On 2023-04-11 12:30:16 +0200, Thomas Goirand wrote:
> Hi,
>
> I would very much prefer to upload the latest point release from upstream,
> however, if the release team prefers, here's a debdiff, attached to this
> message, containing a more targeted fix.
>
> Note that the debdiff contains a "quilt refresh" of the ovs-ctl-ipsec.patch
> already present in Bookworm, as I saw offsets when doing "quilt push" (which
> may be annoying depending on your build env). Not sure (because uploaded by
> Luca) how it got in.
>
> Please let me know your decision (ie: latest point release from upstream or
> this patch).
Until somebody has the time to look at the larger diff, I'd propose to upload the fix now and then worry about the upstream point release. Cheers > > Cheers, > > Thomas Goirand (zigo) > diff -Nru openvswitch-3.1.0/debian/changelog > openvswitch-3.1.0/debian/changelog > --- openvswitch-3.1.0/debian/changelog 2023-02-21 23:02:16.000000000 > +0100 > +++ openvswitch-3.1.0/debian/changelog 2023-04-11 11:54:40.000000000 > +0200 > @@ -1,3 +1,11 @@ > +openvswitch (3.1.0-2) unstable; urgency=high > + > + * CVE-2023-1668: Remote traffic denial of service via crafted packets with > IP > + proto 0. Applied upstream patch: ofproto-dpif-xlate: Always mask ip proto > + field (Closes: #1034042). > + > + -- Thomas Goirand <z...@debian.org> Tue, 11 Apr 2023 11:54:40 +0200 > + > openvswitch (3.1.0-1) unstable; urgency=medium > > [ Luca Boccassi ] > diff -Nru > openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch > > openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch > --- > openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch > 2023-04-11 11:54:40.000000000 +0200 
> @@ -0,0 +1,425 @@ > +Subject: CVE-2023-1668: ofproto-dpif-xlate: Always mask ip proto field. > + The ofproto layer currently treats nw_proto field as overloaded to mean > + both that a proper nw layer exists, as well as the value contained in > + the header for the nw proto. However, this is incorrect behavior as > + relevant standards permit that any value, including '0' should be treated > + as a valid value. > + . > + Because of this overload, when the ofproto layer builds action list for > + a packet with nw_proto of 0, it won't build the complete action list that > + we expect to be built for the packet. That will cause a bad behavior > + where all packets passing the datapath will fall into an incomplete > + action set. > + . > + The fix here is to unwildcard nw_proto, allowing us to preserve setting > + actions for protocols which we know have support for the actions we > + program. This means that a traffic which contains nw_proto == 0 cannot > + cause connectivity breakage with other traffic on the link. 
> +Author: Aaron Conole <acon...@redhat.com> > +Date: Fri, 31 Mar 2023 17:17:27 -0400 > +Reported-by: David Marchand <dmarch...@redhat.com> > +Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873 > +Acked-by: Ilya Maximets <i.maxim...@ovn.org> > +Signed-off-by: Aaron Conole <acon...@redhat.com> > +Signed-off-by: Ilya Maximets <i.maxim...@ovn.org> > +Origin: upstream, > https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9.patch > +Bug-Debian: https://bugs.debian.org/1034042 > +Last-Update: 2023-04-11 > + > +diff --git a/include/openvswitch/meta-flow.h > b/include/openvswitch/meta-flow.h > +index 045dce8f5fa..3b0220aaa25 100644 > +--- a/include/openvswitch/meta-flow.h > ++++ b/include/openvswitch/meta-flow.h > +@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue > *subvalue, struct ds *s); > + void field_array_set(enum mf_field_id id, const union mf_value *, > + struct field_array *); > + > ++/* Mask the required l3 prerequisites if a 'set' action occurs. 
*/ > ++void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *, > ++ struct flow_wildcards *); > ++ > + #ifdef __cplusplus > + } > + #endif > +diff --git a/lib/meta-flow.c b/lib/meta-flow.c > +index c576ae6202a..474344194fa 100644 > +--- a/lib/meta-flow.c > ++++ b/lib/meta-flow.c > +@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x) > + bitmap_not(x.bm, MFF_N_IDS); > + return x; > + } > ++ > ++void > ++mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl, > ++ struct flow_wildcards *wc) > ++{ > ++ if (is_ip_any(fl) && > ++ ((mf->id == MFF_IPV4_SRC) || > ++ (mf->id == MFF_IPV4_DST) || > ++ (mf->id == MFF_IPV6_SRC) || > ++ (mf->id == MFF_IPV6_DST) || > ++ (mf->id == MFF_IPV6_LABEL) || > ++ (mf->id == MFF_IP_DSCP) || > ++ (mf->id == MFF_IP_ECN) || > ++ (mf->id == MFF_IP_TTL))) { > ++ WC_MASK_FIELD(wc, nw_proto); > ++ } else if ((fl->dl_type == htons(ETH_TYPE_ARP)) && > ++ ((mf->id == MFF_ARP_OP) || > ++ (mf->id == MFF_ARP_SHA) || > ++ (mf->id == MFF_ARP_THA) || > ++ (mf->id == MFF_ARP_SPA) || > ++ (mf->id == MFF_ARP_TPA))) { > ++ /* mask only the lower 8 bits. 
*/ > ++ wc->masks.nw_proto = 0xff; > ++ } > ++} > +diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c > +index a9cf3cbee0b..cffd733c5eb 100644 > +--- a/ofproto/ofproto-dpif-xlate.c > ++++ b/ofproto/ofproto-dpif-xlate.c > +@@ -5211,6 +5211,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct > ofpact_cnt_ids *ids) > + } > + > + ctx->wc->masks.nw_ttl = 0xff; > ++ WC_MASK_FIELD(ctx->wc, nw_proto); > + if (flow->nw_ttl > 1) { > + flow->nw_ttl--; > + return false; > +@@ -7128,6 +7129,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t > ofpacts_len, > + case OFPACT_SET_IPV4_SRC: > + if (flow->dl_type == htons(ETH_TYPE_IP)) { > + memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src); > ++ WC_MASK_FIELD(wc, nw_proto); > + flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4; > + } > + break; > +@@ -7135,12 +7137,14 @@ do_xlate_actions(const struct ofpact *ofpacts, > size_t ofpacts_len, > + case OFPACT_SET_IPV4_DST: > + if (flow->dl_type == htons(ETH_TYPE_IP)) { > + memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst); > ++ WC_MASK_FIELD(wc, nw_proto); > + flow->nw_dst = ofpact_get_SET_IPV4_DST(a)->ipv4; > + } > + break; > + > + case OFPACT_SET_IP_DSCP: > + if (is_ip_any(flow)) { > ++ WC_MASK_FIELD(wc, nw_proto); > + wc->masks.nw_tos |= IP_DSCP_MASK; > + flow->nw_tos &= ~IP_DSCP_MASK; > + flow->nw_tos |= ofpact_get_SET_IP_DSCP(a)->dscp; > +@@ -7149,6 +7153,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t > ofpacts_len, > + > + case OFPACT_SET_IP_ECN: > + if (is_ip_any(flow)) { > ++ WC_MASK_FIELD(wc, nw_proto); > + wc->masks.nw_tos |= IP_ECN_MASK; > + flow->nw_tos &= ~IP_ECN_MASK; > + flow->nw_tos |= ofpact_get_SET_IP_ECN(a)->ecn; > +@@ -7157,6 +7162,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t > ofpacts_len, > + > + case OFPACT_SET_IP_TTL: > + if (is_ip_any(flow)) { > ++ WC_MASK_FIELD(wc, nw_proto); > + wc->masks.nw_ttl = 0xff; > + flow->nw_ttl = ofpact_get_SET_IP_TTL(a)->ttl; > + } > +@@ -7224,6 +7230,7 @@ 
do_xlate_actions(const struct ofpact *ofpacts, size_t > ofpacts_len, > + > + /* Set the field only if the packet actually has it. */ > + if (mf_are_prereqs_ok(mf, flow, wc)) { > ++ mf_set_mask_l3_prereqs(mf, flow, wc); > + mf_mask_field_masked(mf, ofpact_set_field_mask(set_field), > wc); > + mf_set_flow_value_masked(mf, set_field->value, > + ofpact_set_field_mask(set_field), > +@@ -7280,6 +7287,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t > ofpacts_len, > + > + case OFPACT_DEC_TTL: > + wc->masks.nw_ttl = 0xff; > ++ WC_MASK_FIELD(wc, nw_proto); > + if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) { > + return; > + } > +diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at > +index fa6111c1ed2..6b58cabec91 100644 > +--- a/tests/ofproto-dpif.at > ++++ b/tests/ofproto-dpif.at > +@@ -849,7 +849,7 @@ table=2 ip > actions=set_field:192.168.3.91->ip_src,output(11) > + AT_CHECK([ovs-ofctl -O OpenFlow12 add-flows br0 flows.txt]) > + AT_CHECK([ovs-appctl ofproto/trace br0 > 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=1,nw_tos=0,nw_ttl=128,nw_frag=no,icmp_type=8,icmp_code=0'], > [0], [stdout]) > + AT_CHECK([tail -2 stdout], [0], > +- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no > ++ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no > + Datapath actions: > 10,set(ipv4(src=192.168.3.91)),11,set(ipv4(src=192.168.3.90)),13 > + ]) > + OVS_VSWITCHD_STOP > +@@ -912,7 +912,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 > 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds > + # Must match on the source address to be able to restore it's value for > + # the second bucket > + AT_CHECK([tail -2 stdout], [0], > +- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no > ++ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no > + Datapath actions: > set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 > + ]) > + 
OVS_VSWITCHD_STOP > +@@ -944,7 +944,7 @@ done > + AT_CHECK([ovs-appctl dpctl/dump-flows | sed > 's/dp_hash(.*\/0xf)/dp_hash(0xXXXX\/0xf)/' | sed > 's/packets.*actions:/actions:/' | strip_ufid | strip_used | sort], [0], [dnl > + flow-dump from the main thread: > + > recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), > actions:hash(sym_l4(0)),recirc(0x1) > +-recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,frag=no), > actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 > ++recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,proto=1,frag=no), > actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 > + ]) > + > + OVS_VSWITCHD_STOP > +@@ -959,7 +959,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 > 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds > + # Must match on the source address to be able to restore it's value for > + # the third bucket > + AT_CHECK([tail -2 stdout], [0], > +- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no > ++ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no > + Datapath actions: > set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 > + ]) > + OVS_VSWITCHD_STOP > +@@ -1536,17 +1536,17 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) > + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy > 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=2,frag=no)' > -generate], [0], [stdout]) > + AT_CHECK([tail -4 stdout], [0], [ > + Final flow: > ip,in_port=1,vlan_tci=0x0000,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=111,nw_tos=0,nw_ecn=0,nw_ttl=1,nw_frag=no > +-Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=2,nw_frag=no > ++Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=2,nw_frag=no > + Datapath actions: 
> set(ipv4(ttl=1)),2,userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)),4 > + ]) > + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy > 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=3,frag=no)'], > [0], [stdout]) > + AT_CHECK([tail -2 stdout], [0], > +- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=3,nw_frag=no > ++ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=3,nw_frag=no > + Datapath actions: set(ipv4(ttl=2)),2,set(ipv4(ttl=1)),3,4 > + ]) > + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy > 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x86dd),ipv6(src=::1,dst=::2,label=0,proto=10,tclass=0x70,hlimit=128,frag=no)'], > [0], [stdout]) > + AT_CHECK([tail -2 stdout], [0], > +- [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_ttl=128,nw_frag=no > ++ [Megaflow: > recirc_id=0,eth,ipv6,in_port=1,nw_proto=10,nw_ttl=128,nw_frag=no > + Datapath actions: set(ipv6(hlimit=127)),2,set(ipv6(hlimit=126)),3,4 > + ]) > + > +@@ -1656,7 +1656,7 @@ AT_CHECK([ovs-vsctl -- \ > + --id=@q2 create Queue dscp=2], [0], [ignore]) > + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy > 'in_port(9),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=1.1.1.1,dst=2.2.2.2,proto=1,tos=0xff,ttl=128,frag=no),icmp(type=8,code=0)'], > [0], [stdout]) > + AT_CHECK([tail -2 stdout], [0], > +- [Megaflow: > recirc_id=0,skb_priority=0,eth,ip,in_port=9,nw_tos=252,nw_frag=no > ++ [Megaflow: > recirc_id=0,skb_priority=0,eth,icmp,in_port=9,nw_tos=252,nw_frag=no > + Datapath actions: dnl > + 100,dnl > + set(ipv4(tos=0x4/0xfc)),set(skb_priority(0x1)),1,dnl > +@@ -11884,7 +11884,7 @@ ovs-ofctl dump-flows br0 > + > + AT_CHECK([ovs-appctl ofproto/trace ovs-dummy > 
'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.10.10.2,dst=10.10.10.1,proto=1,tos=1,ttl=128,frag=no),icmp(type=8,code=0)'], > [0], [stdout]) > + AT_CHECK([tail -3 stdout], [0], [dnl > +-Megaflow: > recirc_id=0,eth,ip,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no > ++Megaflow: > recirc_id=0,eth,icmp,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no > + Datapath actions: drop > + Translation failed (Recursion too deep), packet is dropped. > + ]) > +diff --git a/tests/ofproto.at b/tests/ofproto.at > +index a666bebcac4..2fa8486a86f 100644 > +--- a/tests/ofproto.at > ++++ b/tests/ofproto.at > +@@ -6538,3 +6538,185 @@ verify_deleted > + > + OVS_VSWITCHD_STOP(["/<invalid/d"]) > + AT_CLEANUP > ++ > ++AT_SETUP([ofproto - implicit mask of ipv4 proto with invalid proto field]) > ++OVS_VSWITCHD_START > ++add_of_ports br0 1 2 > ++ > ++AT_DATA([flows.txt], [dnl > ++table=0 in_port=1 > priority=90,ip,nw_dst=192.168.1.20,actions=mod_nw_dst:192.168.20.20,output=2 > ++table=0 in_port=1 > priority=89,ip,nw_dst=192.168.1.21,actions=mod_nw_src:192.168.20.21,output=2 > ++table=0 in_port=1 > priority=88,ip,nw_dst=192.168.1.10,actions=dec_ttl,output=2 > ++table=0 in_port=1 > priority=87,ip,nw_dst=192.168.1.19,actions=mod_nw_ttl:8,output=2 > ++table=0 in_port=1 > priority=86,ip,nw_dst=192.168.1.18,actions=mod_nw_ecn:2,output=2 > ++table=0 in_port=1 > priority=85,ip,nw_dst=192.168.1.17,actions=mod_nw_tos:0x40,output=2 > ++table=0 in_port=1 > priority=84,ip,nw_dst=192.168.1.16,actions=set_field:192.168.20.26->nw_dst,output=2 > ++table=0 in_port=1 > priority=83,ip,nw_dst=192.168.1.15,actions=set_field:192.168.21.26->nw_src,output=2 > ++table=0 in_port=1 > priority=82,ip,nw_dst=192.168.1.14,actions=set_field:0x40->nw_tos,output=2 > ++table=0 in_port=1 priority=0,actions=drop > ++]) > ++AT_CHECK([ovs-ofctl del-flows br0]) > ++AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) > ++ > ++dnl send a proto 0 packet to try and poison the DP flow path > 
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ > ++ > '5054000000075054000000050800450000548de140004000289fc0a801c4c0a8011408003bf60002001bbf080a640000000032ad010000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637']) > ++ > ++AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl > ++flow-dump from the main thread: > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), > packets:0, bytes:0, used:never, actions:2 > ++]) > ++ > ++dnl Send ICMP for mod nw_src and mod nw_dst > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.20,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) > ++ > ++dnl send ICMP that will dec TTL > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.10,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) > ++ > ++dnl send ICMP that will mod TTL > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.19,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) > ++ > ++dnl send ICMP that will mod ECN > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.18,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) > ++ > ++dnl send ICMP that will mod TOS > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.17,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) > ++ > ++dnl send ICMP that will set DST > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.16,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) > ++ > ++dnl send ICMP that will set SRC > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) > ++ > ++dnl send ICMP that will set TOS > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.14,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) > ++ > ++AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl > ++flow-dump from the main thread: > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.10,proto=1,ttl=64,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv4(ttl=63)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.14,proto=1,tos=0/0xfc,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.16,proto=1,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.26)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.17,proto=1,tos=0/0xfc,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.18,proto=1,tos=0/0x3,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x2/0x3)),2 > 
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.19,proto=1,ttl=64,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv4(ttl=8)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), > packets:0, bytes:0, used:never, actions:2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=1,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.20)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.21.26)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.20.21)),2 > ++]) > ++ > ++OVS_VSWITCHD_STOP > ++AT_CLEANUP > ++ > ++AT_SETUP([ofproto - implicit mask of ipv6 proto with HOPOPT field]) > ++OVS_VSWITCHD_START > ++add_of_ports br0 1 2 > ++ > ++AT_DATA([flows.txt], [dnl > ++table=0 in_port=1 > priority=77,ip6,ipv6_dst=111:db8::3,actions=dec_ttl,output=2 > ++table=0 in_port=1 > priority=76,ip6,ipv6_dst=111:db8::4,actions=mod_nw_ttl:8,output=2 > ++table=0 in_port=1 > priority=75,ip6,ipv6_dst=111:db8::5,actions=mod_nw_ecn:2,output=2 > ++table=0 in_port=1 > priority=74,ip6,ipv6_dst=111:db8::6,actions=mod_nw_tos:0x40,output=2 > ++table=0 in_port=1 > priority=73,ip6,ipv6_dst=111:db8::7,actions=set_field:2112:db8::2->ipv6_dst,output=2 > ++table=0 in_port=1 > priority=72,ip6,ipv6_dst=111:db8::8,actions=set_field:2112:db8::3->ipv6_src,output=2 > ++table=0 in_port=1 > priority=72,ip6,ipv6_dst=111:db8::9,actions=set_field:44->ipv6_label,output=2 > ++table=0 in_port=1 priority=0,actions=drop > ++]) > ++AT_CHECK([ovs-ofctl del-flows br0]) > ++AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) > ++ > ++dnl send a proto 0 packet to try and poison the DP flow 
path > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=0,tclass=0,hlimit=64,frag=no)']) > ++ > ++AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl > ++flow-dump from the main thread: > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), > packets:0, bytes:0, used:never, > actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) > ++]) > ++ > ++dnl Send ICMP for mod nw_src and mod nw_dst > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::4,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) > ++ > ++dnl send ICMP that will dec TTL > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::5,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) > ++ > ++dnl send ICMP that will mod TTL > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::6,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) > ++ > ++dnl send ICMP that will mod ECN > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::7,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) > ++ > ++dnl send ICMP that will mod TOS > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) > ++ > ++dnl send ICMP that will set LABEL > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::9,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) > ++ > ++AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl > ++flow-dump from the main thread: > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), > packets:0, bytes:0, used:never, > actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=1,hlimit=64,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=63)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::4,proto=1,hlimit=64,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=8)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::5,proto=1,tclass=0/0x3,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x2/0x3)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::6,proto=1,tclass=0/0xfc,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x40/0xfc)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::7,proto=1,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv6(dst=2112:db8::2)),2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::9,label=0,proto=1,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv6(label=0x2c)),2 > 
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,frag=no), > packets:0, bytes:0, used:never, actions:set(ipv6(src=2112:db8::3)),2 > ++]) > ++ > ++OVS_VSWITCHD_STOP > ++AT_CLEANUP > ++ > ++AT_SETUP([ofproto - implicit mask of ARP OPer field]) > ++OVS_VSWITCHD_START > ++add_of_ports br0 1 2 > ++ > ++AT_DATA([flows.txt], [dnl > ++table=0 in_port=1 > priority=77,arp,arp_sha=00:01:02:03:04:06,actions=set_field:0x1->arp_op,2 > ++table=0 in_port=1 > priority=76,arp,arp_sha=00:01:02:03:04:07,actions=set_field:00:02:03:04:05:06->arp_sha,2 > ++table=0 in_port=1 > priority=75,arp,arp_sha=00:01:02:03:04:08,actions=set_field:ff:00:00:00:00:ff->arp_tha,2 > ++table=0 in_port=1 > priority=74,arp,arp_sha=00:01:02:03:04:09,actions=set_field:172.31.110.26->arp_spa,2 > ++table=0 in_port=1 > priority=73,arp,arp_sha=00:01:02:03:04:0a,actions=set_field:172.31.110.10->arp_tpa,2 > ++table=0 in_port=1 priority=1,actions=drop > ++]) > ++ > ++AT_CHECK([ovs-ofctl del-flows br0]) > ++AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) > ++ > ++dnl Send op == 0 packet > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ > ++ > 'ffffffffffffaa55aa550000080600010800060400000001020304070c0a00010000000000000c0a0002']) > ++ > ++AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl > ++flow-dump from the main thread: > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), > packets:0, bytes:0, used:never, actions:2 > ++]) > ++ > ++dnl Send op 2 -> set op > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=2,sha=00:01:02:03:04:06,tha=ff:ff:ff:ff:ff:ff)']) > ++ > ++dnl Send op 1 -> set SHA > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:07,tha=ff:ff:ff:ff:ff:ff)']) > ++ > ++dnl Send op 1 -> set THA > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff)']) > ++ > ++dnl Send op 1 -> set SIP > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:09,tha=ff:ff:ff:ff:ff:ff)']) > ++ > ++dnl Send op 1 -> set TIP > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 > 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a,tha=ff:ff:ff:ff:ff:ff)']) > ++ > ++AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl > ++flow-dump from the main thread: > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), > packets:0, bytes:0, used:never, actions:2 > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:07), > packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff), > packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=2,sha=00:01:02:03:04:06), > packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) > ++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(sip=172.31.110.1,op=1,sha=00:01:02:03:04:09), > packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) > 
++recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a), > packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) > ++]) > ++ > ++OVS_VSWITCHD_STOP > ++AT_CLEANUP > +diff --git a/tests/packet-type-aware.at b/tests/packet-type-aware.at > +index 3b5c66fe526..d63528e69ee 100644 > +--- a/tests/packet-type-aware.at > ++++ b/tests/packet-type-aware.at > +@@ -1021,7 +1021,7 @@ AT_CHECK([ > + ], [0], [flow-dump from the main thread: > + > recirc_id(0),in_port(p0),packet_type(ns=0,id=0),eth(src=aa:bb:cc:00:00:02,dst=aa:bb:cc:00:00:01),eth_type(0x0800),ipv4(dst=20.0.0.1,proto=47,frag=no), > packets:3, bytes:378, used:0.0s, actions:tnl_pop(gre_sys) > + > tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0),in_port(gre_sys),packet_type(ns=1,id=0x8847),eth_type(0x8847),mpls(label=999/0x0,tc=0/0,ttl=64/0x0,bos=1/1), > packets:3, bytes:264, used:0.0s, > actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),pop_mpls(eth_type=0x800),recirc(0x1) > +-tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(ttl=64,frag=no), > packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br > ++tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=1,ttl=64,frag=no), > packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br > + ]) > + > + ovs-appctl time/warp 1000 > diff -Nru openvswitch-3.1.0/debian/patches/ovs-ctl-ipsec.patch > openvswitch-3.1.0/debian/patches/ovs-ctl-ipsec.patch > --- openvswitch-3.1.0/debian/patches/ovs-ctl-ipsec.patch 2023-02-21 > 23:01:11.000000000 +0100 > +++ openvswitch-3.1.0/debian/patches/ovs-ctl-ipsec.patch 2023-04-11 > 11:54:40.000000000 +0200 
> @@ -6,9 +6,11 @@ > Author: James Page <james.p...@ubuntu.com> > Forwarded: not-needed > > ---- a/utilities/ovs-ctl.in > -+++ b/utilities/ovs-ctl.in > -@@ -245,7 +245,7 @@ start_ovs_ipsec () { > +Index: openvswitch/utilities/ovs-ctl.in > +=================================================================== > +--- openvswitch.orig/utilities/ovs-ctl.in > ++++ openvswitch/utilities/ovs-ctl.in > +@@ -250,7 +250,7 @@ start_ovs_ipsec () { > --pidfile=${rundir}/ovs-monitor-ipsec.pid \ > --ike-daemon=$IKE_DAEMON \ > $no_restart \ > @@ -16,3 +18,4 @@ > + --log-file --detach unix:${rundir}/db.sock || return 1 > return 0 > } > + > diff -Nru openvswitch-3.1.0/debian/patches/series > openvswitch-3.1.0/debian/patches/series > --- openvswitch-3.1.0/debian/patches/series 2023-02-21 23:01:11.000000000 > +0100 > +++ openvswitch-3.1.0/debian/patches/series 2023-04-11 11:54:40.000000000 > +0200 > @@ -1 +1,2 @@ > ovs-ctl-ipsec.patch > +CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch -- Sebastian Ramacher
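Review bot: In the lib/meta-flow.c hunk, the two branches of mf_set_mask_l3_prereqs() mask the same field in two different ways: the IP branch uses `WC_MASK_FIELD(wc, nw_proto);` while the ARP branch writes `wc->masks.nw_proto = 0xff;` under the comment "mask only the lower 8 bits". nw_proto is a single byte (for ARP it carries the low 8 bits of the opcode), so both produce the same full mask; using WC_MASK_FIELD in both branches, or rewording the comment to say why the ARP case is listed separately, would make the intent clearer. This is upstream code carried verbatim, so it is a point for upstream rather than something to patch in the Debian package.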
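Review bot: In the ofproto/ofproto-dpif-xlate.c hunks, nw_proto is masked twice on the dec_ttl path: the OFPACT_DEC_TTL case gains `WC_MASK_FIELD(wc, nw_proto);` just before calling compose_dec_ttl(), and compose_dec_ttl() itself gains `WC_MASK_FIELD(ctx->wc, nw_proto);` right after its existing `ctx->wc->masks.nw_ttl = 0xff;`. One of the two is redundant (it mirrors the pre-existing duplicated nw_ttl mask, so it is harmless). For the backport, keep the patch byte-identical to the referenced upstream commit rather than trimming it locally; the duplication can be reported upstream.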
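Review bot: In the tests/ofproto.at hunk, the dnl comments in the "implicit mask of ipv6 proto with HOPOPT field" test were copied from the IPv4 test and no longer describe the rules they exercise: "Send ICMP for mod nw_src and mod nw_dst" injects packets for 111:db8::3 and ::4, whose rules are dec_ttl and mod_nw_ttl; "dec TTL" hits ::5 (mod_nw_ecn), "mod TTL" hits ::6 (mod_nw_tos), "mod ECN" hits ::7 (set ipv6_dst) and "mod TOS" hits ::8 (set ipv6_src); only "set LABEL" matches. The expected dpctl/dump-flows output does agree with the rules, so the test logic is sound and only the comments are stale. The test title also reads "ARP OPer field" for the third test. Cosmetic, and again upstream's to fix; no reason to deviate from the upstream patch here.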
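Review bot: The debian/patches/ovs-ctl-ipsec.patch hunk is pure refresh churn unrelated to the CVE fix: the header switches from `--- a/utilities/ovs-ctl.in` / `+++ b/utilities/ovs-ctl.in` to an `Index:` line with `openvswitch.orig/` and `openvswitch/` path prefixes, the hunk offset moves from 245 to 250, and a trailing blank line is appended. That makes the debdiff harder to audit for a targeted security upload. Either drop this part of the diff (a fuzz-free offset on `quilt push` is only a warning, not a failure) or regenerate it with `QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index"` in ~/.quiltrc so the refreshed patch keeps the a/ b/ style the file had before.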