On 4/16/21 2:44 PM, Flavio Leitner wrote:
> On Fri, Apr 16, 2021 at 02:06:31PM +0200, David Marchand wrote:
>> Skipping further processing of invalid IP packets helps avoid crashes
>> but it does not help to figure out if the malformed packets are still
>> present on the network.
>>
>> Add coverage counters for IPv4 and IPv6 sanity checks so that we know
>> there are some invalid packets.
>>
>> Dump such whole packets in debug mode.
>>
>> Signed-off-by: David Marchand <david.march...@redhat.com>
>> Acked-by: Eelco Chaudron <echau...@redhat.com>
>> ---
>
> The patch looks good to me.
>
> Generated log dumping the packet correctly:
> 2021-04-16T12:37:25.525Z|00004|flow(handler21)|DBG|invalid packet for
> ipv6_sanity_check: port 1, size 86
> 00000000 33 33 ff 00 00 02 7a d0-49 c1 c0 e9 86 dd 60 00
> 00000010 00 00 00 21 3a ff fe 80-00 00 00 00 00 00 78 d0
> 00000020 49 ff fe c1 c0 e9 ff 02-00 00 00 00 00 00 00 00
> 00000030 00 01 ff 00 00 02 87 00-74 a2 00 00 00 00 fe 80
> 00000040 00 00 00 00 00 00 00 00-00 00 00 00 00 02 01 01
> 00000050 7a d0 49 c1 c0 e9
>
> # ovs-appctl coverage/show | grep miniflow
> miniflow_extract_ipv6_pkt_len_error 0.0/sec 0.000/sec 0.0011/sec
> total: 4
>
> Acked-by: Flavio Leitner <f...@sysclose.org>

Thanks, David, Eelco and Flavio!

This is an important change taking into account recent security issues due
to malformed packets.

Applied to master.

Best regards, Ilya Maximets.
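
An added example, not part of the thread and not Open vSwitch code: a simplified IPv6 length check with per-reason counters, run over the frame from the debug dump quoted above. The names ipv6_check, ipv6_verdict and counters are hypothetical, and the frame is assumed to carry no VLAN tag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN  14   /* Ethernet header, no VLAN tag (assumption) */
#define IPV6_HLEN 40   /* fixed IPv6 header */

enum ipv6_verdict { IPV6_OK, IPV6_TOO_SHORT, IPV6_LEN_ERROR };

/* Hypothetical per-reason counters, indexed by verdict. */
static unsigned long counters[3];

/* The 86-byte frame from the debug dump quoted in the thread. */
static const uint8_t logged_frame[] = {
    0x33,0x33,0xff,0x00,0x00,0x02,0x7a,0xd0,0x49,0xc1,0xc0,0xe9,0x86,0xdd,0x60,0x00,
    0x00,0x00,0x00,0x21,0x3a,0xff,0xfe,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0xd0,
    0x49,0xff,0xfe,0xc1,0xc0,0xe9,0xff,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x01,0xff,0x00,0x00,0x02,0x87,0x00,0x74,0xa2,0x00,0x00,0x00,0x00,0xfe,0x80,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x01,0x01,
    0x7a,0xd0,0x49,0xc1,0xc0,0xe9,
};

/* Validate the IPv6 header at l3, given l3_size bytes from l3 to frame end. */
static enum ipv6_verdict ipv6_check(const uint8_t *l3, size_t l3_size)
{
    enum ipv6_verdict v = IPV6_OK;

    if (l3_size < IPV6_HLEN) {
        v = IPV6_TOO_SHORT;
    } else {
        /* Payload length: big-endian 16-bit field at header offset 4. */
        size_t plen = ((size_t) l3[4] << 8) | l3[5];
        if (plen + IPV6_HLEN > l3_size) {
            v = IPV6_LEN_ERROR;   /* header claims more bytes than were received */
        }
    }
    counters[v]++;
    return v;
}

int main(void)
{
    /* The header claims 33 payload bytes; only 86 - 14 - 40 = 32 follow it. */
    enum ipv6_verdict v = ipv6_check(logged_frame + ETH_HLEN,
                                     sizeof logged_frame - ETH_HLEN);
    printf("verdict=%d len_error=%lu\n", (int) v, counters[IPV6_LEN_ERROR]);
    return v == IPV6_LEN_ERROR ? 0 : 1;
}
```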