Eli Britstein via dev <[email protected]> writes:

> From: Emeel Hakim <[email protected]>
>
> dp_netdev_get_mega_ufid() computes a mega flow ufid by hashing the
> masked flow (flow & wildcard mask). The mega ufid is used as a key
> to the offload objects. If they are not unique, instead of 2 different
> offload rules, they will override each other.
>
> For example, consider two flows that share the same 5-tuple but
> differ only in TOS handling:
> - Flow A: tos=0x20, wildcard mask tos=0x00 -> masked tos=0x00
> - Flow B: tos=0x00, wildcard mask tos=0xff -> masked tos=0x00
> Both produce identical masked flows, so they get the same mega ufid,
> even though they belong to different megaflows (different wildcard
> masks).
>
> This can be triggered by an OpenFlow rule change while traffic is active:
> 1. Install a high-priority rule matching nw_tos=0 and a lower-priority
>    catch-all ip, tcp rule.
> 2. Start TOS=0 traffic — flows match the nw_tos=0 rule and get an
>    exact TOS mask (0xff).
> 3. Remove the nw_tos=0 rule — new flows now match the catch-all rule
>    with TOS wild-carded (mask=0x00).
> 4. Start TOS=0x20 traffic — the masked TOS is 0x00 in both cases,
>    producing the same mega ufid despite different wildcard masks.
>
> Fix this by taking into account not only the masked values but also the masks.
>
> Fixes: 241bad15d99a ("dpif-netdev: associate flow with a mark id")
> Signed-off-by: Emeel Hakim <[email protected]>
> ---

Thanks Emeel (and Eli) - applied and backported down through branch-3.3
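
The collision described in the quoted commit message, reproduced as an added example (not code from the patch or from OVS). The `toy_flow` layout, the FNV-1a hash and all function names are assumptions standing in for the real flow structure and ufid hash.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy flow key (hypothetical layout, not OVS's struct flow); 16 bytes, no implicit padding. */
struct toy_flow {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t proto, tos, pad[2];
};

/* FNV-1a, standing in for the real ufid hash (an assumption of this example). */
static uint64_t fnv1a(uint64_t h, const void *p, size_t n)
{
    const uint8_t *b = p;
    while (n--) h = (h ^ *b++) * 0x100000001b3ULL;
    return h;
}

/* Pre-fix scheme from the message: key = hash(flow & mask). */
static uint64_t key_masked_only(const struct toy_flow *f, const struct toy_flow *m)
{
    struct toy_flow mf = *f;
    mf.src &= m->src; mf.dst &= m->dst;
    mf.sport &= m->sport; mf.dport &= m->dport;
    mf.proto &= m->proto; mf.tos &= m->tos;
    return fnv1a(0xcbf29ce484222325ULL, &mf, sizeof mf);
}

/* Post-fix idea: the mask is hashed as well as the masked values. */
static uint64_t key_with_mask(const struct toy_flow *f, const struct toy_flow *m)
{
    return fnv1a(key_masked_only(f, m), m, sizeof *m);
}

/* Flow A: tos=0x20, mask 0x00; flow B: tos=0x00, mask 0xff. Returns 1 if their keys match. */
static int keys_collide(int include_mask)
{
    struct toy_flow a = { 0x0a000001, 0x0a000002, 40000, 80, 6, 0x20, {0, 0} };
    struct toy_flow b = a, ma = { ~0u, ~0u, 0xffff, 0xffff, 0xff, 0x00, {0, 0} }, mb = ma;
    b.tos = 0x00;   /* constructed sample values throughout */
    mb.tos = 0xff;
    return include_mask ? key_with_mask(&a, &ma) == key_with_mask(&b, &mb)
                        : key_masked_only(&a, &ma) == key_masked_only(&b, &mb);
}

int main(void)
{
    printf("masked only collide=%d, with mask collide=%d\n", keys_collide(0), keys_collide(1));
    return 0;
}
```

With the key derived from masked values alone, the two megaflows map to one entry and the later offload rule replaces the earlier one; hashing the mask as well keeps them apart.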
