_port(2),ct_state(+new-est+trk),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:drop -+recirc_id(0x1),in_port(2),ct_state(-new+est+trk),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no), actions:1 - ]) - - OVS_VSWITCHD_STOP -@@ -11161,9 +11161,9 @@ AT_CHECK([ovs-appctl netdev-dummy/receive p2 'in_port(2),eth(src=50:54:00:00:00: - ovs-appctl revalidator/wait - - AT_CHECK([cat ovs-vswitchd.log | strip_ufid | filter_flow_install], [0], [dnl --ct_state(+rpl+trk),ct_label(0x1),recirc_id(0x1),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:1 - recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=17,frag=no),udp(src=1), actions:ct(commit,label=0x1),2 - recirc_id(0),in_port(2),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:ct,recirc(0x1) -+recirc_id(0x1),in_port(2),ct_state(+rpl+trk),ct_label(0x1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:1 - ]) - - OVS_VSWITCHD_STOP -@@ -11884,7 +11884,7 @@ ovs-ofctl dump-flows br0 - - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.10.10.2,dst=10.10.10.1,proto=1,tos=1,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout]) - AT_CHECK([tail -3 stdout], [0], [dnl --Megaflow: recirc_id=0,eth,ip,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no -+Megaflow: recirc_id=0,eth,icmp,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no - Datapath actions: drop - Translation failed (Recursion too deep), packet is dropped. 
- ]) -diff --git a/tests/ofproto.at b/tests/ofproto.at -index a666bebca..2fa8486a8 100644 ---- a/tests/ofproto.at -+++ b/tests/ofproto.at -@@ -6538,3 +6538,185 @@ verify_deleted - - OVS_VSWITCHD_STOP(["/nw_dst,output=2 -+table=0 in_port=1 priority=83,ip,nw_dst=192.168.1.15,actions=set_field:192.168.21.26->nw_src,output=2 -+table=0 in_port=1 priority=82,ip,nw_dst=192.168.1.14,actions=set_field:0x40->nw_tos,output=2 -+table=0 in_port=1 priority=0,actions=drop -+]) -+AT_CHECK([ovs-ofctl del-flows br0]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+ -+dnl send a proto 0 packet to try and poison the DP flow path -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ -+ '5054000000075054000000050800450000548de140004000289fc0a801c4c0a8011408003bf60002001bbf080a640000000032ad010000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2 -+]) -+ -+dnl Send ICMP for mod nw_src and mod nw_dst -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.20,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will dec TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.10,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will mod TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.19,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will mod ECN -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.18,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will mod TOS -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.17,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will set DST -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.16,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will set SRC -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will set TOS -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.14,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.10,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=63)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.14,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.16,proto=1,frag=no), 
packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.26)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.17,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.18,proto=1,tos=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x2/0x3)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.19,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=8)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.20)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.21.26)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.20.21)),2 -+]) -+ -+OVS_VSWITCHD_STOP -+AT_CLEANUP -+ -+AT_SETUP([ofproto - implicit mask of ipv6 proto with HOPOPT field]) -+OVS_VSWITCHD_START -+add_of_ports br0 1 2 -+ -+AT_DATA([flows.txt], [dnl -+table=0 in_port=1 priority=77,ip6,ipv6_dst=111:db8::3,actions=dec_ttl,output=2 -+table=0 in_port=1 priority=76,ip6,ipv6_dst=111:db8::4,actions=mod_nw_ttl:8,output=2 -+table=0 in_port=1 priority=75,ip6,ipv6_dst=111:db8::5,actions=mod_nw_ecn:2,output=2 -+table=0 in_port=1 priority=74,ip6,ipv6_dst=111:db8::6,actions=mod_nw_tos:0x40,output=2 -+table=0 in_port=1 priority=73,ip6,ipv6_dst=111:db8::7,actions=set_field:2112:db8::2->ipv6_dst,output=2 -+table=0 in_port=1 
priority=72,ip6,ipv6_dst=111:db8::8,actions=set_field:2112:db8::3->ipv6_src,output=2 -+table=0 in_port=1 priority=72,ip6,ipv6_dst=111:db8::9,actions=set_field:44->ipv6_label,output=2 -+table=0 in_port=1 priority=0,actions=drop -+]) -+AT_CHECK([ovs-ofctl del-flows br0]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+ -+dnl send a proto 0 packet to try and poison the DP flow path -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=0,tclass=0,hlimit=64,frag=no)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) -+]) -+ -+dnl Send ICMP for mod nw_src and mod nw_dst -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::4,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will dec TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::5,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will mod TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::6,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will mod ECN 
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::7,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will mod TOS -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will set LABEL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::9,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=63)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::4,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=8)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::5,proto=1,tclass=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x2/0x3)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::6,proto=1,tclass=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x40/0xfc)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::7,proto=1,frag=no), packets:0, bytes:0, used:never, 
actions:set(ipv6(dst=2112:db8::2)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::9,label=0,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(label=0x2c)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(src=2112:db8::3)),2 -+]) -+ -+OVS_VSWITCHD_STOP -+AT_CLEANUP -+ -+AT_SETUP([ofproto - implicit mask of ARP OPer field]) -+OVS_VSWITCHD_START -+add_of_ports br0 1 2 -+ -+AT_DATA([flows.txt], [dnl -+table=0 in_port=1 priority=77,arp,arp_sha=00:01:02:03:04:06,actions=set_field:0x1->arp_op,2 -+table=0 in_port=1 priority=76,arp,arp_sha=00:01:02:03:04:07,actions=set_field:00:02:03:04:05:06->arp_sha,2 -+table=0 in_port=1 priority=75,arp,arp_sha=00:01:02:03:04:08,actions=set_field:ff:00:00:00:00:ff->arp_tha,2 -+table=0 in_port=1 priority=74,arp,arp_sha=00:01:02:03:04:09,actions=set_field:172.31.110.26->arp_spa,2 -+table=0 in_port=1 priority=73,arp,arp_sha=00:01:02:03:04:0a,actions=set_field:172.31.110.10->arp_tpa,2 -+table=0 in_port=1 priority=1,actions=drop -+]) -+ -+AT_CHECK([ovs-ofctl del-flows br0]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+ -+dnl Send op == 0 packet -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ -+ 'ffffffffffffaa55aa550000080600010800060400000001020304070c0a00010000000000000c0a0002']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2 -+]) -+ -+dnl Send op 2 -> set op -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=2,sha=00:01:02:03:04:06,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set SHA -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:07,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set THA -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set SIP -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:09,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set TIP -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a,tha=ff:ff:ff:ff:ff:ff)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=2,sha=00:01:02:03:04:06), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(sip=172.31.110.1,op=1,sha=00:01:02:03:04:09), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a), 
packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+]) -+ -+OVS_VSWITCHD_STOP -+AT_CLEANUP -diff --git a/tests/packet-type-aware.at b/tests/packet-type-aware.at -index 3b5c66fe5..d63528e69 100644 ---- a/tests/packet-type-aware.at -+++ b/tests/packet-type-aware.at -@@ -1021,7 +1021,7 @@ AT_CHECK([ - ], [0], [flow-dump from the main thread: - recirc_id(0),in_port(p0),packet_type(ns=0,id=0),eth(src=aa:bb:cc:00:00:02,dst=aa:bb:cc:00:00:01),eth_type(0x0800),ipv4(dst=20.0.0.1,proto=47,frag=no), packets:3, bytes:378, used:0.0s, actions:tnl_pop(gre_sys) - tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0),in_port(gre_sys),packet_type(ns=1,id=0x8847),eth_type(0x8847),mpls(label=999/0x0,tc=0/0,ttl=64/0x0,bos=1/1), packets:3, bytes:264, used:0.0s, actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),pop_mpls(eth_type=0x800),recirc(0x1) --tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br -+tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=1,ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br - ]) - - ovs-appctl time/warp 1000 diff --git a/CVE-2023-3152.patch b/CVE-2023-3152.patch deleted file mode 100644 index c6dcd1a..0000000 --- a/CVE-2023-3152.patch +++ /dev/null @@ -1,121 +0,0 @@ -commit 9a3f7ed905e525ebdcb14541e775211cbb0203bd -Author: Ales Musil -Date: Wed Jul 12 07:12:29 2023 +0200 - - northd, controller: Add CoPP for SVC monitor - - The SVC monitor was exposed without any limitation. - Add CoPP for the SVC monitor flow, which adds a way - for CMSs to limit the traffic that this flow accepts. - - 
Signed-off-by: Ales Musil - -diff --git a/lib/copp.c b/lib/copp.c -index 603e3f5bf..11dd9029d 100644 ---- a/lib/copp.c -+++ b/lib/copp.c -@@ -38,6 +38,7 @@ static char *copp_proto_names[COPP_PROTO_MAX] = { - [COPP_ND_RA_OPTS] = "nd-ra-opts", - [COPP_TCP_RESET] = "tcp-reset", - [COPP_REJECT] = "reject", -+ [COPP_SVC_MONITOR] = "svc-monitor", - [COPP_BFD] = "bfd", - }; - -diff --git a/lib/copp.h b/lib/copp.h -index f03004aa6..b99737220 100644 ---- a/lib/copp.h -+++ b/lib/copp.h -@@ -37,6 +37,7 @@ enum copp_proto { - COPP_TCP_RESET, - COPP_BFD, - COPP_REJECT, -+ COPP_SVC_MONITOR, - COPP_PROTO_MAX, - COPP_PROTO_INVALID = COPP_PROTO_MAX, - }; -diff --git a/northd/northd.c b/northd/northd.c -index 7ad4cdfad..1e05b8f22 100644 ---- a/northd/northd.c -+++ b/northd/northd.c -@@ -8876,9 +8876,11 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od, - { - if (od->nbs) { - -- ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110, -- "eth.dst == $svc_monitor_mac", -- "handle_svc_check(inport);"); -+ ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 110, "eth.dst == " -+ "$svc_monitor_mac && (tcp || icmp || icmp6)", -+ "handle_svc_check(inport);", -+ copp_meter_get(COPP_SVC_MONITOR, od->nbs->copp, -+ meter_groups)); - - struct mcast_switch_info *mcast_sw_info = &od->mcast_info.sw; - -diff --git a/ovn-nb.xml b/ovn-nb.xml -index 35acda107..59ac42dbd 100644 ---- a/ovn-nb.xml -+++ b/ovn-nb.xml -@@ -466,6 +466,10 @@ - - Rate limiting meter for packets that trigger a reject action - -+ -+ Rate limiting meter for packets that are arriving to service -+ monitor MAC address. -+ - - See External IDs at the beginning of this document. 
- -diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at -index b8376991b..70350a781 100644 ---- a/tests/ovn-northd.at -+++ b/tests/ovn-northd.at -@@ -3544,7 +3544,7 @@ AT_CHECK([ovn-sbctl list logical_flow | grep trigger_event -A 2 | grep -q meter0 - - # let's try to add an usupported protocol "dhcp" - AT_CHECK([ovn-nbctl --wait=hv copp-add copp5 dhcp meter1],[1],[],[dnl --ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject. -+ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject, svc-monitor. - ]) - - #Let's try to add a valid protocol to an unknown datapath -diff --git a/tests/system-ovn.at b/tests/system-ovn.at -index f8131b90e..7c009e157 100644 ---- a/tests/system-ovn.at -+++ b/tests/system-ovn.at -@@ -7282,6 +7282,23 @@ OVS_WAIT_UNTIL([ - ]) - kill $(pidof tcpdump) - -+check ovn-nbctl set nb_global . 
options:svc_monitor_mac="33:33:33:33:33:33" -+check ovn-nbctl meter-add svc-meter drop 1 pktps 0 -+check ovn-nbctl --wait=hv copp-add copp4 svc-monitor svc-meter -+check ovn-nbctl --wait=hv ls-copp-add copp4 sw0 -+check ovn-appctl -t ovn-controller vlog/set vconn:dbg -+AT_CHECK([ovn-nbctl copp-list copp4], [0], [dnl -+svc-monitor: svc-meter -+]) -+ -+ip netns exec sw01 scapy -H <<-EOF -+p = Ether(dst="33:33:33:33:33:33", src="f0:00:00:01:02:03") /\ -+ IP(dst="192.168.1.100", src="192.168.1.2") / TCP(dport=1234, sport=1234) -+sendp(p, iface='sw01', loop=0, verbose=0, count=20) -+EOF -+ -+OVS_WAIT_UNTIL([test "1" = "$(grep -c "dl_dst=33:33:33:33:33:33" ovn-controller.log)"]) -+ - kill $(pidof ovn-controller) - - as ovn-sb -@@ -7295,7 +7312,8 @@ OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE]) - - as - OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d --/.*terminating with signal 15.*/d"]) -+/.*terminating with signal 15.*/d -+/.*Service monitor not found/d"]) - - AT_CLEANUP - ]) diff --git a/CVE-2025-0650.patch b/CVE-2025-0650.patch new file mode 100644 index 0000000..568d0cc --- /dev/null +++ b/CVE-2025-0650.patch 
@@ -0,0 +1,129 @@
+From 70efac04ab3034e729e6d42c2c2d7f5687f98fb2 Mon Sep 17 00:00:00 2001
+From: Clemens Famulla-Conrad
+Date: Tue, 18 Nov 2025 12:12:28 +0100
+Subject: [PATCH] bsc#1236353 (CVE-2025-0650) ovn: egress ACLs may be bypassed
+via specially crafted UDP packet
+Reference: bsc#1236353
+Upstream: 4140fead049ecef6a6b0f90e74f5de7d5a40fd5d
+
+Backported upstream fix 4140fead0 without tests.
+
+---
+
+[PATCH 1/1] Skip only OVN DNS responder packets from OUT_ACL.
+
+When OVN's DNS caching feature is enabled, due to the OpenFlow rules
+that OVN installs in Open vSwitch, it is possible for an attacker to
+craft a UDP packet that can bypass egress ACL rules configured on the
+same switch that has DNS caching configured.
+
+This patch fixes the issue by setting a register bit when OVN's DNS
+responder replies to an incoming request. Then the flow that allows
+egress ACL bypass only applies to packets that have this register bit
+set. This gives the intended effect of allowing internally-generated DNS
+responses to not be blocked by user-defined ACLs without potentially
+compromising the security of the switch.
+
+Signed-off-by: Numan Siddique
+Signed-off-by: Mark Michelson
+Acked-by: Dumitru Ceara
+
+---
+ controller/pinctrl.c | 27 +++++++++++++++++++++++++++
+ include/ovn/logical-fields.h | 1 +
+ lib/logical-fields.c | 3 +++
+ northd/northd.c | 3 ++-
+ 4 files changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/controller/pinctrl.c b/controller/pinctrl.c
+index 633b73d6a..1e08bb6b9 100644
+--- a/controller/pinctrl.c
++++ b/controller/pinctrl.c
+@@ -383,6 +383,8 @@ static void pinctrl_handle_put_fdb(const struct flow *md,
+ const struct flow *headers)
+ OVS_REQUIRES(pinctrl_mutex);
+
++static void set_from_ctrl_flag_in_pkt_metadata(struct ofputil_packet_in *);
++
+ COVERAGE_DEFINE(pinctrl_drop_put_mac_binding);
+ COVERAGE_DEFINE(pinctrl_drop_buffered_packets_map);
+ COVERAGE_DEFINE(pinctrl_drop_controller_event);
+@@ -3203,6 +3205,10 @@ exit:
+ union mf_subvalue sv;
+ sv.u8_val = success;
+ mf_write_subfield(&dst, &sv, &pin->flow_metadata);
++
++ /* Indicate that this packet is from ovn-controller. */
++ set_from_ctrl_flag_in_pkt_metadata(pin);
++
+ }
+ queue_msg(swconn, ofputil_encode_resume(pin, continuation, proto));
+ dp_packet_uninit(pkt_out_ptr);
+@@ -8366,3 +8372,24 @@ pinctrl_handle_put_fdb(const struct flow *md, const struct flow *headers)
+ ovn_fdb_add(&put_fdbs, dp_key, headers->dl_src, port_key);
+ notify_pinctrl_main();
+ }
++
++/* This function sets the register bit 'MLF_FROM_CTRL_BIT'
++ * in the register 'MFF_LOG_FLAGS' to indicate that this packet
++ * is generated/sent by ovn-controller.
++ * ovn-northd can add logical flows to match on "flags.from_ctrl".
++ */
++static void
++set_from_ctrl_flag_in_pkt_metadata(struct ofputil_packet_in *pin)
++{
++ const struct mf_field *f = mf_from_id(MFF_LOG_FLAGS);
++
++ struct mf_subfield dst = {
++ .field = f,
++ .ofs = MLF_FROM_CTRL_BIT,
++ .n_bits = 1,
++ };
++
++ union mf_subvalue sv;
++ sv.u8_val = 1;
++ mf_write_subfield(&dst, &sv, &pin->flow_metadata);
++}
+diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
+index 272277ec4..2770705e3 100644
+--- a/include/ovn/logical-fields.h
++++ b/include/ovn/logical-fields.h
+@@ -78,6 +78,7 @@ enum mff_log_flags_bits {
+ MLF_LOOKUP_COMMIT_ECMP_NH_BIT = 13,
+ MLF_USE_LB_AFF_SESSION_BIT = 14,
+ MLF_LOCALNET_BIT = 15,
++ MLF_FROM_CTRL_BIT = 16,
+ };
+
+ /* MFF_LOG_FLAGS_REG flag assignments */
+diff --git a/lib/logical-fields.c b/lib/logical-fields.c
+index 7a1e66d0a..4069e6a82 100644
+--- a/lib/logical-fields.c
++++ b/lib/logical-fields.c
+@@ -134,6 +134,9 @@ ovn_init_symtab(struct shash *symtab)
+ expr_symtab_add_subfield(symtab, "flags.localnet", NULL,
+ flags_str);
+
++ snprintf(flags_str, sizeof flags_str, "flags[%d]", MLF_FROM_CTRL_BIT);
++ expr_symtab_add_subfield(symtab, "flags.from_ctrl", NULL, flags_str);
++
+ /* Connection tracking state. */
+ expr_symtab_add_field_scoped(symtab, "ct_mark", MFF_CT_MARK, NULL, false,
+ WR_CT_COMMIT);
+diff --git a/northd/northd.c b/northd/northd.c
+index 39b5d5ccb..dc67779f9 100644
+--- a/northd/northd.c
++++ b/northd/northd.c
+@@ -6979,7 +6979,8 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features,
+ if (ls_has_dns_records(od->nbs)) {
+ const char *dns_actions = has_stateful ? "ct_commit; next;" : "next;";
+ ovn_lflow_add(
+- lflows, od, S_SWITCH_OUT_ACL, 34000, "udp.src == 53",
++ lflows, od, S_SWITCH_OUT_ACL, 34000,
++ "flags.from_ctrl && udp.src == 53",
+ dns_actions);
+ }
+
+--
+2.51.0
+
diff --git a/install-ovsdb-tools.patch b/install-ovsdb-tools.patch
index 04ebf79..ae235f0 100644
--- a/install-ovsdb-tools.patch
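Review bot: The backport explicitly drops the upstream tests (`Backported upstream fix 4140fead0 without tests.`), so nothing in this package exercises the new match `"flags.from_ctrl && udp.src == 53"` in build_acls or the flag written at the `exit:` label in pinctrl.c; at minimum the ovn-northd lflow expectation for the priority-34000 S_SWITCH_OUT_ACL flow should be carried over so a later rebase cannot silently fall back to the unconditioned `"udp.src == 53"` match. The pinctrl.c hunk at `@@ -3203,6 +3205,10 @@ exit:` sets the flag only inside the brace block that already writes the `success` subfield, and the enclosing function starts and ends outside the hunk, so whether a DNS reply can be resumed through any other path of that function without the flag is not visible here and is worth confirming against upstream 4140fead049ecef6a6b0f90e74f5de7d5a40fd5d. In include/ovn/logical-fields.h the hunk adds `MLF_FROM_CTRL_BIT = 16,` but leaves the `/* MFF_LOG_FLAGS_REG flag assignments */` section untouched; if that section keeps a `(1 << MLF_*_BIT)` mask per bit, a matching entry is needed, and a short comment on the enum line such as `MLF_FROM_CTRL_BIT = 16, /* packet was generated by ovn-controller */` would document the bit where the others are read.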
+++ b/install-ovsdb-tools.patch @@ -1,8 +1,6 @@ -diff --git a/ovsdb/automake.mk b/ovsdb/automake.mk -index eba713bb6..f1c40d019 100644 ---- a/ovsdb/automake.mk -+++ b/ovsdb/automake.mk -@@ -88,8 +88,9 @@ CLEANFILES += ovsdb/ovsdb-server.1 +--- openvswitch-3.1.7.orig/ovsdb/automake.mk ++++ openvswitch-3.1.7/ovsdb/automake.mk +@@ -88,8 +88,9 @@ MAN_ROOTS += ovsdb/ovsdb-server.1.in # ovsdb-idlc @@ -13,23 +11,25 @@ index eba713bb6..f1c40d019 100644 MAN_ROOTS += ovsdb/ovsdb-idlc.1 CLEANFILES += ovsdb/ovsdb-idlc SUFFIXES += .ovsidl .ovsschema -@@ -112,14 +113,18 @@ CLEANFILES += $(OVSIDL_BUILT) +@@ -112,7 +113,12 @@ # at least for now. $(OVSIDL_BUILT): ovsdb/ovsdb-idlc.in python/ovs/dirs.py +# Some internal tools, but installed for e.g. depending projects like OVN +ovsdbdir = $(pkgdatadir)/ovsdb +ovsdb_SCRIPTS = ++ # ovsdb-doc +ovsdb_SCRIPTS += ovsdb/ovsdb-doc EXTRA_DIST += ovsdb/ovsdb-doc + FLAKE8_PYFILES += ovsdb/ovsdb-doc OVSDB_DOC = $(run_python) $(srcdir)/ovsdb/ovsdb-doc - ovsdb/ovsdb-doc: python/ovs/dirs.py - +@@ -121,7 +127,7 @@ # ovsdb-dot EXTRA_DIST += ovsdb/ovsdb-dot.in ovsdb/dot2pic + FLAKE8_PYFILES += ovsdb/ovsdb-dot.in ovsdb/dot2pic -noinst_SCRIPTS += ovsdb/ovsdb-dot +ovsdb_SCRIPTS += ovsdb/ovsdb-dot CLEANFILES += ovsdb/ovsdb-dot OVSDB_DOT = $(run_python) $(srcdir)/ovsdb/ovsdb-dot.in - + diff --git a/openvswitch-3.1.0.tar.gz b/openvswitch-3.1.0.tar.gz deleted file mode 100644 index e5d2aa7..0000000 --- a/openvswitch-3.1.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2bdda56970e324107b7a7c9f178d928024bd6603cfd86f71959bec0ed0d1c4bb -size 7836227 diff --git a/openvswitch-3.1.7.tar.gz b/openvswitch-3.1.7.tar.gz new file mode 100644 index 0000000..a62e2c5 --- /dev/null +++ b/openvswitch-3.1.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e45de5a48324467f1a9ef90265d6afcf08acea9a8c1357addcecde472c990f3f +size 8123364 
diff --git a/openvswitch.changes b/openvswitch.changes index b04aa40..2b066ce 100644 --- a/openvswitch.changes +++ b/openvswitch.changes 
@@ -1,3 +1,66 @@ +------------------------------------------------------------------- +Wed Nov 26 13:56:48 UTC 2025 - Clemens Famulla-Conrad + +- OpenvSwitch upstream bugfix updates: + * https://www.openvswitch.org/releases/NEWS-3.1.7.txt + * v3.1.7 + - Bug fixes + - OVS validated with DPDK 22.11.7. + * v3.1.6 + - Bug fixes + - OVS validated with DPDK 22.11.6. + * v3.1.5 + - Bug fixes + - OVS validated with DPDK 22.11.5. + * v3.1.4 + - Bug fixes + - Fixed vulnerabilities CVE-2023-3966 (bsc#1219465) + and CVE-2023-5366 (bsc#1216002). + - OVS validated with DPDK 22.11.4. + * v3.1.3 + - Bug fixes + * v3.1.2 + - Bug fixes + * v3.1.1 + - Bug fixes + - Fixed vulnerability CVE-2023-1668 (bsc#1210054) + - Remove included patches: + CVE-2023-1668.patch +- OVN upstream bugfix updates: + * https://github.com/ovn-org/ovn/blob/branch-23.03/NEWS + - Fix CVE-2025-0650 (bsc#1236353) ovn: egress ACLs may be bypassed + via specially crafted UDP packet (CVE-2025-0650.patch) + * v23.03.3 + - Bug fixes + - Add "garp-max-timeout-sec" config option to vswitchd external-ids to + cap the time between when ovn-controller sends gARP packets. + - Security: Fixed vulnerability CVE-2024-2182 (bsc#1255435). + - Updated patches + install-ovsdb-tools.patch + * v23.03.2 + - Bug fixes + * v23.03.1 + - Bug fixes + - CT entries are not flushed by default anymore whenever a load balancer + backend is removed. A new, per-LB, option 'ct_flush' can be used to + restore the previous behavior. Disabled by default. + - Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast + Listener Discovery protocols, regardless of ACLs defined. + - Send ICMP Fragmentation Needed packets back to offending ports when + communicating with multichassis ports using frames that don't fit through a + tunnel. 
This is done only for logical switches that are attached to a + physical network via a localnet port, in which case multichassis ports may + have an effective MTU different from regular ports and hence may need this + mechanism to maintain connectivity with other peers in the network. + - ECMP routes use L4_SYM dp-hash by default if the datapath supports it. + Existing sessions might get re-hashed to a different ECMP path when + OVN detects the algorithm support in the datapath during an upgrade + or restart of ovn-controller. + - Add CoPP for the svc_monitor_mac. This addresses CVE-2023-3153 + (bsc#1212125). + - Remove included patches: + CVE-2023-3152.patch + ------------------------------------------------------------------- Thu Dec 14 11:55:19 UTC 2023 - Dirk Müller diff --git a/openvswitch.spec b/openvswitch.spec index 74a1f5a..8e11062 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -1,7 +1,7 @@ # # spec file for package openvswitch # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,8 +20,8 @@ %define skip_python2 1 %define ovs_lname libopenvswitch-3_1-0 %define ovn_lname libovn-23_03-0 -%define ovs_version 3.1.0 -%define ovn_version 23.03.0 +%define ovs_version 3.1.7 +%define ovn_version 23.03.3 %define ovs_dir ovs-%{ovs_version} %define ovn_dir ovn-%{ovn_version} %define rpmstate %{_rundir}/openvswitch-rpm-state- 
@@ -77,13 +77,11 @@ Patch2: 0001-Don-t-change-permissions-of-dev-hugepages.patch Patch3: 0001-Use-double-hash-for-OVS_USER_ID-comment.patch # PATCH-FEATURE-UPSTREAM install-ovsdb-tools.patch -- Install some tools required for building OVN Patch4: install-ovsdb-tools.patch -# PATCH-FIX-UPSTREAM CVE-2023-1668.patch -Patch5: CVE-2023-1668.patch #OVN patches # PATCH-FIX-OPENSUSE: 0001-Run-ovn-as-openvswitch-openvswitch.patch Patch20: 0001-Run-ovn-as-openvswitch-openvswitch.patch -# PATCH-FIX-UPSTREAM CVE-2023-3152 [bsc#1212125] -- service monitor MAC flow is not rate limited -Patch21: CVE-2023-3152.patch +# PATCH-FIX-UPSTREAM bsc#1236353 (CVE-2025-0650) ovn: egress ACLs may be bypassed via specially crafted UDP packet +Patch21: CVE-2025-0650.patch # CVE-2021-36980 [bsc#1188524], use-after-free in decode_NXAST_RAW_ENCAP BuildRequires: autoconf BuildRequires: %{python_module setuptools} @@ -418,7 +416,6 @@ Devel libraries and headers for Open Virtual Network. %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 # remove python/ovs/dirs.py - this is generated from template to have proper paths rm python/ovs/dirs.py cd %{ovn_dir} diff --git a/ovn-23.03.0.tar.gz b/ovn-23.03.0.tar.gz deleted file mode 100644 index acfc511..0000000 --- a/ovn-23.03.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6c351ef0b1b0a19594c2d9b3cd541da1c6aab6606b371504ba46da75b3a09e30 -size 1955554 diff --git a/ovn-23.03.3.tar.gz b/ovn-23.03.3.tar.gz new file mode 100644 index 0000000..ed4d783 --- /dev/null +++ b/ovn-23.03.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5dc7237420ee65851ece4e9159efef26d418144ef0b8860b68936abd3d7995f5 +size 1993987
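Review bot: `Patch21: CVE-2025-0650.patch` reuses the slot of the removed CVE-2023-3152.patch, but the `%prep` hunk at `@@ -418,7 +416,6 @@` only drops `%patch5 -p1`; the `%patch21` application in the `%{ovn_dir}` section is outside the hunk, so confirm it is still present and that its `-p` strip level matches the new patch's `a/controller/pinctrl.c` paths. The new comment `# PATCH-FIX-UPSTREAM bsc#1236353 (CVE-2025-0650) ovn: ...` uses a different layout than the sibling `# PATCH-FIX-UPSTREAM CVE-... [bsc#...] -- description` lines; `# PATCH-FIX-UPSTREAM CVE-2025-0650 [bsc#1236353] -- ovn: egress ACLs may be bypassed via specially crafted UDP packet` would keep the file greppable by one convention. Separately, the changelog in this commit attributes bsc#1212125 to CVE-2023-3153 while the patch being dropped here was named CVE-2023-3152, so the two identifiers should be reconciled in whichever one is wrong.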