Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hello release team,

a nasty bug made it into the Debian 10 ("buster") version of softflowd, and I'd like to fix that in a stable point release.

Due to a broken flow aggregation, the flow table might overflow, resulting in forced flow expiration. Which, as I was told, can lead to constant 100% CPU usage of the softflowd process. Another effect is that the resulting flow files captured by nfcapd(1) (from the nfdump package) are way bigger than before the upgrade, and nfcapd is creating a lot of noise in the syslog as well.

This was fixed upstream although not quite in an obvious way - thanks to bisecting this wasn't a big problem anyway. According to tests done by the reporter the fix ended the massive CPU usage, for the other effects I can confirm the desired behaviour as seen in the previous Debian 9 ("stretch") version is restored as well.

For the next stable point release, version 0.9.9-5+deb10u1 was already uploaded to the applicable queue.

Suggested one-line description: Fix broken netflow aggregation

Regards,

Christoph

-- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.19 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru softflowd-0.9.9/debian/changelog softflowd-0.9.9/debian/changelog --- softflowd-0.9.9/debian/changelog 2018-10-26 17:10:09.000000000 +0200 +++ softflowd-0.9.9/debian/changelog 2019-12-05 00:21:02.000000000 +0100 @@ -1,3 +1,10 @@ +softflowd (0.9.9-5+deb10u1) buster; urgency=medium + + * Fix roken flow aggregation which might result in flow table overflow + and 100% CPU usage. + + -- Christoph Biedl <debian.a...@manchmal.in-ulm.de> Thu, 05 Dec 2019 00:21:02 +0100 + softflowd (0.9.9-5) unstable; urgency=high * Don't migrate legacy config if it wasn't modified. Closes: #910214 diff -Nru softflowd-0.9.9/debian/patches/cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch softflowd-0.9.9/debian/patches/cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch --- softflowd-0.9.9/debian/patches/cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch 1970-01-01 01:00:00.000000000 +0100 +++ softflowd-0.9.9/debian/patches/cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch 2019-12-05 00:21:02.000000000 +0100 
@@ -0,0 +1,68 @@ +Subject: [ Add option "-a" for reading pcap file and ] fix some bugs +Origin: softflowd-0.9.9-22-ge6d29a1 <https://github.com/irino/softflowd/commit/e6d29a1> +Upstream-Author: Hitoshi Irino <ir...@sfc.wide.ad.jp> +Date: Sun May 26 23:00:41 2019 +0900 +Comment: Fixes a regression introduced in buster: The flow aggregation + is broken, causing a new flow to generated for virtually each packet. + If the daemon sees a lot of traffic, the flow table might overflow, + resulting in forced expiration and 100% CPU usage. + . + Thanks Johanna Jerzembeck for reporting and testing. + + - fix flow_compare for comparing vlan and ether + [ - fix missing sequence in netflow v9 ] + + +--- a/softflowd.c ++++ b/softflowd.c +@@ -55,6 +55,8 @@ + static int verbose_flag = 0; /* Debugging flag */ + static u_int16_t if_index = 0; /* "manual" interface index */ + ++static int track_level; ++ + /* Signal handler flags */ + static volatile sig_atomic_t graceful_shutdown_request = 0; + +@@ -144,15 +146,21 @@ + { + /* Be careful to avoid signed vs unsigned issues here */ + int r; ++ if (track_level == TRACK_FULL_VLAN || track_level == TRACK_FULL_VLAN_ETHER) { ++ if (a->vlanid[0] != b->vlanid[0]) ++ return (a->vlanid[0] > b->vlanid[0] ? 1 : -1); ++ ++ if (a->vlanid[1] != b->vlanid[1]) ++ return (a->vlanid[1] > b->vlanid[1] ? 1 : -1); ++ } + +- if (a->vlanid != b->vlanid) +- return (a->vlanid > b->vlanid ? 1 : -1); +- ++ if (track_level == TRACK_FULL_VLAN_ETHER) { + if ((r = memcmp(&a->ethermac[0], &b->ethermac[0], 6)) != 0) + return (r > 0 ? 1 : -1); + + if ((r = memcmp(&a->ethermac[1], &b->ethermac[1], 6)) != 0) + return (r > 0 ? 1 : -1); ++ } + + if (a->af != b->af) + return (a->af > b->af ? 
1 : -1); +@@ -1526,7 +1534,7 @@ + + ft->param.max_flows = DEFAULT_MAX_FLOWS; + +- ft->param.track_level = TRACK_FULL; ++ track_level = ft->param.track_level = TRACK_FULL; + + ft->param.tcp_timeout = DEFAULT_TCP_TIMEOUT; + ft->param.tcp_rst_timeout = DEFAULT_TCP_RST_TIMEOUT; +@@ -1882,6 +1890,7 @@ + usage(); + exit(1); + } ++ track_level = flowtrack.param.track_level; + break; + case 'L': + hoplimit = atoi(optarg); diff -Nru softflowd-0.9.9/debian/patches/series softflowd-0.9.9/debian/patches/series --- softflowd-0.9.9/debian/patches/series 2018-09-14 19:40:33.000000000 +0200 +++ softflowd-0.9.9/debian/patches/series 2019-12-05 00:21:02.000000000 +0100 @@ -14,3 +14,4 @@ cherry-pick.softflowd-0.9.9-13-g49c039a.added-define-default-source-line-to-avoid-warning-in-linux.patch cherry-pick.softflowd-0.9.9-14-g8a47e87.adding-current-repository-information-in-readme.patch cherry-pick.softflowd-0.9.9-16-gbbd0685.add-check-of-the-length-of-string-for-i-interface-option.patch +cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch
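
Review bot: In the debian/changelog hunk the new entry reads "Fix roken flow aggregation"; that should be "broken", and the changelog text is what users see for the point release. The entry also has no "Closes:" reference, unlike the 0.9.9-5 entry right below it ("Closes: #910214"); if the regression has a bug number, cite it there.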
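
Review bot: In the softflowd.c part of the new cherry-pick patch, flow_compare() now reads the new file-scope "static int track_level;", which is assigned only at the two sites shown (the default in the "@@ -1526" hunk and the option-parsing case in the "@@ -1882" hunk), so any other write to param.track_level would leave the comparator using a stale value. A comment on the declaration saying that it mirrors ft->param.track_level for the comparator would document that dependency. The patch header's Comment field also says "causing a new flow to generated", which is missing "be".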